
Thread: Infected with Virtumonde virus

  1. #1
    Junior Member
    Join Date
    Oct 2007
    Posts
    5

    Infected with Virtumonde virus

    Hello. Thanks in advance for any help.

    I picked up the VirtuMonde virus through a lapse in judgement when I installed a shady file.

    I have looked through a number of the threads here of other people that got infected with VirtuMonde, and I followed most of the advice that the Security Experts gave them. I scanned my computer with ComboFix, VundoFix, Spybot S&D, Kaspersky, and Panda. My computer is acting normally again; however, Spybot S&D still picks up VirtuMonde sometimes and Kaspersky says I am infected with some stuff too. I would be very appreciative if someone could help me!

    Below are the Kaspersky and HijackThis logs

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Friday, October 19, 2007 2:59:09 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 19/10/2007
    Kaspersky Anti-Virus database records: 440941
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 44527
    Number of viruses found: 4
    Number of infected objects: 8
    Number of suspicious objects: 0
    Duration of the scan process: 00:29:12

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_DUSTIN.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_DUSTIN.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
    C:\Documents and Settings\bwm1stcc\Application Data\Microsoft\IMJP8_1\imjp81u.dic Object is locked skipped
    C:\Documents and Settings\bwm1stcc\Application Data\Mozilla\Firefox\Profiles\coi0lsu1.default\cert8.db Object is locked skipped
    C:\Documents and Settings\bwm1stcc\Application Data\Mozilla\Firefox\Profiles\coi0lsu1.default\history.dat Object is locked skipped
    C:\Documents and Settings\bwm1stcc\Application Data\Mozilla\Firefox\Profiles\coi0lsu1.default\key3.db Object is locked skipped
    C:\Documents and Settings\bwm1stcc\Application Data\Mozilla\Firefox\Profiles\coi0lsu1.default\parent.lock Object is locked skipped
    C:\Documents and Settings\bwm1stcc\Application Data\Mozilla\Firefox\Profiles\coi0lsu1.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\bwm1stcc\Application Data\Mozilla\Firefox\Profiles\coi0lsu1.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\bwm1stcc\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\bwm1stcc\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\bwm1stcc\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\bwm1stcc\Local Settings\Application Data\Mozilla\Firefox\Profiles\coi0lsu1.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\bwm1stcc\Local Settings\Application Data\Mozilla\Firefox\Profiles\coi0lsu1.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\bwm1stcc\Local Settings\Application Data\Mozilla\Firefox\Profiles\coi0lsu1.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\bwm1stcc\Local Settings\Application Data\Mozilla\Firefox\Profiles\coi0lsu1.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\bwm1stcc\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\bwm1stcc\Local Settings\History\History.IE5\MSHist012007101920071020\index.dat Object is locked skipped
    C:\Documents and Settings\bwm1stcc\Local Settings\Temp\NAILogs\UpdaterUI_DUSTIN.log Object is locked skipped
    C:\Documents and Settings\bwm1stcc\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\bwm1stcc\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\bwm1stcc\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{46D1D6EA-FFDE-4045-8380-7F5C6440C724}\RP270\A0015880.exe Infected: Trojan.Win32.Dialer.qn skipped
    C:\System Volume Information\_restore{46D1D6EA-FFDE-4045-8380-7F5C6440C724}\RP270\A0015882.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Agent.dlu skipped
    C:\System Volume Information\_restore{46D1D6EA-FFDE-4045-8380-7F5C6440C724}\RP270\A0015882.exe/data.rar/patch.exe Infected: Trojan.Win32.Dialer.qn skipped
    C:\System Volume Information\_restore{46D1D6EA-FFDE-4045-8380-7F5C6440C724}\RP270\A0015882.exe/data.rar/crack.exe Infected: Trojan.Win32.Inject.gv skipped
    C:\System Volume Information\_restore{46D1D6EA-FFDE-4045-8380-7F5C6440C724}\RP270\A0015882.exe/data.rar/install.exe Infected: Virus.Win32.Virut.aj skipped
    C:\System Volume Information\_restore{46D1D6EA-FFDE-4045-8380-7F5C6440C724}\RP270\A0015882.exe/data.rar Infected: Virus.Win32.Virut.aj skipped
    C:\System Volume Information\_restore{46D1D6EA-FFDE-4045-8380-7F5C6440C724}\RP270\A0015882.exe RarSFX: infected - 5 skipped
    C:\System Volume Information\_restore{46D1D6EA-FFDE-4045-8380-7F5C6440C724}\RP272\A0016233.dll Infected: Trojan-Downloader.Win32.Agent.dlu skipped
    C:\System Volume Information\_restore{46D1D6EA-FFDE-4045-8380-7F5C6440C724}\RP278\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\IMJP8_1\imjp81u.dic Object is locked skipped
    C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    Scan process completed.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:40:49 PM, on 10/20/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Creative\Mixer\CTSVolFE.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [B Flets Internet Connection tool] "C:\Program Files\NTTE\Flets\app\TangoManager.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
    O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun ? Java ????? - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 9069 bytes
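A detail worth pulling out of the Kaspersky report above: every line marked "Infected" sits under C:\System Volume Information\_restore{...}\RPnnn, that is, inside System Restore snapshots, while the only objects reported on live paths are "Object is locked skipped" (registry hives, event logs, browser databases, in-use logs). The Python below is an added example, not code from the thread or from Kaspersky: it parses report lines in that format and separates live detections from restore-point leftovers, locked files and archive members (the `A0015882.exe/data.rar/keygen.exe` form). The sample lines are copied from the report above except the final `example.dll` line, which is constructed so the "live" branch is exercised.

```python
"""Triage a Kaspersky Online Scanner 5.x report (added example, not from the thread).

Each report line ends in a fixed status phrase; the object path, which may
contain spaces and '/'-separated archive members, is everything before it.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Status phrases as they appear at the end of report lines.
_INFECTED = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s+skipped$")
_CONTAINER = re.compile(r"^(?P<path>.+?)\s+(?P<fmt>\w+):\s+infected\s+-\s+(?P<n>\d+)\s+skipped$")
_LOCKED = re.compile(r"^(?P<path>.+?)\s+Object is locked\s+skipped$")
# System Restore snapshot directory at the root of an NT volume.
_RESTORE = re.compile(r"^[A-Z]:\\System Volume Information\\_restore\{", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    path: str       # on-disk container path, archive members stripped
    member: str     # '/'-joined path inside the archive, '' for plain files
    status: str     # 'infected', 'container' or 'locked'
    name: str       # detection name; container format for 'container'; '' for 'locked'
    location: str   # 'restore_point' or 'live'


def _split_member(raw: str) -> tuple[str, str]:
    """'C:\\x\\a.exe/data.rar/keygen.exe' -> ('C:\\x\\a.exe', 'data.rar/keygen.exe')."""
    container, _, member = raw.partition("/")
    return container, member


def parse_report(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        for status, rx in (("infected", _INFECTED), ("container", _CONTAINER), ("locked", _LOCKED)):
            m = rx.match(line)
            if not m:
                continue
            container, member = _split_member(m.group("path"))
            if status == "infected":
                name = m.group("name")
            elif status == "container":
                name = m.group("fmt")
            else:
                name = ""
            location = "restore_point" if _RESTORE.match(container) else "live"
            findings.append(Finding(container, member, status, name, location))
            break
    return findings


def live_infections(findings: list[Finding]) -> list[Finding]:
    """Detections that are NOT inside a System Restore snapshot: these need action."""
    return [f for f in findings if f.status == "infected" and f.location == "live"]


def detections_by_name(findings: list[Finding]) -> Counter:
    return Counter(f.name for f in findings if f.status == "infected")


def restore_points_to_purge(findings: list[Finding]) -> set[str]:
    """Restore-point IDs (RPnnn) holding infected objects; clearing System Restore drops them all."""
    ids = set()
    for f in findings:
        if f.status != "locked" and f.location == "restore_point":
            m = re.search(r"\\(RP\d+)\\", f.path)
            if m:
                ids.add(m.group(1))
    return ids


# Sample input: lines copied from the report in the thread, plus one CONSTRUCTED
# live detection (example.dll) that is not in the original report.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_DUSTIN.log Object is locked skipped
C:\System Volume Information\_restore{46D1D6EA-FFDE-4045-8380-7F5C6440C724}\RP270\A0015880.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{46D1D6EA-FFDE-4045-8380-7F5C6440C724}\RP270\A0015882.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Agent.dlu skipped
C:\System Volume Information\_restore{46D1D6EA-FFDE-4045-8380-7F5C6440C724}\RP270\A0015882.exe/data.rar/install.exe Infected: Virus.Win32.Virut.aj skipped
C:\System Volume Information\_restore{46D1D6EA-FFDE-4045-8380-7F5C6440C724}\RP270\A0015882.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{46D1D6EA-FFDE-4045-8380-7F5C6440C724}\RP272\A0016233.dll Infected: Trojan-Downloader.Win32.Agent.dlu skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\example.dll Infected: Trojan.Win32.Example skipped
"""

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("live:", [f.path for f in live_infections(found)])
    print("by name:", dict(detections_by_name(found)))
    print("restore points holding infections:", sorted(restore_points_to_purge(found)))
```

Run against the full report in the post, `live_infections` comes back empty and `restore_points_to_purge` names RP270 and RP272; the locked hives and logs are not detections at all. Note that the RarSFX member list (keygen.exe, patch.exe, crack.exe, install.exe) matches the "shady file" the poster describes, and `Virus.Win32.Virut` is a file infector, so an on-access scan of live executables is the check that matters once the snapshots are gone.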

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hello Tanaka

    Welcome to Safer Networking.

    Please read Before You Post
    All advice given by anyone volunteering here is taken at your own risk. While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

    By running the fixes yourself, you remove any tell-tale signs of what you were infected with. There may be more than just Vundo; I don't know what you were infected with, what was removed and what was not removed. You say Vundo, but were there other infections? Posting the reports from the fixes is a very necessary part of helping you remove the bad stuff.

    This is important
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right-click on HijackThis.exe (looks like a man with a spyglass) and rename it to Scanner.exe

    Drag ComboFix to the trash and download a new copy, as it's updated quite regularly.

    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    Post the Combofix log and a New HJT log renamed please
    Last edited by ken545; 2007-10-21 at 03:52.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014


  3. #3
    Junior Member
    Join Date
    Oct 2007
    Posts
    5


    Thanks so much for your help!

    Here are the logs:

    ComboFix 07-10-21.1** - bwm1stcc 2007-10-21 13:08:43.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.932.81.1041.18.940 [GMT -4:00]
    Running from: C:\Documents and Settings\bwm1stcc\デスクトップ\Anti Vundo\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2007-09-21 to 2007-10-21 )))))))))))))))))))))))))))))))
    .

    2007-10-20 22:02 <DIR> d-------- C:\Documents and Settings\bwm1stcc\Application Data\FaxCtr
    2007-10-20 21:04 <DIR> d-------- C:\Program Files\Lexmark Toolbar
    2007-10-20 21:01 <DIR> d-------- C:\Documents and Settings\bwm1stcc\Application Data\Lexmark Productivity Studio
    2007-10-20 20:58 <DIR> d-------- C:\Documents and Settings\All Users\Lx_cats
    2007-10-20 20:36 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2007-10-20 20:36 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
    2007-10-20 20:36 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
    2007-10-20 20:36 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
    2007-10-20 20:20 <DIR> d-------- C:\logs
    2007-10-20 20:20 344,064 --a------ C:\WINDOWS\system32\lxdicoin.dll
    2007-10-20 20:20 40,960 --a------ C:\WINDOWS\system32\lxdivs.dll
    2007-10-20 20:19 692,224 --a------ C:\WINDOWS\system32\lxdidrs.dll
    2007-10-20 20:19 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
    2007-10-20 20:19 87,040 --a------ C:\WINDOWS\system32\dllcache\wiafbdrv.dll
    2007-10-20 20:19 69,632 --a------ C:\WINDOWS\system32\lxdicnv4.dll
    2007-10-20 20:19 65,536 --a------ C:\WINDOWS\system32\lxdicaps.dll
    2007-10-20 20:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FaxCtr
    2007-10-20 20:18 339,968 --a------ C:\WINDOWS\system32\IMGMAN32.DLL
    2007-10-20 20:18 98,345 --a------ C:\WINDOWS\system32\IMHOST32.DLL
    2007-10-20 20:18 45,056 --a------ C:\WINDOWS\system32\LXF3PMON.DLL
    2007-10-20 20:18 36,864 --a------ C:\WINDOWS\system32\lxf3oem.dll
    2007-10-20 20:18 32,768 --a------ C:\WINDOWS\system32\LXF3FXPU.DLL
    2007-10-20 20:18 12,288 --a------ C:\WINDOWS\system32\LXF3PMRC.DLL
    2007-10-20 20:17 <DIR> d-------- C:\Program Files\Lexmark Fax Solutions
    2007-10-20 20:17 <DIR> d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
    2007-10-20 20:16 1,645,320 --a------ C:\WINDOWS\system32\gdiplus.dll
    2007-10-20 20:10 <DIR> d-------- C:\Program Files\Lexmark 3500-4500 Series
    2007-10-19 12:00 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-10-19 12:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-10-19 11:37 <DIR> d-------- C:\Program Files\Trend Micro
    2007-10-19 10:29 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-10-19 09:57 283,525 --a------ C:\Documents and Settings\bwm1stcc\catchme.zip
    2007-10-19 09:54 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-19 09:29 <DIR> d-------- C:\VundoFix Backups
    2007-10-19 07:27 <DIR> d-------- C:\quarantine
    2007-10-19 01:48 127,488 --a------ C:\WINDOWS\system32\drivers\imagesrv.sys
    2007-10-19 01:48 5,888 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
    2007-10-19 01:47 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2007-10-19 01:47 <DIR> d-------- C:\Program Files\Ahead
    2007-10-19 01:47 1,568,768 --a------ C:\WINDOWS\system32\ImagX7.dll
    2007-10-19 01:47 476,320 --a------ C:\WINDOWS\system32\ImagXpr7.dll
    2007-10-19 01:47 471,040 --a------ C:\WINDOWS\system32\ImagXRA7.dll
    2007-10-19 01:47 364,544 --a------ C:\WINDOWS\system32\TwnLib4.dll
    2007-10-19 01:47 262,144 --a------ C:\WINDOWS\system32\ImagXR7.dll
    2007-10-19 01:47 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
    2007-10-19 01:47 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
    2007-10-09 14:04 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-21 03:03 --------- d-----w C:\Documents and Settings\bwm1stcc\Application Data\OpenOffice.org2
    2007-10-21 01:29 --------- d-----w C:\Documents and Settings\bwm1stcc\Application Data\Ahead
    2007-10-19 15:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-10-19 15:50 --------- d-----w C:\Program Files\Java
    2007-10-19 15:14 --------- d-----w C:\Program Files\Digital Line Detect
    2007-09-21 19:38 --------- d-----w C:\Program Files\AIM95
    2007-09-14 14:17 --------- d-----w C:\Documents and Settings\bwm1stcc\Application Data\U3
    2007-09-14 14:12 --------- d-----w C:\Program Files\Common Files\SWF Studio
    2007-09-12 12:54 --------- d-----w C:\Program Files\MinTimer
    2007-09-12 12:52 --------- d-----w C:\Documents and Settings\bwm1stcc\Application Data\GetRightToGo
    2007-08-22 12:56 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
    2007-08-22 12:56 655,872 ------w C:\WINDOWS\system32\dllcache\wininet.dll
    2007-08-22 12:56 613,888 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-08-22 12:56 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-08-22 12:56 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
    2007-08-22 12:56 473,600 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
    2007-08-22 12:56 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-08-22 12:56 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
    2007-08-22 12:56 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
    2007-08-22 12:56 3,085,824 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-08-22 12:56 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
    2007-08-22 12:56 205,824 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
    2007-08-22 12:56 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-08-22 12:56 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
    2007-08-22 12:56 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
    2007-08-22 12:56 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
    2007-08-22 12:56 1,051,136 ------w C:\WINDOWS\system32\dllcache\danim.dll
    2007-08-22 12:56 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
    2007-08-21 10:19 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
    2007-08-21 06:16 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-08-21 06:16 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
    2007-07-30 10:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
    2007-07-30 10:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-07-30 10:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-07-30 10:19 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
    2007-07-30 10:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-07-30 10:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
    2007-07-30 10:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-07-30 10:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-07-30 10:19 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
    2007-07-30 10:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-07-30 10:19 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
    2007-07-30 10:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-07-30 10:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
    2007-07-30 10:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-07-30 10:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-05 08:00]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 08:00]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 08:00]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 03:44]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 03:41]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 03:45]
    "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-04-30 20:28]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-04-30 20:28]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 03:30 C:\WINDOWS\stsystra.exe]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-07 22:48]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 07:29]
    "CTSVolFE.exe"="C:\Program Files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 02:57]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 12:05]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 03:50]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 03:50]
    "MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 06:05]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-21 19:00]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2005-12-06 14:55]
    "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-06 20:48]
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 17:48]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 02:57]
    "B Flets Internet Connection tool"="C:\Program Files\NTTE\Flets\app\TangoManager.exe" []
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-10 14:06]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
    "lxdimon.exe"="C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-05-07 14:07]
    "lxdiamon"="C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-03-05 08:40]
    "FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2007-05-07 14:10]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 08:00]
    "ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" []
    "SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 00:43]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
    "NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-09-16 16:41]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"=ctfmon.exe

    C:\Documents and Settings\All Users\スタート メニュー\プログラム\スタートアップ\
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-10-05 12:33:17]

    R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
    R2 lxdi_device;lxdi_device;C:\WINDOWS\system32\lxdicoms.exe -service
    S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
    S3 LOGNT;LOGNT;\??\C:\PROGRA~1\NTTE\Flets\app\lognt.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    AutoRun\command - G:\LaunchU3.exe

    *Newly Created Service* - ENTDRV51
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-10-12 22:30:00 C:\WINDOWS\Tasks\McAfee.com ウイルス スキャン - マイ コンピュータ (Dustin-bwm1stcc).job"
    - c:\program files\mcafee.com\vso\mcmnhdlr.exe
    .
    **************************************************************************

    catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-21 13:09:36
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-21 13:10:05
    C:\ComboFix2.txt ... 2007-10-21 12:23
    C:\ComboFix3.txt ... 2007-10-19 10:00
    .
    --- E O F ---

  4. #4
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Post the Combofix log and a New HJT log renamed please
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  5. #5
    Junior Member
    Join Date
    Oct 2007
    Posts
    5

    Default

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:11:23 PM, on 10/21/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    C:\WINDOWS\system32\lxdicoms.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Creative\Mixer\CTSVolFE.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
    C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\conime.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\Scanner.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [B Flets Internet Connection tool] "C:\Program Files\NTTE\Flets\app\TangoManager.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
    O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"
    O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
    O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun の Java コンソール - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
    O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 10018 bytes

  6. #6
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    The reason I had you rename HJT is because the thieves that have written the Vundo Trojan have written it to evade a HJT scan, and by renaming it to something else, if Vundo is present on your system it will now show up on your HJT log. It did not show up.

    The rest of your log looks fine. I suspect that Spybot is finding old registry entries related to Vundo; let Spybot remove them, reboot and run another Spybot scan and see if it comes up clean.

  7. #7
    Junior Member
    Join Date
    Oct 2007
    Posts
    5

    Default

    Alright. Thanks.

    Can I clear my restore points?

  8. #8
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    System Restore makes regular backups of all your settings. If you ever had to use this program to restore your system to a previous date, you will be infected all over again, so we need to clean out the previous Restore Points.

    Turn off System Restore.

    • Right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • Check Turn off System Restore on all Drives.
    • Click Apply, and then click OK.

    Reboot your computer.

    Turn ON System Restore.

    • Right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • UN-Check Turn off System Restore on all Drives.
    • Click Apply, and then click OK.

    Create a new Restore Point <-- Very Important

    • Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
      You need to go into the Control Panel and switch to Category View to be able to Create a New Restore Point.

    System Restore Tutorial <-- If you need it




    Safe Surfn
    Ken
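The same restore-point purge as the steps in the post above, as an added example that is not part of the original thread: it uses the Windows PowerShell `*-ComputerRestore` and `Checkpoint-Computer` cmdlets (Windows PowerShell 2.0 through 5.1, not PowerShell 7) instead of the System Properties dialog. The `$Drives` list and the restore-point description are assumptions.

```powershell
# Added example, not from the original thread. Run from an elevated
# Windows PowerShell prompt. $Drives is an assumption: list every drive that
# System Restore protects on the machine.
$Drives = @("C:\")

function Show-RestorePoints {
    # Lists what is currently on disk, so you can watch the old points go away.
    Get-ComputerRestorePoint |
        Format-Table SequenceNumber, Description, CreationTime -AutoSize
}

function Clear-RestorePoints {
    # Step 1 of the post: turning System Restore off discards every existing
    # restore point, including any that still carry the infected files.
    foreach ($d in $Drives) {
        Disable-ComputerRestore -Drive $d
        Write-Host "System Restore disabled on $d"
    }
}

function New-CleanRestorePoint {
    # Steps 2 and 3 of the post, run after the reboot: re-enable protection,
    # then take a fresh, known-clean snapshot to roll back to later.
    foreach ($d in $Drives) {
        Enable-ComputerRestore -Drive $d
        Write-Host "System Restore enabled on $d"
    }
    Checkpoint-Computer -Description "Clean after Vundo removal" `
                        -RestorePointType MODIFY_SETTINGS
}

# Run in two sittings, mirroring the reboot the post puts between off and on:
#   1st run:  Show-RestorePoints; Clear-RestorePoints; Restart-Computer
#   2nd run:  New-CleanRestorePoint; Show-RestorePoints
# After the second run only the newly created restore point should be listed.
```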

  9. #9
    Junior Member
    Join Date
    Oct 2007
    Posts
    5

    Default

    Thank you!

  10. #10
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    You're very welcome

    Stay Well,
    Ken
