help with virtumonde removal

**mxmstrs** · 2008-08-10, 15:42

ComboFix 08-08-09.06 - Owner 2008-08-10 9:27:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.653 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.
/wow section - STAGE 40
pv: No matching processes found
The syntax of the command is incorrect.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\lsass.exe
C:\WINDOWS\17PHolmes1188.exe
C:\WINDOWS\BM3b1f74fb.txt
C:\WINDOWS\BM3b1f74fb.xml
C:\WINDOWS\system32\aombbmkt.dll
C:\WINDOWS\system32\ctjmdz.dll
C:\WINDOWS\system32\dipgumfu.exe
C:\WINDOWS\system32\djvythqt.exe
C:\WINDOWS\system32\iifcCurP.dll
C:\WINDOWS\system32\ljJaawVO.dll
C:\WINDOWS\system32\mqdnimea.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nnnMgfFu.dll
C:\WINDOWS\system32\ocujlfaw.dll
C:\WINDOWS\system32\OVwaaJjl.ini
C:\WINDOWS\system32\OVwaaJjl.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\sokpej.dll
C:\WINDOWS\system32\sqjawspc.dll
C:\WINDOWS\system32\tkmbbmoa.ini
C:\WINDOWS\system32\vtUonmKd.dll
C:\WINDOWS\system32\wafljuco.ini
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

