
Thread: Virtumonde

  1. #1
    Junior Member
    Join Date
    Oct 2008
    Posts
    11

    Virtumonde

    Thanks in advance. I believe my computer is infected with Virtumonde. I have tried the usual fixes, including "vundofix.exe" from "bleepingcomputer", with no luck.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:49:58 PM, on 10/3/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BM7692468d] Rundll32.exe "C:\WINDOWS\system32\tdxjwafb.dll",s
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [A00F58DB1.exe] C:\DOCUME~1\doug\LOCALS~1\Temp\_A00F58DB1.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: MRI_DISABLED
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
    O15 - Trusted Zone: www.har.com
    O15 - Trusted Zone: http://www.msn.com
    O15 - Trusted Zone: www.rci.com
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
    O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/download...2/axofupld.cab
    O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/download...2/axofupld.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O20 - AppInit_DLLs: uscarw.dl mezvmx.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NkPtpEnumP2 - Nikon Corporation - C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe

    --
    End of file - 5710 bytes

  2. #2
    Shaba
    Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,644


    Hi DROSS

    Looking over your log, it seems you don't have any evidence of anti-virus software.

    Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors NOW:

    1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Free support.
    2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
    3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

    You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.

    After that, rename HijackThis.exe to DROSS.exe and post back a fresh HijackThis log, please.

    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member
    Join Date
    Oct 2008
    Posts
    11


    Ok, here is the new log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:24:25 PM, on 10/6/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {186A8634-5DC8-493E-83BD-204262DB3DFA} - (no file)
    O2 - BHO: (no name) - {1EB15B9E-50B5-4D84-BFD6-88A0C0392EA3} - (no file)
    O2 - BHO: (no name) - {1F3E314F-2B39-4F47-BD8D-C38892F3D1CA} - (no file)
    O2 - BHO: (no name) - {220a9551-7623-4d1f-9d08-13905d45d048} - (no file)
    O2 - BHO: (no name) - {29ABBFE0-411F-419C-A810-C0BAD65023A0} - (no file)
    O2 - BHO: (no name) - {2C38E81D-D1EB-4E11-BD94-26B458D72808} - (no file)
    O2 - BHO: {d241f49e-0853-8e69-4cd4-244341a8dc93} - {39cd8a14-3442-4dc4-96e8-3580e94f142d} - C:\WINDOWS\system32\lrjpan.dll (file missing)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {655E256A-5D3B-46CE-8EA2-BF2CA7CB465A} - (no file)
    O2 - BHO: (no name) - {6AB5A0C4-5398-4058-A30D-40C1495B54C3} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {77A62B9E-35D9-4907-8941-0460B082D744} - (no file)
    O2 - BHO: (no name) - {86A1813C-B371-43B6-881A-14330C9631AF} - (no file)
    O2 - BHO: (no name) - {90B09C05-B70B-419A-A3D1-EBBB328F1AB4} - (no file)
    O2 - BHO: (no name) - {93DEB2D4-E29E-499A-94A6-D1AD1E5D3131} - (no file)
    O2 - BHO: (no name) - {9D2135EF-48CD-4068-8E1F-C02922235701} - (no file)
    O2 - BHO: (no name) - {A83C5380-D18E-42E9-B950-36B4E511F517} - (no file)
    O2 - BHO: (no name) - {adde7a7e-11b6-4854-937d-bd7c8ad11edb} - (no file)
    O2 - BHO: (no name) - {AEA4DE5E-37ED-4A91-A883-6D8953A84614} - C:\WINDOWS\system32\ljJCvVpQ.dll (file missing)
    O2 - BHO: (no name) - {B85ADD10-6810-4EFC-8074-02A308D2C81D} - C:\WINDOWS\system32\cbXQhHyA.dll (file missing)
    O2 - BHO: (no name) - {C5CDC138-E804-44D1-96DB-C2C156A22D5E} - (no file)
    O2 - BHO: (no name) - {c991d828-66f1-441b-ab60-b1afe060e009} - (no file)
    O2 - BHO: (no name) - {D5976204-462E-48D2-9970-B2F0AB2CD3C8} - (no file)
    O2 - BHO: (no name) - {e69c0268-32a8-4872-aa25-9d01367593b3} - (no file)
    O2 - BHO: (no name) - {FA3C1647-4771-4680-929C-C888357D83AA} - (no file)
    O2 - BHO: (no name) - {FC1D9694-AEB9-4ED5-B78F-0DD29FA50ACD} - (no file)
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [BM7692468d] Rundll32.exe "C:\WINDOWS\system32\qpbwnkqk.dll",s
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: MRI_DISABLED
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
    O15 - Trusted Zone: www.har.com
    O15 - Trusted Zone: http://www.msn.com
    O15 - Trusted Zone: www.rci.com
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
    O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/download...2/axofupld.cab
    O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/download...2/axofupld.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: uscarw.dl,xuxybj.dll,lrjpan.dll,avgrsstx.dll
    O20 - Winlogon Notify: 75a175be382 - C:\WINDOWS\system32\__c00B63B5.dat (file missing)
    O20 - Winlogon Notify: ljJCvVpQ - ljJCvVpQ.dll (file missing)
    O20 - Winlogon Notify: __c0023479 - C:\WINDOWS\system32\__c0023479.dat (file missing)
    O20 - Winlogon Notify: __c0043018 - C:\WINDOWS\system32\__c0043018.dat (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NkPtpEnumP2 - Nikon Corporation - C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe

    --
    End of file - 8928 bytes
    Thanks.

  4. #4
    Shaba
    Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,644


    Looks like AVG removed the infection partly.

    We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link).
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New HijackThis log.


    A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

  5. #5
    Junior Member
    Join Date
    Oct 2008
    Posts
    11


    ComboFix 08-10-06.03 - doug 2008-10-06 15:49:28.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.635 [GMT -5:00]
    Running from: C:\Documents and Settings\doug\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\doug\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\VAV
    C:\Program Files\VAV\vav.ooo
    C:\WINDOWS\BM7692468d.txt
    C:\WINDOWS\BM7692468d.xml
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\ahliljoe.ini
    C:\WINDOWS\system32\ainjsery.ini
    C:\WINDOWS\system32\AyHhQXbc.ini
    C:\WINDOWS\system32\AyHhQXbc.ini2
    C:\WINDOWS\system32\boxqhomg.ini
    C:\WINDOWS\system32\cixqmjdv.ini
    C:\WINDOWS\system32\cjyvutap.ini
    C:\WINDOWS\system32\ekmlocoo.ini
    C:\WINDOWS\system32\eptuhscm.ini
    C:\WINDOWS\system32\esyffjem.ini
    C:\WINDOWS\system32\ewgsfe.dll
    C:\WINDOWS\system32\ewpatkfg.dll
    C:\WINDOWS\system32\fwvosfgp.ini
    C:\WINDOWS\system32\gbprcbbe.ini
    C:\WINDOWS\system32\gfktapwe.ini
    C:\WINDOWS\system32\gfsiahny.dll
    C:\WINDOWS\system32\gpoxvart.dll
    C:\WINDOWS\system32\gstgjdyx.ini
    C:\WINDOWS\system32\hdxouoto.ini
    C:\WINDOWS\system32\hldogofi.ini
    C:\WINDOWS\system32\hofyuoop.dll
    C:\WINDOWS\system32\ifpiyeyl.ini
    C:\WINDOWS\system32\jamwgamr.ini
    C:\WINDOWS\system32\khnibpwp.ini
    C:\WINDOWS\system32\kkniloeh.ini
    C:\WINDOWS\system32\ksanxjvp.ini
    C:\WINDOWS\system32\lcndfcyx.ini
    C:\WINDOWS\system32\lmtqjxue.ini
    C:\WINDOWS\system32\lpwxtqbg.ini
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\mlpsqcsk.ini
    C:\WINDOWS\system32\nmuewwts.ini
    C:\WINDOWS\system32\obpkhukc.ini
    C:\WINDOWS\system32\obqvaklc.ini
    C:\WINDOWS\system32\ofswvosu.ini
    C:\WINDOWS\system32\ojmvkxky.dll
    C:\WINDOWS\system32\ojrqvkus.ini
    C:\WINDOWS\system32\onldydoo.ini
    C:\WINDOWS\system32\pcscufas.ini
    C:\WINDOWS\system32\qecrbhun.ini
    C:\WINDOWS\system32\rilnkcjl.ini
    C:\WINDOWS\system32\sdrrbqta.ini
    C:\WINDOWS\system32\tddeojsm.ini
    C:\WINDOWS\system32\tmaocjdx.ini
    C:\WINDOWS\system32\tnlkjhgl.ini
    C:\WINDOWS\system32\vuslmorc.ini
    C:\WINDOWS\system32\wdjcvlht.ini
    C:\WINDOWS\system32\whjfifeq.dll
    C:\WINDOWS\system32\wliahmcn.ini
    C:\WINDOWS\system32\wrbgsz.dll
    C:\WINDOWS\system32\xhbrnigb.ini
    C:\WINDOWS\system32\xnrkmfvj.ini
    C:\WINDOWS\system32\xuxybj.dll
    C:\xcrashdump.dat

    .
    ((((((((((((((((((((((((( Files Created from 2008-09-06 to 2008-10-06 )))))))))))))))))))))))))))))))
    .

    2008-10-06 09:31 . 2008-10-06 10:05 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-10-06 09:25 . 2008-10-06 09:25 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-10-06 09:25 . 2008-10-06 09:25 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-10-06 09:25 . 2008-10-06 09:25 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
    2008-10-06 09:24 . 2008-10-06 15:08 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
    2008-10-06 09:24 . 2008-10-06 09:24 <DIR> d-------- C:\Program Files\AVG
    2008-10-06 09:24 . 2008-10-06 09:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
    2008-10-05 15:07 . 2008-10-05 20:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-10-05 15:07 . 2008-10-05 15:07 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-10-05 14:36 . 2008-10-05 14:36 67,072 --a------ C:\WINDOWS\system32\pvjxnask.dll
    2008-10-04 14:36 . 2008-10-04 14:36 123,904 --a------ C:\WINDOWS\system32\wddhhrjr.dll
    2008-10-03 21:49 . 2008-10-03 21:49 <DIR> d-------- C:\Program Files\Trend Micro
    2008-10-02 19:39 . 2008-10-02 19:39 <DIR> d-------- C:\VundoFix Backups
    2008-10-01 11:28 . 2008-10-01 11:28 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2008-10-01 11:26 . 2008-10-01 11:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-06 14:14 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
    2008-10-06 01:02 1,252 ----a-w C:\Documents and Settings\doug\Application Data\wklnhst.dat
    2008-10-05 18:41 --------- d-----w C:\Program Files\Microsoft Money 2005
    2008-10-03 01:33 --------- d-----w C:\Program Files\Lavasoft
    2008-10-03 01:31 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-10-03 01:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-09-24 13:51 --------- d-----w C:\Documents and Settings\doug\Application Data\AdobeUM
    2008-09-06 17:30 512 ----a-w C:\ScanSectorLog.dat
    2008-08-31 15:45 --------- d-----w C:\Program Files\Strategic Command
    2008-08-31 15:45 --------- d-----w C:\Program Files\Sonic
    2008-08-31 15:30 --------- d-----w C:\Program Files\Symantec
    2008-08-31 15:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-08-30 21:52 --------- d-----w C:\Program Files\Microsoft Games
    2008-08-29 03:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-22 339968]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
    "eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
    "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
    "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 282624]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-06 1234712]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MRI_DISABLED
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]
    NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-12-22 118784]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.iv41"= ir41_32.dll
    "MSACM.CEGSM"= mobilev.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a------ 2005-02-17 01:11 49152 C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
    --a------ 2005-04-11 17:21 794624 C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-10-06 97928]
    R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-10-06 875288]
    R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-06 231704]
    R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-10-06 76040]
    R2 NkPtpEnumP2;NkPtpEnumP2;C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe [2005-06-17 24064]
    R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-03-22 200192]
    R3 VBus;Virtual Bus;C:\WINDOWS\system32\DRIVERS\NkVBus.sys [2005-06-17 17664]
    S3 bDMusicb;bDMusicb;C:\DOCUME~1\doug\LOCALS~1\Temp\bDMusicb.sys [ ]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{186A8634-5DC8-493E-83BD-204262DB3DFA} - (no file)
    BHO-{1EB15B9E-50B5-4D84-BFD6-88A0C0392EA3} - (no file)
    BHO-{1F3E314F-2B39-4F47-BD8D-C38892F3D1CA} - (no file)
    BHO-{220a9551-7623-4d1f-9d08-13905d45d048} - (no file)
    BHO-{29ABBFE0-411F-419C-A810-C0BAD65023A0} - (no file)
    BHO-{2C38E81D-D1EB-4E11-BD94-26B458D72808} - (no file)
    BHO-{39cd8a14-3442-4dc4-96e8-3580e94f142d} - C:\WINDOWS\system32\lrjpan.dll
    BHO-{655E256A-5D3B-46CE-8EA2-BF2CA7CB465A} - (no file)
    BHO-{6AB5A0C4-5398-4058-A30D-40C1495B54C3} - (no file)
    BHO-{77A62B9E-35D9-4907-8941-0460B082D744} - (no file)
    BHO-{86A1813C-B371-43B6-881A-14330C9631AF} - (no file)
    BHO-{90B09C05-B70B-419A-A3D1-EBBB328F1AB4} - (no file)
    BHO-{93DEB2D4-E29E-499A-94A6-D1AD1E5D3131} - (no file)
    BHO-{9D2135EF-48CD-4068-8E1F-C02922235701} - (no file)
    BHO-{A83C5380-D18E-42E9-B950-36B4E511F517} - (no file)
    BHO-{adde7a7e-11b6-4854-937d-bd7c8ad11edb} - (no file)
    BHO-{AEA4DE5E-37ED-4A91-A883-6D8953A84614} - C:\WINDOWS\system32\ljJCvVpQ.dll
    BHO-{B85ADD10-6810-4EFC-8074-02A308D2C81D} - C:\WINDOWS\system32\cbXQhHyA.dll
    BHO-{C5CDC138-E804-44D1-96DB-C2C156A22D5E} - (no file)
    BHO-{c991d828-66f1-441b-ab60-b1afe060e009} - (no file)
    BHO-{D5976204-462E-48D2-9970-B2F0AB2CD3C8} - (no file)
    BHO-{e69c0268-32a8-4872-aa25-9d01367593b3} - (no file)
    BHO-{FA3C1647-4771-4680-929C-C888357D83AA} - (no file)
    BHO-{FC1D9694-AEB9-4ED5-B78F-0DD29FA50ACD} - (no file)
    HKLM-Run-BM7692468d - C:\WINDOWS\system32\qpbwnkqk.dll
    ShellExecuteHooks-{AEA4DE5E-37ED-4A91-A883-6D8953A84614} - C:\WINDOWS\system32\ljJCvVpQ.dll
    Notify-75a175be382 - C:\WINDOWS\system32\__c00B63B5.dat
    Notify-__c0023479 - C:\WINDOWS\system32\__c0023479.dat
    Notify-__c0043018 - C:\WINDOWS\system32\__c0043018.dat
    Notify-ljJCvVpQ - ljJCvVpQ.dll


    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = hxxp://msn.com/
    R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
    R0 -: HKLM-Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
    R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
    O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O15 -: Trusted Zone: www.har.com
    O15 -: Trusted Zone: www.rci.com
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-06 15:57:06
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????4?4?6?6??????? ???B?????????????hLC? ??????

    scanning hidden files ...


    C:\WINDOWS\TEMP\32345e3f-b090-474c-af63-600a5701fd10.tmp
    C:\WINDOWS\TEMP\75478b87-6d96-4cda-baa1-ce50db74a9f8.tmp

    scan completed successfully
    hidden files: 2

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\WINDOWS\system32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2008-10-06 16:06:52 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-10-06 21:06:47
    Pre-Run: 5,382,017,024 bytes free
    Post-Run: 5,500,743,680 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    230 --- E O F --- 2008-08-17 08:07:15

    OK, here is the ComboFix log; I will post the HijackThis log next.
    Thanks.

  6. #6
    Junior Member
    Join Date
    Oct 2008
    Posts
    11


    Here is the HijackThis log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:00:43 PM, on 10/6/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: MRI_DISABLED
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
    O15 - Trusted Zone: www.har.com
    O15 - Trusted Zone: http://www.msn.com
    O15 - Trusted Zone: www.rci.com
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
    O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/download...2/axofupld.cab
    O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/download...2/axofupld.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NkPtpEnumP2 - Nikon Corporation - C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe

    --
    End of file - 6467 bytes

  7. #7
    Emeritus Shaba's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,644

    Default

    Looks much better

    Open notepad and copy/paste the text in the codebox below into it:

    Code:
    File::
    C:\WINDOWS\TEMP\32345e3f-b090-474c-af63-600a5701fd10.tmp
    C:\WINDOWS\TEMP\75478b87-6d96-4cda-baa1-ce50db74a9f8.tmp
    C:\WINDOWS\system32\pvjxnask.dll
    C:\WINDOWS\system32\wddhhrjr.dll
    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  8. #8
    Junior Member
    Join Date
    Oct 2008
    Posts
    11

    Default

    Ok, here is the combo log. I will follow with the new Hijack log. Everything seems to be running well so far but I guess it is the "TeaTimer" that keeps asking about registry changes.

    ComboFix 08-10-06.03 - doug 2008-10-07 20:14:26.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.656 [GMT -5:00]
    Running from: C:\Documents and Settings\doug\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\doug\Desktop\CFSCRIPT.txt
    * Created a new restore point

    FILE ::
    C:\WINDOWS\system32\pvjxnask.dll
    C:\WINDOWS\system32\wddhhrjr.dll
    C:\WINDOWS\TEMP\32345e3f-b090-474c-af63-600a5701fd10.tmp
    C:\WINDOWS\TEMP\75478b87-6d96-4cda-baa1-ce50db74a9f8.tmp
    .

    ((((((((((((((((((((((((( Files Created from 2008-09-08 to 2008-10-08 )))))))))))))))))))))))))))))))
    .

    2008-10-06 09:31 . 2008-10-07 03:57 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-10-06 09:25 . 2008-10-06 09:25 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-10-06 09:25 . 2008-10-06 09:25 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-10-06 09:25 . 2008-10-06 09:25 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
    2008-10-06 09:24 . 2008-10-07 15:43 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
    2008-10-06 09:24 . 2008-10-06 09:24 <DIR> d-------- C:\Program Files\AVG
    2008-10-06 09:24 . 2008-10-06 09:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
    2008-10-03 21:49 . 2008-10-03 21:49 <DIR> d-------- C:\Program Files\Trend Micro
    2008-10-02 19:39 . 2008-10-02 19:39 <DIR> d-------- C:\VundoFix Backups
    2008-10-01 11:28 . 2008-10-01 11:28 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2008-10-01 11:26 . 2008-10-01 11:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-08 00:53 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
    2008-10-06 01:02 1,252 ----a-w C:\Documents and Settings\doug\Application Data\wklnhst.dat
    2008-10-05 18:41 --------- d-----w C:\Program Files\Microsoft Money 2005
    2008-10-03 01:33 --------- d-----w C:\Program Files\Lavasoft
    2008-10-03 01:31 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-10-03 01:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-09-24 13:51 --------- d-----w C:\Documents and Settings\doug\Application Data\AdobeUM
    2008-09-06 17:30 512 ----a-w C:\ScanSectorLog.dat
    2008-08-31 15:45 --------- d-----w C:\Program Files\Strategic Command
    2008-08-31 15:45 --------- d-----w C:\Program Files\Sonic
    2008-08-31 15:30 --------- d-----w C:\Program Files\Symantec
    2008-08-31 15:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-08-30 21:52 --------- d-----w C:\Program Files\Microsoft Games
    2008-08-29 03:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
    2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
    2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
    2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
    2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
    2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
    2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-22 339968]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
    "eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
    "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
    "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 282624]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-06 1234712]
    "BM7692468d"="C:\WINDOWS\system32\qpbwnkqk.dll" [BU]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MRI_DISABLED
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]
    NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-12-22 118784]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.iv41"= ir41_32.dll
    "MSACM.CEGSM"= mobilev.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a------ 2005-02-17 01:11 49152 C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
    --a------ 2005-04-11 17:21 794624 C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-10-06 97928]
    R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-10-06 875288]
    R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-06 231704]
    R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-10-06 76040]
    R2 NkPtpEnumP2;NkPtpEnumP2;C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe [2005-06-17 24064]
    R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-03-22 200192]
    R3 VBus;Virtual Bus;C:\WINDOWS\system32\DRIVERS\NkVBus.sys [2005-06-17 17664]
    S3 bDMusicb;bDMusicb;C:\DOCUME~1\doug\LOCALS~1\Temp\bDMusicb.sys [ ]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{186A8634-5DC8-493E-83BD-204262DB3DFA} - (no file)
    BHO-{1EB15B9E-50B5-4D84-BFD6-88A0C0392EA3} - (no file)
    BHO-{1F3E314F-2B39-4F47-BD8D-C38892F3D1CA} - (no file)
    BHO-{220a9551-7623-4d1f-9d08-13905d45d048} - (no file)
    BHO-{29ABBFE0-411F-419C-A810-C0BAD65023A0} - (no file)
    BHO-{2C38E81D-D1EB-4E11-BD94-26B458D72808} - (no file)
    BHO-{39cd8a14-3442-4dc4-96e8-3580e94f142d} - (no file)
    BHO-{655E256A-5D3B-46CE-8EA2-BF2CA7CB465A} - (no file)
    BHO-{6AB5A0C4-5398-4058-A30D-40C1495B54C3} - (no file)
    BHO-{77A62B9E-35D9-4907-8941-0460B082D744} - (no file)
    BHO-{86A1813C-B371-43B6-881A-14330C9631AF} - (no file)
    BHO-{90B09C05-B70B-419A-A3D1-EBBB328F1AB4} - (no file)
    BHO-{93DEB2D4-E29E-499A-94A6-D1AD1E5D3131} - (no file)
    BHO-{9D2135EF-48CD-4068-8E1F-C02922235701} - (no file)
    BHO-{A83C5380-D18E-42E9-B950-36B4E511F517} - (no file)
    BHO-{adde7a7e-11b6-4854-937d-bd7c8ad11edb} - (no file)
    BHO-{AEA4DE5E-37ED-4A91-A883-6D8953A84614} - (no file)
    BHO-{B85ADD10-6810-4EFC-8074-02A308D2C81D} - (no file)
    BHO-{C5CDC138-E804-44D1-96DB-C2C156A22D5E} - (no file)
    BHO-{c991d828-66f1-441b-ab60-b1afe060e009} - (no file)
    BHO-{D5976204-462E-48D2-9970-B2F0AB2CD3C8} - (no file)
    BHO-{e69c0268-32a8-4872-aa25-9d01367593b3} - (no file)
    BHO-{FA3C1647-4771-4680-929C-C888357D83AA} - (no file)
    BHO-{FC1D9694-AEB9-4ED5-B78F-0DD29FA50ACD} - (no file)



    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-07 20:17:36
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????4?4?6?6??P???? ???B?????????????hLC? ??????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-10-07 20:20:46
    ComboFix-quarantined-files.txt 2008-10-08 01:20:25
    ComboFix2.txt 2008-10-06 21:06:53

    Pre-Run: 8,686,071,808 bytes free
    Post-Run: 8,685,576,192 bytes free

    148 --- E O F --- 2008-08-17 08:07:15

  9. #9
    Junior Member
    Join Date
    Oct 2008
    Posts
    11

    Default

    Here is the Hijack log.
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:25:36 PM, on 10/7/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {186A8634-5DC8-493E-83BD-204262DB3DFA} - (no file)
    O2 - BHO: (no name) - {1EB15B9E-50B5-4D84-BFD6-88A0C0392EA3} - (no file)
    O2 - BHO: (no name) - {1F3E314F-2B39-4F47-BD8D-C38892F3D1CA} - (no file)
    O2 - BHO: (no name) - {220a9551-7623-4d1f-9d08-13905d45d048} - (no file)
    O2 - BHO: (no name) - {29ABBFE0-411F-419C-A810-C0BAD65023A0} - (no file)
    O2 - BHO: (no name) - {2C38E81D-D1EB-4E11-BD94-26B458D72808} - (no file)
    O2 - BHO: (no name) - {39cd8a14-3442-4dc4-96e8-3580e94f142d} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {655E256A-5D3B-46CE-8EA2-BF2CA7CB465A} - (no file)
    O2 - BHO: (no name) - {6AB5A0C4-5398-4058-A30D-40C1495B54C3} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {77A62B9E-35D9-4907-8941-0460B082D744} - (no file)
    O2 - BHO: (no name) - {86A1813C-B371-43B6-881A-14330C9631AF} - (no file)
    O2 - BHO: (no name) - {90B09C05-B70B-419A-A3D1-EBBB328F1AB4} - (no file)
    O2 - BHO: (no name) - {93DEB2D4-E29E-499A-94A6-D1AD1E5D3131} - (no file)
    O2 - BHO: (no name) - {9D2135EF-48CD-4068-8E1F-C02922235701} - (no file)
    O2 - BHO: (no name) - {A83C5380-D18E-42E9-B950-36B4E511F517} - (no file)
    O2 - BHO: (no name) - {adde7a7e-11b6-4854-937d-bd7c8ad11edb} - (no file)
    O2 - BHO: (no name) - {AEA4DE5E-37ED-4A91-A883-6D8953A84614} - (no file)
    O2 - BHO: (no name) - {B85ADD10-6810-4EFC-8074-02A308D2C81D} - (no file)
    O2 - BHO: (no name) - {C5CDC138-E804-44D1-96DB-C2C156A22D5E} - (no file)
    O2 - BHO: (no name) - {c991d828-66f1-441b-ab60-b1afe060e009} - (no file)
    O2 - BHO: (no name) - {D5976204-462E-48D2-9970-B2F0AB2CD3C8} - (no file)
    O2 - BHO: (no name) - {e69c0268-32a8-4872-aa25-9d01367593b3} - (no file)
    O2 - BHO: (no name) - {FA3C1647-4771-4680-929C-C888357D83AA} - (no file)
    O2 - BHO: (no name) - {FC1D9694-AEB9-4ED5-B78F-0DD29FA50ACD} - (no file)
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [BM7692468d] Rundll32.exe "C:\WINDOWS\system32\qpbwnkqk.dll",s
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: MRI_DISABLED
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
    O15 - Trusted Zone: www.har.com
    O15 - Trusted Zone: http://www.msn.com
    O15 - Trusted Zone: www.rci.com
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
    O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/download...2/axofupld.cab
    O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/download...2/axofupld.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NkPtpEnumP2 - Nikon Corporation - C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe

    --
    End of file - 8252 bytes

  10. #10
    Emeritus Shaba's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,644

    Default

    Yes, TeaTimer needs to be disabled.

    We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:

    1. Run Spybot-S&D in Advanced Mode.
    2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
    3. On the left-hand side, click on Tools.
    4. Then click on the Resident icon in the list.
    5. Uncheck "Resident TeaTimer" and OK any prompts.
    6. Restart your computer.

    Download ResetTeaTimer.bat to the Desktop:
    http://downloads.subratam.org/ResetTeaTimer.bat
    Double click ResetTeaTimer.bat to remove all entries set by TeaTimer (and prevent TeaTimer from restoring them upon reactivation).

    Open HijackThis, click "Do a system scan only" and checkmark these:

    O2 - BHO: (no name) - {186A8634-5DC8-493E-83BD-204262DB3DFA} - (no file)
    O2 - BHO: (no name) - {1EB15B9E-50B5-4D84-BFD6-88A0C0392EA3} - (no file)
    O2 - BHO: (no name) - {1F3E314F-2B39-4F47-BD8D-C38892F3D1CA} - (no file)
    O2 - BHO: (no name) - {220a9551-7623-4d1f-9d08-13905d45d048} - (no file)
    O2 - BHO: (no name) - {29ABBFE0-411F-419C-A810-C0BAD65023A0} - (no file)
    O2 - BHO: (no name) - {2C38E81D-D1EB-4E11-BD94-26B458D72808} - (no file)
    O2 - BHO: (no name) - {39cd8a14-3442-4dc4-96e8-3580e94f142d} - (no file)
    O2 - BHO: (no name) - {655E256A-5D3B-46CE-8EA2-BF2CA7CB465A} - (no file)
    O2 - BHO: (no name) - {6AB5A0C4-5398-4058-A30D-40C1495B54C3} - (no file)
    O2 - BHO: (no name) - {77A62B9E-35D9-4907-8941-0460B082D744} - (no file)
    O2 - BHO: (no name) - {86A1813C-B371-43B6-881A-14330C9631AF} - (no file)
    O2 - BHO: (no name) - {90B09C05-B70B-419A-A3D1-EBBB328F1AB4} - (no file)
    O2 - BHO: (no name) - {93DEB2D4-E29E-499A-94A6-D1AD1E5D3131} - (no file)
    O2 - BHO: (no name) - {9D2135EF-48CD-4068-8E1F-C02922235701} - (no file)
    O2 - BHO: (no name) - {A83C5380-D18E-42E9-B950-36B4E511F517} - (no file)
    O2 - BHO: (no name) - {adde7a7e-11b6-4854-937d-bd7c8ad11edb} - (no file)
    O2 - BHO: (no name) - {AEA4DE5E-37ED-4A91-A883-6D8953A84614} - (no file)
    O2 - BHO: (no name) - {B85ADD10-6810-4EFC-8074-02A308D2C81D} - (no file)
    O2 - BHO: (no name) - {C5CDC138-E804-44D1-96DB-C2C156A22D5E} - (no file)
    O2 - BHO: (no name) - {c991d828-66f1-441b-ab60-b1afe060e009} - (no file)
    O2 - BHO: (no name) - {D5976204-462E-48D2-9970-B2F0AB2CD3C8} - (no file)
    O2 - BHO: (no name) - {e69c0268-32a8-4872-aa25-9d01367593b3} - (no file)
    O2 - BHO: (no name) - {FA3C1647-4771-4680-929C-C888357D83AA} - (no file)
    O4 - HKLM\..\Run: [BM7692468d] Rundll32.exe "C:\WINDOWS\system32\qpbwnkqk.dll",s


    Close all windows including browser and press fix checked.

    Reboot.

    Re-enable TeaTimer.

    Post back a fresh HijackThis log, please.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
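The entries Shaba picks out for HijackThis to fix fall into two groups: O2 BHO registrations whose DLL no longer exists ("(no file)"), and an O4 Run value that makes Rundll32 load an unrecognised DLL out of the Windows directory. As an added example that is not part of this thread and is not code from HijackThis or ComboFix, here is a small Python triage script that applies those two rules to a few log lines copied from post #9. The sample input is constructed from the thread; the regular expressions and the letters-only file-name heuristic are my own assumptions, and its output is a review list, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: lines taken from the HijackThis log posted in this
# thread (post #9), with a few benign entries kept for contrast.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {186A8634-5DC8-493E-83BD-204262DB3DFA} - (no file)
O2 - BHO: (no name) - {1EB15B9E-50B5-4D84-BFD6-88A0C0392EA3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BM7692468d] Rundll32.exe "C:\WINDOWS\system32\qpbwnkqk.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# HijackThis line shapes (assumed from the log format seen in this thread).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
# A rundll32 command line, capturing the DLL it is told to load.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def triage(log_text: str) -> List[Finding]:
    """Return the HijackThis entries that deserve a second look, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = O2_RE.match(line)
        if m:
            # A BHO whose registered DLL is gone: the file was removed but the
            # CLSID registration was left behind (or put back by TeaTimer).
            if m.group("path") == "(no file)":
                findings.append(Finding(line, f"orphaned BHO registration {{{m.group('clsid')}}}"))
            continue

        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m.group("cmd"))
            if not r:
                continue
            dll = r.group("dll")
            stem = dll.rsplit("\\", 1)[-1][:-4]          # file name without ".dll"
            in_windows_dir = "\\windows\\" in dll.lower()
            # Heuristic (assumption): vendor software starts its own .exe from
            # Program Files, so a Run value that has rundll32 load a DLL dropped
            # in the Windows directory under a letters-only, meaningless name is
            # the pattern flagged in this thread and is worth reviewing.
            if in_windows_dir and re.fullmatch(r"[a-z]{6,12}", stem):
                findings.append(Finding(line, f"rundll32 loads unrecognised DLL {dll} from the Windows directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample, it reports the two orphaned BHOs and the BM7692468d Run value, and leaves the Adobe, Spybot, AVG and ctfmon entries alone. The file-name check is deliberately loose; its job is to shorten the list a human reads, which is what the helper in this thread did by hand.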