2008-08-09 14:13 . 2008-08-09 14:13 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-08-09 14:13 . 2008-08-09 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-08-09 13:29 . 2008-08-09 13:32 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-09 13:29 . 2008-08-09 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-09 13:19 . 2008-08-09 13:19 <DIR> d-------- C:\Program Files\FireTrust
2008-08-09 13:19 . 2008-08-09 13:19 <DIR> d-------- C:\Program Files\BillP Studios
2008-08-09 13:19 . 2008-08-09 13:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\WinPatrol
2008-08-09 13:19 . 2008-08-10 08:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SiteHound
2008-08-08 23:54 . 2008-08-08 23:54 <DIR> d-------- C:\WINDOWS\system32\kBin02
2008-08-08 23:54 . 2008-08-08 23:54 <DIR> d-------- C:\Temp\epr1
2008-08-08 23:54 . 2008-08-10 08:54 190,398 --a------ C:\Temp\nbU103h.exe
2008-08-08 23:54 . 2008-08-08 23:54 77 --a------ C:\Documents and Settings\Owner\8124.bat
2008-08-08 20:36 . 2008-08-08 20:36 <DIR> d-------- C:\WINDOWS\Sun
2008-08-08 20:29 . 2008-08-08 20:29 <DIR> d-------- C:\Program Files\Java
2008-08-08 20:29 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-08 20:27 . 2008-08-08 20:27 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-07 20:40 . 2008-08-07 20:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-07 20:40 . 2008-08-07 20:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-07 20:40 . 2008-08-07 20:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-07 20:40 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-07 20:40 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-06 20:27 . 2008-08-06 20:27 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-08-06 17:05 . 2008-08-06 17:05 <DIR> d-------- C:\Program Files\100% Free Hearts Toolbar
2008-08-03 11:52 . 2008-08-09 14:16 <DIR> d-------- C:\Program Files\iTunes
2008-08-03 11:52 . 2008-08-03 11:52 <DIR> d-------- C:\Program Files\iPod
2008-08-03 11:52 . 2008-08-03 11:52 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-08-03 11:51 . 2008-08-09 14:14 <DIR> d-------- C:\Program Files\QuickTime
2008-08-03 11:51 . 2008-08-09 14:15 <DIR> d-------- C:\Program Files\Bonjour
2008-08-03 11:50 . 2008-08-03 11:50 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-08-03 11:50 . 2008-08-09 14:13 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-03 11:50 . 2008-08-06 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-31 18:57 . 2008-07-31 18:57 <DIR> d-------- C:\Program Files\DreamQuest
2008-07-26 22:51 . 2008-07-26 22:51 0 --a------ C:\WINDOWS\system32\SigUpdRequest_1217127097.tmp
2008-07-26 21:38 . 2008-08-10 09:21 247,716 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
2008-07-26 21:38 . 2008-08-10 09:21 1,204 --a------ C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
2008-07-26 21:36 . 2008-08-10 09:21 247,716 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT
2008-07-26 21:36 . 2007-07-11 11:39 191,672 --a------ C:\WINDOWS\system32\drivers\idsflt.sys
2008-07-26 21:36 . 2007-05-11 09:33 132,920 --a------ C:\WINDOWS\system32\drivers\NETFLTDI.SYS
2008-07-26 21:36 . 2007-05-11 09:33 71,736 --a------ C:\WINDOWS\system32\drivers\APPFLT.SYS
2008-07-26 21:36 . 2007-05-11 09:33 51,256 --a------ C:\WINDOWS\system32\drivers\dsaflt.sys
2008-07-26 21:36 . 2007-05-11 09:33 37,304 --a------ C:\WINDOWS\system32\drivers\smsflt.sys
2008-07-26 21:36 . 2007-05-11 09:33 30,648 --a------ C:\WINDOWS\system32\drivers\wnmflt.sys
2008-07-26 21:36 . 2007-05-11 09:33 22,072 --a------ C:\WINDOWS\system32\drivers\fnetmon.sys
2008-07-26 21:36 . 2008-08-10 09:21 1,204 --a------ C:\WINDOWS\system32\drivers\APPFLTR.CFG
2008-07-26 21:20 . 2008-07-26 21:20 261 --a------ C:\WINDOWS\system32\PavCPL.dat
2008-07-26 21:19 . 2007-07-12 08:42 292,144 --a------ C:\WINDOWS\system32\PavSHook.dll
2008-07-26 21:19 . 2007-03-13 18:01 161,328 --a------ C:\WINDOWS\system32\TpUtil.dll
2008-07-26 21:19 . 2007-02-08 11:53 107,568 --a------ C:\WINDOWS\system32\SYSTOOLS.DLL
2008-07-26 21:19 . 2007-02-28 18:04 63,024 --a------ C:\WINDOWS\system32\pavipc.dll
2008-07-26 21:19 . 2007-03-15 19:38 54,832 --a------ C:\WINDOWS\system32\pavcpl.cpl
2008-07-26 21:19 . 2007-06-08 08:44 24,760 --a------ C:\WINDOWS\system32\drivers\cpoint.sys
2008-07-26 21:18 . 2008-07-26 21:18 <DIR> d-------- C:\WINDOWS\system32\PAV
2008-07-26 21:16 . 2007-07-12 08:49 178,872 -ra------ C:\WINDOWS\system32\drivers\PavProc.sys
2008-07-26 21:16 . 2007-05-23 10:40 38,968 -ra------ C:\WINDOWS\system32\drivers\ShlDrv51.sys
2008-07-26 20:24 . 2008-08-09 09:55 8,627 --a------ C:\WINDOWS\system32\PAV_FOG.OPC
2008-07-26 20:14 . 2007-06-06 05:43 83,640 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2008-07-26 20:13 . 2003-03-18 20:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2008-07-26 20:13 . 2003-02-21 04:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DLL
2008-07-26 20:12 . 2003-10-22 18:23 446,464 --a------ C:\WINDOWS\system32\HHActiveX.dll
2008-07-26 20:12 . 2007-04-24 15:43 142,128 --a------ C:\WINDOWS\system32\drivers\netimflt.sys
2008-07-26 20:12 . 2007-02-15 20:02 50,736 --a------ C:\WINDOWS\system32\avldr.dll
2008-07-26 20:12 . 2001-07-30 17:40 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-07-26 20:12 . 2007-04-24 16:43 1,990 --a------ C:\WINDOWS\system32\drivers\net_m32.inf
2008-07-26 19:55 . 2008-07-26 19:55 0 --a------ C:\WINDOWS\system32\drivers\wnmsav.dat
2008-07-26 19:40 . 2008-07-26 19:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\sentinel
2008-07-26 18:58 . 2008-07-26 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Backup
2008-07-26 18:55 . 2008-07-26 18:55 <DIR> d-------- C:\Program Files\Panda Security
2008-07-26 18:55 . 2008-07-26 18:55 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-07-26 17:59 . 2008-07-26 21:16 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2008-07-26 17:13 . 2008-08-09 23:09 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-26 17:04 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-07-26 17:03 . 2008-07-26 17:03 <DIR> d-------- C:\Program Files\MSBuild
2008-07-26 17:00 . 2008-07-26 17:00 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-07-26 16:59 . 2008-07-26 16:59 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-07-26 16:59 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-07-21 19:08 . 2008-07-21 19:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-21 18:32 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-07-21 18:32 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-07-21 18:32 . 2008-04-13 14:45 10,368 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-21 18:32 . 2008-04-13 14:45 10,368 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-07-20 08:31 . 2008-07-20 08:31 <DIR> d-------- C:\Program Files\AnswerWorks 4.0
2008-07-20 08:28 . 2008-07-20 08:32 <DIR> d-------- C:\Program Files\AutoCAD 2006
2008-07-20 08:28 . 2008-07-26 17:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Autodesk
2008-07-20 08:28 . 2008-07-20 08:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-07-20 08:27 . 2008-07-26 23:44 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-07-20 08:26 . 2008-07-20 08:26 <DIR> d-------- C:\Program Files\Autodesk
2008-07-20 07:48 . 2008-08-06 17:05 <DIR> d-------- C:\Documents and Settings\Administrator.ROBANDSHE
2008-07-19 17:33 . 2008-07-20 07:47 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-07-18 12:06 . 2008-07-29 19:13 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-07-18 09:46 . 2008-07-18 09:46 <DIR> d-------- C:\Program Files\Real
2008-07-18 09:45 . 2008-07-19 16:58 <DIR> d-------- C:\Program Files\Common Files\Real
2008-07-17 09:38 . 2008-07-20 08:25 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-07-16 22:26 . 2008-07-16 22:26 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-07-16 22:26 . 2008-07-16 22:26 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-16 22:25 . 2008-07-16 22:25 <DIR> d-------- C:\WINDOWS\system32\en
2008-07-16 22:25 . 2008-07-16 22:25 <DIR> d-------- C:\WINDOWS\system32\bits
2008-07-16 22:23 . 2008-07-16 22:23 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-16 22:15 . 2008-07-16 22:15 <DIR> d-------- C:\WINDOWS\EHome
2008-07-16 22:08 . 2008-04-13 20:12 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
2008-07-16 21:50 . 2008-07-16 21:50 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2008-07-16 21:11 . 2008-04-13 20:09 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-07-16 21:09 . 2008-07-16 21:09 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-07-16 21:09 . 2008-07-16 21:09 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-07-16 21:09 . 2008-07-16 21:09 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-07-16 21:09 . 2008-07-16 21:09 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-07-16 21:09 . 2008-07-16 21:09 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-07-16 21:07 . 2004-08-12 09:57 1,361 --a------ C:\WINDOWS\system32\fxscount.h

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-27 03:47 --------- d-----w C:\Program Files\Verizon
2008-07-27 03:45 --------- d-----w C:\Program Files\Common Files\Motive
2008-07-27 00:10 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-20 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-20 20:23 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-19 20:57 --------- d-----w C:\Program Files\NOS
2008-07-18 18:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-07-18 16:07 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-07-14 23:17 --------- d-----w C:\Documents and Settings\Owner\Application Data\Motive
2008-07-14 23:17 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Motive
2008-07-10 23:36 --------- d-----w C:\Program Files\GVC Modem User Guide
2008-07-09 22:40 --------- d-----w C:\Program Files\Intel
2008-07-09 22:22 --------- d-----w C:\Program Files\Common Files\Scanner
2008-07-09 22:21 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-06 15:55 --------- d-----w C:\Program Files\Motive
2008-07-05 22:12 --------- d-----w C:\Program Files\Common Files\Authentium
2008-07-04 23:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-04 23:02 --------- d-----w C:\Program Files\Lavasoft
2008-07-04 23:01 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-04 21:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-07-04 15:10 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-07-02 00:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2008-07-02 00:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2008-06-28 14:17 155,995 ----a-w C:\WINDOWS\java\Packages\9RHJBLVB.ZIP
2008-06-28 12:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSNInstaller
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-03-11 17:37 936960]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-07-04 12:58 333120]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 16:18:22 10872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ljJaawVO

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 APPFLT;App Filter Plugin;C:\WINDOWS\system32\Drivers\APPFLT.SYS [2007-05-11 09:33]
R1 DSAFLT;DSA Filter Plugin;C:\WINDOWS\system32\Drivers\DSAFLT.SYS [2007-05-11 09:33]
R1 FNETMON;NetMon Filter Plugin;C:\WINDOWS\system32\Drivers\fnetmon.SYS [2007-05-11 09:33]
R1 IDSFLT;Ids Filter Plugin;C:\WINDOWS\system32\Drivers\IDSFLT.SYS [2007-07-11 11:39]
R1 NETFLTDI;Panda Net Driver [TDI Layer];C:\WINDOWS\system32\Drivers\NETFLTDI.SYS [2007-05-11 09:33]
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys [2007-05-23 10:40]
R1 SMSFLT;SMS Filter Plugin;C:\WINDOWS\system32\Drivers\SMSFLT.SYS [2007-05-11 09:33]
R1 WNMFLT;Wifi Monitor Filter Plugin;C:\WINDOWS\system32\Drivers\WNMFLT.SYS [2007-05-11 09:33]
R2 CPoint;Panda CPoint Driver.;C:\WINDOWS\system32\Drivers\cpoint.sys [2007-06-08 08:44]
R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2007-07-12 08:49]
R3 NETIMFLT;PANDA NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\netimflt.sys [2007-04-24 15:43]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2008-04-13 14:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7871d40-65c2-11dd-8e27-001111437762}]
\Shell\Auto\command - E:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
.
Contents of the 'Scheduled Tasks' folder

2008-07-18 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wlxtuf1c.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://finance.yahoo.com/
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 09:33:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrlS.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PAVFNSVR.EXE
C:\Program Files\Common Files\Panda Software\PavShld\PavPrSrv.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PAVSRV51.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\FIREWALL\PSHost.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\apvxdwin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\SrvLoad.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\avciman.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\psimreal.exe
.
**************************************************************************
.
Completion time: 2008-08-10 9:37:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-10 13:37:11
ComboFix2.txt 2008-08-06 22:48:20

Pre-Run: 71,905,415,168 bytes free
Post-Run: 71,826,567,168 bytes free

262 --- E O F --- 2008-08-10 13:36:16

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:28 AM, on 8/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\Firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\ApvxdWin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\SRVLOAD.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PAVJOBS.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\ActHosp.exe
C:\Program Files\Trend Micro\HijackThis\Finder.exe.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\psimreal.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\Firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe

--
End of file - 6201 bytes

Thread: help with virtumonde removal

Thread Tools

Display

Threaded View

Posting Permissions