Thread: Help Please: Virtumonde + Smithfraud

  1. #1 Junior Member - Join Date: Nov 2008 - Posts: 16

    Help Please: Virtumonde + Smithfraud

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:05:30 AM, on 11/13/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\eEye Digital Security\Blink\blinksvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
    C:\Program Files\Sandboxie\SbieSvc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\Program Files\UltraVNC\WinVNC.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\VMware\VMware Player\vmware-authd.exe
    C:\WINDOWS\system32\vmnetdhcp.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Multimedia Card Reader\shwiconem.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\StartupMonitor.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\VMware\VMware Player\hqtray.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\Program Files\Replay7\ReplayAV.exe
    C:\Program Files\Sandboxie\SbieCtrl.exe
    C:\Program Files\PC Magazine Utilities\SurfSpeed 2\SurfSpeed.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Common Files\11 News ALERT\TrueWeather.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Process Explorer\procexp.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\AutoHotkey\AutoHotkey.exe
    C:\Program Files\Dropbox\Dropbox.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AutoHotkey\AutoHotkey.exe
    C:\Program Files\MagicDisc\MagicDisc.exe
    C:\Program Files\AutoHotkey\AutoHotkey.exe
    C:\Program Files\AutoHotkey\AutoHotkey.exe
    C:\Program Files\TaskbarPP\TaskbarPP.exe
    C:\Program Files\trayit!_3.1.2.2\TrayIt!.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\CDBurnerXP\NMSAccessU.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/index.jsp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=www-proxy.us.oracle.com:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.oracle.com; *.oraclecorp.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O1 - Hosts: 141.121.96.115 srfs4 #PRE
    O1 - Hosts: 141.121.53.99 screamer #PRE
    O1 - Hosts: ;127.0.0.1 banners.wunderground.com
    O1 - Hosts: ; 127.0.0.1 rmads.eu.msn.com
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O3 - Toolbar: Adelphia Toolbar - {E5E2F8B2-79A4-495C-8581-90BA2C845CC2} - C:\Program Files\Adelphia Toolbar\Adelphia.dll (file missing)
    O3 - Toolbar: Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1042715665.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Multimedia Card Reader\shwiconem.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\RunServices: [Microsoft Lsass Service] wintcp32.exe
    O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [Replay AV] "C:\Program Files\Replay7\ReplayAV.exe" -quiet
    O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
    O4 - HKCU\..\Run: [PCMagSurfSpeed2] "C:\Program Files\PC Magazine Utilities\SurfSpeed 2\SurfSpeed.exe" /m
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKLM\..\Policies\Explorer\Run: [Lsass Service] C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\lsass.exe
    O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: AutorunsDisabled
    O4 - Startup: DblRight.lnk = C:\Documents and Settings\Owner\My Documents\AHK Scripts\DblRight.ahk
    O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\Dropbox.exe
    O4 - Startup: FileFullPath.lnk = C:\Documents and Settings\Owner\My Documents\AHK Scripts\FileFullPath.ahk
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O4 - Startup: Mouse2Type.lnk = C:\Documents and Settings\Owner\My Documents\AHK Scripts\Mouse2Type.ahk
    O4 - Startup: Mouse_button45_macros.lnk = C:\Program Files\Logitech\SetPoint\uberOptions\Mouse_button45_macros.ahk
    O4 - Startup: Taskbar++.lnk = C:\Program Files\TaskbarPP\TaskbarPP.exe
    O4 - Startup: TrayIt!.lnk = C:\Program Files\trayit!_3.1.2.2\TrayIt!.exe
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    O4 - Global Startup: 11 News ALERT.lnk = C:\Program Files\Common Files\11 News ALERT\TrueWeather.exe
    O4 - Global Startup: Logitech SetPoint.lnk = ?
    O4 - Global Startup: Process Explorer.lnk = C:\Program Files\Process Explorer\procexp.exe
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
    O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
    O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
    O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
    O8 - Extra context menu item: BugMeNot - C:\Program Files\Maxthon\Plugin\BugMeNot4Maxthon\BugMeNot4Maxthon.html
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Identities Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
    O8 - Extra context menu item: Note this (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1042715665.dll/gn_menu1.html
    O8 - Extra context menu item: Note this item (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1042715665.dll/gn_menu2.html
    O8 - Extra context menu item: Passcards Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
    O9 - Extra 'Tools' menuitem: &Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
    O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
    O9 - Extra button: Adelphia Toolbar - {E5E2F8B2-79A4-495C-8581-90BA2C845CC2} - C:\Program Files\Adelphia Toolbar\Adelphia.dll (file missing)
    O9 - Extra 'Tools' menuitem: Adelphia Toolbar - {E5E2F8B2-79A4-495C-8581-90BA2C845CC2} - C:\Program Files\Adelphia Toolbar\Adelphia.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net/
    O16 - DPF: {0006F063-0000-0000-C000-000000000046} (Microsoft Outlook View Control) - http://activex.microsoft.com/activex...e/outlctlx.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {399CB6C4-7312-11D2-B4D9-00105A0422DF} (HHComponentActivator Class) - http://activex.microsoft.com/objects/ocget.dll
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://www.viidoo.tv/TVUAx.dll
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource...scbase7617.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1073287747703
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/5...l/gtdownls.cab
    O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/b...ploader_v6.cab
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://www.twcable.com/dana-cached/...erSetupSP1.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup162.cab
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Filter hijack: text/html - {72D50253-BE71-4c85-9B38-6331E5AD1499} - C:\Program Files\eEye Digital Security\Blink\IEMimeFilter.dll
    O20 - AppInit_DLLs: zsuuma.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: eEye Blink Engine (blinksvc) - eEye Digital Security - C:\Program Files\eEye Digital Security\Blink\blinksvc.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
    O23 - Service: eEye Application Bus (eeyeevnt) - eEye Digital Security - C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\omtsreco.exe
    O23 - Service: OracleServiceXE - Oracle Corporation - c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
    O23 - Service: OracleXEClrAgent - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe
    O23 - Service: OracleXETNSListener - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
    O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
    O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
    O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
    O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

    --
    End of file - 17491 bytes
    Last edited by Shaba; 2008-11-14 at 10:51. Reason: changed font

  2. #2 Shaba (Emeritus) - Join Date: Oct 2006 - Location: Finland - Posts: 29,644

    Hi bobsterco

    Rename HijackThis.exe to bobsterco.exe and post back a fresh HijackThis log, please
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3 Junior Member - Join Date: Nov 2008 - Posts: 16

    Clarifying Details

    Will comply as requested.

    By the way...

    In case you think that the malware is hiding from HJT, I have been running Spybot with 12-Nov defs. It cleans, sets boot time cleaner, but the malware returns on next reboot.

    I believe the log I posted might have been after a Spybot run but before the next reboot.

    Will rename hjt as requested and be sure to run it after a reboot so that the malware takes its opportunity to come back.

  4. #4 Shaba (Emeritus) - Join Date: Oct 2006 - Location: Finland - Posts: 29,644

    Yes, I am pretty sure that malware hides from HJT.

    The behavior you described is characteristic of a virtumonde/vundo infection.

    So please rename HijackThis.exe and post back a fresh HijackThis log afterwards.

  5. #5 Junior Member - Join Date: Nov 2008 - Posts: 16

    HJT Log after reboot & rename

    FYI: I am keeping the PC OFF the network (wireless antenna unplugged) until a clean bill of health is received here.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:50:32 AM, on 11/15/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\eEye Digital Security\Blink\blinksvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
    C:\Program Files\CDBurnerXP\NMSAccessU.exe
    C:\Program Files\Sandboxie\SbieSvc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\Program Files\UltraVNC\WinVNC.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\VMware\VMware Player\vmware-authd.exe
    C:\WINDOWS\system32\vmnetdhcp.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Multimedia Card Reader\shwiconem.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\StartupMonitor.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\VMware\VMware Player\hqtray.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\Program Files\Replay7\ReplayAV.exe
    C:\Program Files\Sandboxie\SbieCtrl.exe
    C:\Program Files\PC Magazine Utilities\SurfSpeed 2\SurfSpeed.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Common Files\11 News ALERT\TrueWeather.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Process Explorer\procexp.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\AutoHotkey\AutoHotkey.exe
    C:\Program Files\Dropbox\Dropbox.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AutoHotkey\AutoHotkey.exe
    C:\Program Files\MagicDisc\MagicDisc.exe
    C:\Program Files\AutoHotkey\AutoHotkey.exe
    C:\Program Files\AutoHotkey\AutoHotkey.exe
    C:\Program Files\TaskbarPP\TaskbarPP.exe
    C:\Program Files\trayit!_3.1.2.2\TrayIt!.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Trend Micro\HijackThis\bobsterco.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/index.jsp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=www-proxy.us.oracle.com:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.oracle.com; *.oraclecorp.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O1 - Hosts: 141.121.96.115 srfs4 #PRE
    O1 - Hosts: 141.121.53.99 screamer #PRE
    O1 - Hosts: ;127.0.0.1 banners.wunderground.com
    O1 - Hosts: ; 127.0.0.1 rmads.eu.msn.com
    O2 - BHO: (no name) - {4167E2C2-67FD-4E7E-823D-481B5BBDCEF7} - C:\WINDOWS\system32\rqRKBRkL.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {8BE27FD8-49C8-4CB5-8C00-EB357E19779D} - C:\WINDOWS\system32\vtUonllL.dll
    O2 - BHO: {35d93c28-a5c2-60ab-9354-f0bc4f831dd8} - {8dd138f4-cb0f-4539-ba06-2c5a82c39d53} - C:\WINDOWS\system32\zsuuma.dll
    O2 - BHO: (no name) - {9E91EF7B-6846-45C3-A8AB-67CF7C900783} - C:\WINDOWS\system32\urqPghfG.dll
    O2 - BHO: netupbanner browser enhancer - {DF775C49-6356-D2C6-0C37-7F4386E1FD30} - C:\WINDOWS\system32\pjfucelgepphr.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O3 - Toolbar: Adelphia Toolbar - {E5E2F8B2-79A4-495C-8581-90BA2C845CC2} - C:\Program Files\Adelphia Toolbar\Adelphia.dll (file missing)
    O3 - Toolbar: Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1042715665.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Multimedia Card Reader\shwiconem.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\RunServices: [Microsoft Lsass Service] wintcp32.exe
    O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [Replay AV] "C:\Program Files\Replay7\ReplayAV.exe" -quiet
    O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
    O4 - HKCU\..\Run: [PCMagSurfSpeed2] "C:\Program Files\PC Magazine Utilities\SurfSpeed 2\SurfSpeed.exe" /m
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKLM\..\Policies\Explorer\Run: [Lsass Service] C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\lsass.exe
    O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: AutorunsDisabled
    O4 - Startup: DblRight.lnk = C:\Documents and Settings\Owner\My Documents\AHK Scripts\DblRight.ahk
    O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\Dropbox.exe
    O4 - Startup: FileFullPath.lnk = C:\Documents and Settings\Owner\My Documents\AHK Scripts\FileFullPath.ahk
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O4 - Startup: Mouse2Type.lnk = C:\Documents and Settings\Owner\My Documents\AHK Scripts\Mouse2Type.ahk
    O4 - Startup: Mouse_button45_macros.lnk = C:\Program Files\Logitech\SetPoint\uberOptions\Mouse_button45_macros.ahk
    O4 - Startup: Taskbar++.lnk = C:\Program Files\TaskbarPP\TaskbarPP.exe
    O4 - Startup: TrayIt!.lnk = C:\Program Files\trayit!_3.1.2.2\TrayIt!.exe
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    O4 - Global Startup: 11 News ALERT.lnk = C:\Program Files\Common Files\11 News ALERT\TrueWeather.exe
    O4 - Global Startup: Logitech SetPoint.lnk = ?
    O4 - Global Startup: Process Explorer.lnk = C:\Program Files\Process Explorer\procexp.exe
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
    O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
    O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
    O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
    O8 - Extra context menu item: BugMeNot - C:\Program Files\Maxthon\Plugin\BugMeNot4Maxthon\BugMeNot4Maxthon.html
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Identities Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
    O8 - Extra context menu item: Note this (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1042715665.dll/gn_menu1.html
    O8 - Extra context menu item: Note this item (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1042715665.dll/gn_menu2.html
    O8 - Extra context menu item: Passcards Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
    O9 - Extra 'Tools' menuitem: &Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
    O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
    O9 - Extra button: Adelphia Toolbar - {E5E2F8B2-79A4-495C-8581-90BA2C845CC2} - C:\Program Files\Adelphia Toolbar\Adelphia.dll (file missing)
    O9 - Extra 'Tools' menuitem: Adelphia Toolbar - {E5E2F8B2-79A4-495C-8581-90BA2C845CC2} - C:\Program Files\Adelphia Toolbar\Adelphia.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net/
    O16 - DPF: {0006F063-0000-0000-C000-000000000046} (Microsoft Outlook View Control) - http://activex.microsoft.com/activex...e/outlctlx.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {399CB6C4-7312-11D2-B4D9-00105A0422DF} (HHComponentActivator Class) - http://activex.microsoft.com/objects/ocget.dll
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://www.viidoo.tv/TVUAx.dll
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource...scbase7617.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1073287747703
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/5...l/gtdownls.cab
    O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/b...ploader_v6.cab
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://www.twcable.com/dana-cached/...erSetupSP1.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup162.cab
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Filter hijack: text/html - {72D50253-BE71-4c85-9B38-6331E5AD1499} - C:\Program Files\eEye Digital Security\Blink\IEMimeFilter.dll
    O20 - AppInit_DLLs: zsuuma.dll
    O20 - Winlogon Notify: urqPghfG - C:\WINDOWS\SYSTEM32\urqPghfG.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: eEye Blink Engine (blinksvc) - eEye Digital Security - C:\Program Files\eEye Digital Security\Blink\blinksvc.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
    O23 - Service: eEye Application Bus (eeyeevnt) - eEye Digital Security - C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\omtsreco.exe
    O23 - Service: OracleServiceXE - Oracle Corporation - c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
    O23 - Service: OracleXEClrAgent - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe
    O23 - Service: OracleXETNSListener - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
    O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
    O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
    O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
    O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

    --
    End of file - 18196 bytes
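
    The HijackThis log above is what the helper reads before deciding on the next step. As an added example (not part of this thread, and not HijackThis or Trend Micro code), the script below triages HijackThis-style lines for the persistence points a Vundo/Virtumonde infection abuses: O20 AppInit_DLLs and Winlogon Notify entries, random eight-letter mixed-case DLL names such as urqPghfG.dll, orphaned "(file missing)" entries, O16 ActiveX downloads from non-Microsoft hosts, O18 MIME filters, and services with no publisher string. The sample log is constructed from entries in the posted log; the severity labels, the trusted-host list and the random-name heuristic are the author's assumptions, not anything HijackThis itself outputs.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample, mirroring entries from the HijackThis log posted above.
SAMPLE_LOG = r"""
O9 - Extra button: Adelphia Toolbar - {E5E2F8B2-79A4-495C-8581-90BA2C845CC2} - C:\Program Files\Adelphia Toolbar\Adelphia.dll (file missing)
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://www.viidoo.tv/TVUAx.dll
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {399CB6C4-7312-11D2-B4D9-00105A0422DF} (HHComponentActivator Class) - http://activex.microsoft.com/objects/ocget.dll
O18 - Filter hijack: text/html - {72D50253-BE71-4c85-9B38-6331E5AD1499} - C:\Program Files\eEye Digital Security\Blink\IEMimeFilter.dll
O20 - AppInit_DLLs: zsuuma.dll
O20 - Winlogon Notify: urqPghfG - C:\WINDOWS\SYSTEM32\urqPghfG.dll
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
"""

# Assumed allow-list for O16 download sources; exact host or a subdomain of it.
TRUSTED_HOSTS = ("microsoft.com", "windowsupdate.com")
# O16 line: "O16 - DPF: {CLSID} (optional name) - <target or nothing>"
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\}(?: \([^)]*\))? -\s*(.*)$")
# Exactly eight letters right before ".dll", not preceded by another letter/digit.
DLL_RE = re.compile(r"(?<![A-Za-z0-9])([A-Za-z]{8})\.dll\b", re.I)


def looks_random(stem: str) -> bool:
    """Heuristic for Vundo's generated names (urqPghfG, vtUonllL, cbXNFust):
    eight letters with a capital somewhere after the first one. 'Adelphia' or
    'yhexbmes' do not qualify. This is an assumption, not a vendor signature."""
    return len(stem) == 8 and stem.isalpha() and any(c.isupper() for c in stem[1:])


def trusted_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_HOSTS)


def triage_line(line: str) -> List[Dict[str, str]]:
    """Return zero or more findings for a single HijackThis line."""
    line = line.strip()
    hits: List[Dict[str, str]] = []
    if not line:
        return hits
    kind = line.split(" - ", 1)[0]  # "O20", "O23", ...

    def hit(rule: str, severity: str) -> None:
        hits.append({"severity": severity, "rule": rule, "line": line})

    if kind == "O20":
        hit("O20 AppInit_DLLs / Winlogon Notify: DLL injected into every process or into winlogon", "high")
    if "(file missing)" in line:
        hit("orphaned entry, target file is missing", "low")
    if kind == "O23" and "Unknown owner" in line:
        hit("service with no publisher string, verify the binary", "low")
    if kind == "O18" and "Filter hijack" in line:
        hit("O18 MIME filter installed, verify the owning product", "low")
    m = O16_RE.match(line)
    if m:
        target = m.group(1)
        if not target:
            hit("O16 ActiveX entry with no download source", "medium")
        elif target.lower().startswith("http"):
            host = (urlparse(target).hostname or "").lower()
            if not trusted_host(host):
                hit(f"O16 ActiveX control downloaded from third-party host {host}", "medium")
    for dm in DLL_RE.finditer(line):
        if looks_random(dm.group(1)):
            hit(f"random-looking DLL name {dm.group(1)}.dll (Vundo pattern)", "high")
    return hits


def triage(log_text: str) -> List[Dict[str, str]]:
    return [h for ln in log_text.splitlines() for h in triage_line(ln)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:<6}] {f['rule']}\n         {f['line']}")
```

    This is a triage aid, not a verdict: the eEye Blink MIME filter and the CDBurnerXP service are flagged only for verification, and the name heuristic would miss a six-letter name like zsuuma.dll, which is caught here only because it sits in AppInit_DLLs.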

  6. #6
    Emeritus Shaba
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,644

    Default

    Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
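
    The post above asks for C:\ComboFix.txt; the ComboFix log posted later in this thread shows what that file contains. As an added example, not from the thread and not ComboFix's own code, the script below walks a constructed fragment modelled on that log and reports the things a responder should act on once the malware entries are gone: hidden+system DLLs with Vundo-style random names in the "Files Created" list, a populated AppInit_DLLs value, Drivers32 hooks that name a bare DLL (resolved through the DLL search path, and in the posted log also shown under "DLLs Loaded Under Running Processes" inside winlogon.exe and lsass.exe), the Windows Firewall switched off, and ports such as 5910 (labelled vnc in the log) and 3389 (Remote Desktop) opened to every inbound host. Severity labels are the author's; the Drivers32 hits mean "verify the owner", not "malicious", since an audio driver package can legitimately register them.

```python
import re
from typing import List, Tuple

# Constructed fragment, modelled on the ComboFix.txt posted in this thread.
SAMPLE = r"""
(((((( Files Created from 2008-10-16 to 2008-11-16 ))))))
2008-11-12 23:22 . 2008-11-12 23:22 60,928 --ahs---- c:\windows\system32\cbXNFust.dll
2008-11-11 08:24 . 2008-11-11 08:24 1,049,968 --a------ c:\windows\system32\elic.dll
2008-11-09 02:15 . 2008-11-09 02:15 <DIR> d-------- c:\windows\system32\svm
.
(((((( Reg Loading Points ))))))
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=zsuuma.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"wave2"= vacumd.dll
"mixer1"= vacumd.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5910:TCP"= 5910:TCP:bobsxp vnc
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

# "name"= value   (ComboFix prints registry values in REGEDIT4-like form)
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# "created . modified size attributes path" as printed in the Files Created block
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \S+ \S+ \S+ (?P<attr>[-a-z]{9}) (?P<path>.+)$"
)
Finding = Tuple[str, str]  # (severity, message)


def random_vundo_name(path: str) -> bool:
    """Eight-letter .dll with a capital after the first letter (cbXNFust, ddcDwtrs).
    Heuristic assumed by the author, not a published signature."""
    name = path.rsplit("\\", 1)[-1]
    stem, _, ext = name.rpartition(".")
    return ext.lower() == "dll" and len(stem) == 8 and stem.isalpha() and any(c.isupper() for c in stem[1:])


def triage_combofix(text: str) -> List[Finding]:
    """Scan the Files Created and Reg Loading Points sections; return findings."""
    findings: List[Finding] = []
    key = ""  # registry key currently being listed, lower-cased
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = CREATED_RE.match(line)
        if m:
            attr, path = m.group("attr"), m.group("path")
            if "h" in attr and "s" in attr and random_vundo_name(path):
                findings.append(("high", f"hidden+system DLL with random name: {path}"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if key.endswith(r"firewallpolicy\standardprofile") and name == "EnableFirewall" and value.startswith("0"):
            findings.append(("high", "Windows Firewall is disabled for the standard profile"))
        elif key.endswith(r"globallyopenports\list"):
            findings.append(("medium", f"port {name} is open to all inbound hosts: {value}"))
        elif key.endswith("drivers32") and "\\" not in value:
            # A bare filename is resolved through the DLL search path by every
            # process that initialises the audio subsystem; verify who owns it.
            findings.append(("medium", f"Drivers32 {name} names bare DLL {value}; verify its owner"))
        elif key.endswith(r"currentversion\windows") and name == "AppInit_DLLs" and value:
            findings.append(("high", f"AppInit_DLLs loads {value} into every user32-linked process"))
    return findings


if __name__ == "__main__":
    for severity, message in triage_combofix(SAMPLE):
        print(f"[{severity:<6}] {message}")
```

    On the posted log this would leave three high findings (cbXNFust.dll-style drops, AppInit_DLLs, firewall off) and the open VNC and RDP ports to act on; the open ports are a design decision rather than malware, but with the firewall disabled the port list is moot until EnableFirewall is set back to 1.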

  7. #7
    Junior Member
    Join Date
    Nov 2008
    Posts
    16

    Default ComboFix & Post-Fix HJT Logs

    ComboFix 08-11-14.01 - Owner 2008-11-16 7:56:33.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.858 [GMT -7:00]
    Running from: D:\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\Owner\Application Data\gadcom
    c:\documents and settings\Owner\Application Data\gadcom\gadcom.exe
    c:\documents and settings\Owner\Local Settings\Temporary Internet Files\fbk.sts
    c:\windows\Downloaded Program Files\setup.inf
    c:\windows\IA
    c:\windows\IA\asappsrv.dll
    c:\windows\IA\command.exe
    c:\windows\IA\KE.vbs
    c:\windows\IE4 Error Log.txt
    c:\windows\system32\kregpefc.dll
    c:\windows\system32\LllnoUtv.ini
    c:\windows\system32\LllnoUtv.ini2
    c:\windows\system32\mbgnknem.dll
    c:\windows\system32\mdm.exe
    c:\windows\system32\MSINET.oca
    c:\windows\system32\pac.txt
    c:\windows\system32\u2
    c:\windows\system32\u2\BMAE3ak.exe
    c:\windows\system32\urqPghfG.dll
    c:\windows\system32\vtUonllL.dll
    c:\windows\system32\winsusrm.dll
    c:\windows\system32\winsusrx.dll
    c:\windows\system32\zsuuma.dll
    c:\windows\Tasks\fivjnadv.job
    c:\windows\Tasks\hhwjlkyy.job
    c:\windows\Tasks\rlmvvhmh.job
    c:\windows\Tasks\twhlgzlu.job
    c:\windows\Tasks\zzjpehos.job
    c:\windows\Temp\tmp3.tmp

    ----- BITS: Possible infected sites -----

    hxxp://77.74.48.101
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_CMDSERVICE
    -------\Legacy_NETWORK_MONITOR
    -------\Service_TnIDriver


    ((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
    .

    2008-11-15 04:42 . 2008-11-16 08:13 <DIR> d-------- c:\windows\5374-8831-2029-7643-5722
    2008-11-13 01:10 . 2008-11-13 01:10 <DIR> d-------- c:\documents and settings\Owner\Application Data\Canneverbe_Limited
    2008-11-13 01:02 . 2008-11-13 01:02 <DIR> d-------- c:\program files\Trend Micro
    2008-11-13 01:01 . 2008-11-13 01:01 <DIR> d-------- c:\program files\CDBurnerXP
    2008-11-12 23:22 . 2008-11-12 23:22 60,928 --ahs---- c:\windows\system32\cbXNFust.dll
    2008-11-12 22:34 . 2008-11-12 22:34 60,928 --ahs---- c:\windows\system32\ddcDwtrs.dll
    2008-11-12 07:54 . 2008-11-12 07:54 60,928 --ahs---- c:\windows\system32\xxyaxWQI.dll
    2008-11-12 07:02 . 2008-11-12 07:02 60,928 --ahs---- c:\windows\system32\urqNDSIx.dll
    2008-11-12 00:41 . 2008-11-12 00:42 <DIR> d-------- C:\Spybot - Search & Destroy
    2008-11-11 23:51 . 2008-11-13 00:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-11 08:24 . 2008-11-11 08:24 1,049,968 --a------ c:\windows\system32\elic.dll
    2008-11-11 08:24 . 2008-11-11 08:24 284,016 --a------ c:\windows\system32\DebugRpt.dll
    2008-11-11 08:24 . 2008-11-11 08:24 193,904 --a------ c:\windows\system32\LocalStorage.dll
    2008-11-11 07:14 . 2008-11-11 07:14 1,409 --a------ c:\windows\QTFont.for
    2008-11-11 07:13 . 2008-11-16 08:16 54,156 --ah----- c:\windows\QTFont.qfn
    2008-11-09 02:20 . 2008-11-09 02:34 1,241 --ahs---- c:\windows\system32\LkRBKRqr.ini
    2008-11-09 02:15 . 2008-11-09 02:15 <DIR> d-------- c:\windows\system32\svm
    2008-11-09 02:15 . 2008-11-09 02:15 <DIR> d-------- c:\windows\system32\prt
    2008-11-09 02:15 . 2008-11-09 02:15 <DIR> d-------- c:\windows\system32\db
    2008-11-09 02:15 . 2008-11-09 02:15 <DIR> d-------- c:\windows\system32\AX5
    2008-11-09 02:15 . 2008-11-09 02:15 <DIR> d-------- c:\documents and settings\Owner\Application Data\NI.GSCNS
    2008-11-09 02:15 . 2008-11-09 02:15 79,094 --a------ c:\windows\system32\huuqyhtqbku.exe
    2008-11-09 02:14 . 2008-11-09 02:14 <DIR> d-------- c:\windows\system32\sX3i19
    2008-11-09 02:14 . 2008-11-09 02:14 <DIR> d-------- c:\temp\PRE45
    2008-11-09 02:14 . 2008-11-11 02:14 <DIR> d-------- C:\Temp
    2008-11-09 02:14 . 2008-11-09 02:14 507,250 --a------ c:\temp\cnsP744.exe
    2008-11-09 02:14 . 2008-11-09 02:14 60,928 --ahs---- c:\windows\system32\ljJDSKbC.dll
    2008-11-09 02:14 . 2008-11-09 02:14 34,816 --a------ c:\windows\system32\prun.exe
    2008-10-18 18:15 . 2008-10-19 20:27 <DIR> d-------- c:\program files\Dropbox
    2008-10-18 18:15 . 2008-11-15 04:45 <DIR> d-------- c:\documents and settings\Owner\Application Data\Dropbox

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-16 15:16 --------- d-----w c:\program files\Replay7
    2008-11-16 15:13 --------- d-----w c:\documents and settings\LocalService\Application Data\VMware
    2008-11-16 15:13 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
    2008-11-09 09:15 --------- d-----w c:\program files\FirefoxPortable
    2008-11-09 02:16 --------- d--h--w c:\documents and settings\Owner\Application Data\Move Networks
    2008-11-03 07:47 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
    2008-11-02 22:07 --------- d-----w c:\program files\Google
    2008-10-11 18:13 --------- d-----w c:\documents and settings\Owner\Application Data\VMware
    2008-10-11 09:08 95,352 ----a-w c:\windows\system32\drivers\eeyehv64.sys
    2008-10-11 09:08 92,016 ----a-w c:\windows\system32\drivers\eeyeh.sys
    2008-10-11 09:08 76,920 ----a-w c:\windows\system32\drivers\eeyehv.sys
    2008-10-11 09:08 70,000 ----a-w c:\windows\system32\drivers\eeyet.sys
    2008-10-11 09:08 59,000 ----a-w c:\windows\system32\drivers\eeyetv64.sys
    2008-10-11 09:08 52,592 ----a-w c:\windows\system32\drivers\eeyen.sys
    2008-10-11 09:08 50,296 ----a-w c:\windows\system32\drivers\eeyenv64.sys
    2008-10-11 09:08 47,736 ----a-w c:\windows\system32\drivers\eeyetv.sys
    2008-10-11 09:08 42,104 ----a-w c:\windows\system32\drivers\eeyenv.sys
    2008-10-02 13:44 --------- d-----w c:\documents and settings\Owner\Application Data\PC Magazine Utilities
    2008-10-02 13:43 --------- d-----w c:\program files\PC Magazine Utilities
    1998-12-09 02:53 99,840 ----a-w c:\program files\Common Files\IRAABOUT.DLL
    1998-12-09 02:53 70,144 ----a-w c:\program files\Common Files\IRAMDMTR.DLL
    1998-12-09 02:53 48,640 ----a-w c:\program files\Common Files\IRALPTTR.DLL
    1998-12-09 02:53 31,744 ----a-w c:\program files\Common Files\IRAWEBTR.DLL
    1998-12-09 02:53 186,368 ----a-w c:\program files\Common Files\IRAREG.DLL
    1998-12-09 02:53 17,920 ----a-w c:\program files\Common Files\IRASRIAL.DLL
    2006-05-06 16:42 7,260,160 ----a-w c:\program files\mozilla firefox\plugins\libvlc.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF775C49-6356-D2C6-0C37-7F4386E1FD30}]
    2008-10-14 08:40 171520 --a------ c:\windows\system32\pjfucelgepphr.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2008-09-07 00:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2008-09-07 00:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2008-09-07 00:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TClockEx"="c:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088]
    "NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-09-16 1961984]
    "Replay AV"="c:\program files\Replay7\ReplayAV.exe" [2006-03-27 1437696]
    "SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2008-09-02 716800]
    "PCMagSurfSpeed2"="c:\program files\PC Magazine Utilities\SurfSpeed 2\SurfSpeed.exe" [2008-05-23 3122688]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-10-25 160592]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
    "SunKistEM"="c:\program files\Multimedia Card Reader\shwiconem.exe" [2004-11-23 135168]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
    "WinVNC"="c:\program files\UltraVNC\WinVNC.exe" [2005-08-06 974848]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-07 267064]
    "VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2008-08-08 55856]
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
    "VTTimer"="VTTimer.exe" [2005-05-25 c:\windows\system32\VTTimer.exe]
    "VTTrayp"="VTtrayp.exe" [2005-05-25 c:\windows\system32\VTTrayp.exe]
    "SoundMan"="SOUNDMAN.EXE" [2005-05-25 c:\windows\SOUNDMAN.EXE]
    "Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 c:\windows\StartupMonitor.exe]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 c:\windows\KHALMNPR.Exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-10-25 160592]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2004-08-04 c:\windows\system32\narrator.exe]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    DblRight.lnk - c:\documents and settings\Owner\My Documents\AHK Scripts\DblRight.ahk [2007-03-14 345]
    Dropbox.lnk - c:\program files\Dropbox\Dropbox.exe [2008-09-26 24096981]
    FileFullPath.lnk - c:\documents and settings\Owner\My Documents\AHK Scripts\FileFullPath.ahk [2007-03-14 1608]
    MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2007-02-17 534016]
    Mouse2Type.lnk - c:\documents and settings\Owner\My Documents\AHK Scripts\Mouse2Type.ahk [2007-03-14 679]
    Mouse_button45_macros.lnk - c:\program files\Logitech\SetPoint\uberOptions\Mouse_button45_macros.ahk [2005-11-08 2247]
    Taskbar++.lnk - c:\program files\TaskbarPP\TaskbarPP.exe [2007-02-17 163840]
    TrayIt!.lnk - c:\program files\trayit!_3.1.2.2\TrayIt!.exe [2005-09-02 147456]
    Yahoo! Widget Engine.lnk - c:\program files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 2913584]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\AutorunsDisabled
    Yahoo! Desktop Search System Tray.lnk - c:\program files\Yahoo!\Yahoo! Desktop Search\YDSsystray.exe [2005-12-13 331264]
    Yahoo! Desktop Search.lnk - c:\program files\Yahoo!\Yahoo! Desktop Search\YahooDesktopSearch.exe [2005-12-13 10684144]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    11 News ALERT.lnk - c:\program files\Common Files\11 News ALERT\TrueWeather.exe [2005-12-07 5786112]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-03-03 671744]
    Process Explorer.lnk - c:\program files\Process Explorer\procexp.exe [2007-11-05 3564584]
    Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2006-10-19 110080]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-10-19 293888]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=zsuuma.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
    "wave2"= vacumd.dll
    "mixer1"= vacumd.dll
    "vidc.ffds"= c:\program files\ffdshow\ffdshow.ax

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Common Files\\11 News ALERT\\TrueWeather.exe"=
    "c:\\Program Files\\NetMeeting\\conf.exe"=
    "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
    "c:\\Program Files\\Maxthon\\Maxthon.exe"=
    "c:\\Program Files\\Download Express\\dep.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\uTorrent\\utorrent.exe"=
    "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
    "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "c:\\Documents and Settings\\Owner\\Desktop\\hfs.exe"=
    "c:\\Program Files\\Replay7\\Tuner.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "c:\\Program Files\\Replay7\\ReplayAV.exe"=
    "c:\\Program Files\\UltraVNC\\winvnc.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Common Files\\eEye Digital Security\\Application Bus\\eeyeevnt.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5910:TCP"= 5910:TCP:bobsxp vnc
    "5810:TCP"= 5810:TCP:bobsxp jvnc
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundTimestampRequest"= 1 (0x1)
    "AllowInboundMaskRequest"= 1 (0x1)
    "AllowInboundRouterRequest"= 1 (0x1)
    "AllowOutboundDestinationUnreachable"= 1 (0x1)
    "AllowOutboundSourceQuench"= 1 (0x1)
    "AllowOutboundParameterProblem"= 1 (0x1)
    "AllowOutboundTimeExceeded"= 1 (0x1)
    "AllowRedirect"= 1 (0x1)
    "AllowOutboundPacketTooBig"= 1 (0x1)

    R0 eeyen;eEye NDIS driver;c:\windows\system32\Drivers\eeyen.sys [2008-10-11 52592]
    R1 eeyeh;eEye API driver;c:\windows\system32\drivers\eeyeh.sys [2008-10-11 92016]
    R1 eeyet;eEye TDI driver;c:\windows\system32\Drivers\eeyet.sys [2008-10-11 70000]
    R1 VirtualAudioCable;Virtual Audio Cable;c:\windows\system32\drivers\vackmd.sys [2006-01-30 14336]
    R2 blinksvc;eEye Blink Engine;"c:\program files\eEye Digital Security\Blink\blinksvc.exe" [2008-10-11 169416]
    R2 ndiskio;eEye DirectDisk Access Driver;c:\windows\system32\Drivers\ndiskio.sys [2008-06-20 20448]
    R2 vnccom;vnccom;c:\windows\system32\Drivers\vnccom.SYS [2006-01-28 6016]
    R3 SbieDrv;SbieDrv;\??\c:\program files\Sandboxie\SbieDrv.sys [2008-09-02 100352]
    S2 LxrSII1d;Secure II Driver;\??\c:\windows\system32\Drivers\LxrSII1d.sys []
    S3 APLMp50;APLMp50 NDIS Protocol Driver;c:\windows\system32\Drivers\APLMp50.sys [2005-10-27 18816]
    S3 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE []
    S3 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe [2006-02-01 204800]
    S3 RET55;RET55 NDIS Protocol Driver;\??\c:\program files\eEye Digital Security\Blink\Scanner\Scanner\RET55.sys [2008-01-20 25712]
    S3 RIOUNIV;Rio universal USB driver;c:\windows\system32\Drivers\RIOUNIV.sys [2005-12-04 16128]
    S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\T]
    \Shell\AutoRun\command - T:\Autorun.exe /run
    \Shell\Shell00\Command - T:\Autorun.exe /run
    \Shell\Shell01\Command - T:\Autorun.exe /action
    \Shell\Shell02\Command - T:\Autorun.exe /uninstall
    \Shell\Shell03\Command - pstart.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{15054dbf-fc8b-11da-ace9-0012178c535f}]
    \Shell\AutoRun\command - u:\autostart\AutoStart.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{15054dc9-fc8b-11da-ace9-0012178c535f}]
    \Shell\AutoRun\command - r:\jdlightning\Windows\JDLightning.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{15054dcc-fc8b-11da-ace9-0012178c535f}]
    \Shell\AutoRun\command - t:\ceedo\PROGRA~1\PStart\PStart.exe

    *Newly Created Service* - GTNDIS5
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-15 c:\windows\Tasks\Good Sync bobsxp to bobsipod.job
    - c:\program files\Siber Systems\Good Sync\bin\syncappw.exe [2006-06-29 11:16]

    2008-11-16 c:\windows\Tasks\Good Sync bs3485p to bobsxp.job
    - c:\program files\Siber Systems\Good Sync\bin\syncappw.exe [2006-06-29 11:16]

    2008-11-15 c:\windows\Tasks\Good Sync_{4086D29820A63056E4910643F6A6DF9C}.job
    - c:\program files\Siber Systems\Good Sync\bin\syncappw.exe [2006-06-29 11:16]

    2006-03-18 c:\windows\Tasks\Good Sync_{4FE4C7F978C630B15AC4C9507EBCBA95}.job
    - c:\program files\Siber Systems\Good Sync\bin\syncappw.exe [2006-06-29 11:16]

    2007-05-20 c:\windows\Tasks\Symantec NetDetect.job
    - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-07-19 17:26]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{4167E2C2-67FD-4E7E-823D-481B5BBDCEF7} - c:\windows\system32\rqRKBRkL.dll
    BHO-{8BE27FD8-49C8-4CB5-8C00-EB357E19779D} - c:\windows\system32\vtUonllL.dll
    BHO-{8dd138f4-cb0f-4539-ba06-2c5a82c39d53} - c:\windows\system32\zsuuma.dll
    BHO-{9E91EF7B-6846-45C3-A8AB-67CF7C900783} - c:\windows\system32\urqPghfG.dll
    HKLM-Run-DU Meter - c:\program files\DU Meter\DUMeter.exe
    HKLM-RunServices-Microsoft Lsass Service - wintcp32.exe
    HKLM-Explorer_Run-Lsass Service - c:\documents and settings\Owner\Application Data\Microsoft\Windows\lsass.exe
    ShellExecuteHooks-{0cab0400-7395-11d0-a5e5-0020afe2fdd9} - qvphook.dll
    ShellExecuteHooks-{9E91EF7B-6846-45C3-A8AB-67CF7C900783} - c:\windows\system32\urqPghfG.dll
    MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
    MSConfigStartUp-IS CfgWiz - c:\program files\Norton Internet Security\cfgwiz.exe
    MSConfigStartUp-SSC_UserPrompt - c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    MSConfigStartUp-URLLSTCK - c:\program files\Norton Internet Security\UrlLstCk.exe


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\bwccci23.default\
    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://my.myway.com/index.jsp
    FF -: plugin - c:\program files\FirefoxPortable\App\firefox\plugins\npnul32.dll
    FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
    FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
    FF -: plugin - c:\program files\Virtual Earth 3D\npVE3D.dll
    .
    .
    ------- File Associations -------
    .
    inffile\shell\install\command=%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-16 08:14:04
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Lsass Service = c:\documents and settings\Owner\Application Data\Microsoft\Windows\lsass.exe??4???????4?????????????????????????P?P???P???@????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: c:\windows\system32\winlogon.exe
    -> c:\windows\system32\vacumd.dll

    PROCESS: c:\windows\system32\lsass.exe
    -> c:\windows\system32\vacumd.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\eEye Digital Security\Blink\blinkrm.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Executive Software\DiskeeperLite\DKService.exe
    c:\program files\CDBurnerXP\NMSAccessU.exe
    c:\program files\Sandboxie\SbieSvc.exe
    c:\program files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    c:\windows\system32\vmnat.exe
    c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
    c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
    c:\windows\system32\searchindexer.exe
    c:\program files\Common Files\eEye Digital Security\Application Bus\EEYEEVNT.exe
    c:\program files\VMware\VMware Player\vmware-authd.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\vmnetdhcp.exe
    c:\windows\system32\searchprotocolhost.exe
    c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.exe
    c:\program files\AutoHotkey\AutoHotkey.exe
    c:\program files\AutoHotkey\AutoHotkey.exe
    c:\program files\AutoHotkey\AutoHotkey.exe
    c:\program files\AutoHotkey\AutoHotkey.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\searchfilterhost.exe
    .
    **************************************************************************
    .
    Completion time: 2008-11-16 8:41:41 - machine was rebooted [Owner]
    ComboFix-quarantined-files.txt 2008-11-16 15:41:16

    Pre-Run: 51,320,020,992 bytes free
    Post-Run: 51,449,765,888 bytes free

    342 --- E O F --- 2008-10-25 09:01:19

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:40:22 PM, on 11/16/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\eEye Digital Security\Blink\blinksvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
    C:\Program Files\CDBurnerXP\NMSAccessU.exe
    C:\Program Files\Sandboxie\SbieSvc.exe
    C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\Program Files\UltraVNC\WinVNC.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
    C:\Program Files\VMware\VMware Player\vmware-authd.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\vmnetdhcp.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Multimedia Card Reader\shwiconem.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\StartupMonitor.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\VMware\VMware Player\hqtray.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\Program Files\Replay7\ReplayAV.exe
    C:\Program Files\Sandboxie\SbieCtrl.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\PC Magazine Utilities\SurfSpeed 2\SurfSpeed.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Common Files\11 News ALERT\TrueWeather.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Process Explorer\procexp.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\AutoHotkey\AutoHotkey.exe
    C:\Program Files\Dropbox\Dropbox.exe
    C:\Program Files\AutoHotkey\AutoHotkey.exe
    C:\Program Files\MagicDisc\MagicDisc.exe
    C:\Program Files\AutoHotkey\AutoHotkey.exe
    C:\Program Files\AutoHotkey\AutoHotkey.exe
    C:\Program Files\TaskbarPP\TaskbarPP.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\trayit!_3.1.2.2\TrayIt!.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\CDBurnerXP\cdbxpp.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Program Files\Trend Micro\HijackThis\bobsterco.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/index.jsp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=www-proxy.us.oracle.com:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.oracle.com; *.oraclecorp.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: netupbanner browser enhancer - {DF775C49-6356-D2C6-0C37-7F4386E1FD30} - C:\WINDOWS\system32\pjfucelgepphr.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O3 - Toolbar: Adelphia Toolbar - {E5E2F8B2-79A4-495C-8581-90BA2C845CC2} - C:\Program Files\Adelphia Toolbar\Adelphia.dll (file missing)
    O3 - Toolbar: Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1042715665.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Multimedia Card Reader\shwiconem.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [Replay AV] "C:\Program Files\Replay7\ReplayAV.exe" -quiet
    O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
    O4 - HKCU\..\Run: [PCMagSurfSpeed2] "C:\Program Files\PC Magazine Utilities\SurfSpeed 2\SurfSpeed.exe" /m
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: AutorunsDisabled
    O4 - Startup: DblRight.lnk = C:\Documents and Settings\Owner\My Documents\AHK Scripts\DblRight.ahk
    O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\Dropbox.exe
    O4 - Startup: FileFullPath.lnk = C:\Documents and Settings\Owner\My Documents\AHK Scripts\FileFullPath.ahk
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O4 - Startup: Mouse2Type.lnk = C:\Documents and Settings\Owner\My Documents\AHK Scripts\Mouse2Type.ahk
    O4 - Startup: Mouse_button45_macros.lnk = C:\Program Files\Logitech\SetPoint\uberOptions\Mouse_button45_macros.ahk
    O4 - Startup: Taskbar++.lnk = C:\Program Files\TaskbarPP\TaskbarPP.exe
    O4 - Startup: TrayIt!.lnk = C:\Program Files\trayit!_3.1.2.2\TrayIt!.exe
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    O4 - Global Startup: 11 News ALERT.lnk = C:\Program Files\Common Files\11 News ALERT\TrueWeather.exe
    O4 - Global Startup: Logitech SetPoint.lnk = ?
    O4 - Global Startup: Process Explorer.lnk = C:\Program Files\Process Explorer\procexp.exe
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
    O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
    O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
    O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
    O8 - Extra context menu item: BugMeNot - C:\Program Files\Maxthon\Plugin\BugMeNot4Maxthon\BugMeNot4Maxthon.html
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Identities Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditIdent.html
    O8 - Extra context menu item: Note this (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1042715665.dll/gn_menu1.html
    O8 - Extra context menu item: Note this item (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1042715665.dll/gn_menu2.html
    O8 - Extra context menu item: Passcards Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPass.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
    O9 - Extra 'Tools' menuitem: &Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod4\v6\yhexbmes.dll
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
    O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\Program Files\EverNote\EverNote\enbar.dll
    O9 - Extra button: Adelphia Toolbar - {E5E2F8B2-79A4-495C-8581-90BA2C845CC2} - C:\Program Files\Adelphia Toolbar\Adelphia.dll (file missing)
    O9 - Extra 'Tools' menuitem: Adelphia Toolbar - {E5E2F8B2-79A4-495C-8581-90BA2C845CC2} - C:\Program Files\Adelphia Toolbar\Adelphia.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net/
    O16 - DPF: {0006F063-0000-0000-C000-000000000046} (Microsoft Outlook View Control) - http://activex.microsoft.com/activex...e/outlctlx.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {399CB6C4-7312-11D2-B4D9-00105A0422DF} (HHComponentActivator Class) - http://activex.microsoft.com/objects/ocget.dll
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://www.viidoo.tv/TVUAx.dll
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource...scbase7617.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1073287747703
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/5...l/gtdownls.cab
    O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://www.twcable.com/dana-cached/...erSetupSP1.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup162.cab
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Filter hijack: text/html - {72D50253-BE71-4c85-9B38-6331E5AD1499} - C:\Program Files\eEye Digital Security\Blink\IEMimeFilter.dll
    O20 - AppInit_DLLs: zsuuma.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: eEye Blink Engine (blinksvc) - eEye Digital Security - C:\Program Files\eEye Digital Security\Blink\blinksvc.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
    O23 - Service: eEye Application Bus (eeyeevnt) - eEye Digital Security - C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\omtsreco.exe
    O23 - Service: OracleServiceXE - Oracle Corporation - c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
    O23 - Service: OracleXEClrAgent - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\bin\OraClrAgnt.exe
    O23 - Service: OracleXETNSListener - Unknown owner - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
    O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
    O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
    O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
    O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

    --
    End of file - 16835 bytes
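
The log above is the kind of artefact a helper triages by eye; as an added example (not part of the original thread or of HijackThis itself), the script below parses HijackThis entry lines and flags the three patterns a reviewer looks for first: a populated O20 AppInit_DLLs entry, a BHO or toolbar loaded from system32 under a random-looking name, and orphaned entries marked "(file missing)" or "(no file)". The sample input is a handful of lines copied from the log posted above; the severity labels and the random-name heuristic are this example's own assumptions, not HijackThis output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input for this example: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/index.jsp
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: netupbanner browser enhancer - {DF775C49-6356-D2C6-0C37-7F4386E1FD30} - C:\WINDOWS\system32\pjfucelgepphr.dll
O3 - Toolbar: Adelphia Toolbar - {E5E2F8B2-79A4-495C-8581-90BA2C845CC2} - C:\Program Files\Adelphia Toolbar\Adelphia.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O20 - AppInit_DLLs: zsuuma.dll
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
"""

# Every HijackThis entry starts with a section code (R0..R3, F0..F3, N1..N4, O1..O24).
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
# First DLL or EXE path that appears in the entry text.
PATH_RE = re.compile(r"([A-Za-z]:\\[^\"]*?\.(?:dll|exe))", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    severity: str   # "high", "medium" or "low" (this example's own scale)
    reason: str
    raw: str


def looks_random(stem: str) -> bool:
    """Heuristic for machine-generated file names: all letters, 8+ characters,
    and either vowel-poor or containing a run of four or more consonants."""
    s = stem.lower()
    if len(s) < 8 or not s.isalpha():
        return False
    vowels = sum(c in "aeiouy" for c in s)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiouy]", s))
    return vowels / len(s) < 0.3 or longest_consonant_run >= 4


def triage_entry(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    # O20: each DLL listed in AppInit_DLLs is loaded into every process that maps
    # user32.dll, a persistence location abused by Virtumonde-family adware.
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value:
            return Finding(section, "high", f"AppInit_DLLs injects {value} system-wide", line)
    # O2/O3: a BHO or IE toolbar loaded from system32 under a random-looking name.
    if section in ("O2", "O3"):
        pm = PATH_RE.search(body)
        if pm:
            path = pm.group(1)
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if "\\system32\\" in path.lower() and looks_random(stem):
                return Finding(section, "medium", f"random-looking DLL in system32: {path}", line)
    # Orphaned entries: the registry reference survives but the file is gone.
    if "(file missing)" in body or "(no file)" in body:
        return Finding(section, "low", "orphaned entry, file no longer present", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_entry over every line of a HijackThis log, preserving order."""
    return [f for f in (triage_entry(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity.upper():6}] {f.section}: {f.reason}")
```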

  8. #8
    Emeritus Shaba's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,644

    Default

    To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.

    You will now be presented with a screen similar to the one below:



    5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  9. #9
    Junior Member
    Join Date
    Nov 2008
    Posts
    16

    Default uninstall_list.txt

    µTorrent
    11 News ALERT
    56Kbps Internal Modem
    Adelphia Music
    Adelphia Toolbar
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe Reader 8.1.2
    Adobe Reader Chinese Traditional Fonts
    Adobe Shockwave Player 11
    Adobe® Photoshop® Album Starter Edition 3.2
    Advanced LAN Scanner v1.0 BETA 1
    Advertisement Service
    AI RoboForm (All Users)
    Alt-Tab Task Switcher Powertoy for Windows XP
    Anapod Explorer (remove only)
    Any Video Converter 2.0.3
    Apple Mobile Device Support
    Apple Software Update
    Audacity 1.3.0
    AutoHotkey 1.0.47.01
    Bejeweled Deluxe 1.862
    Belarc Advisor 7.0
    BigFix
    BugMeNot
    Cabinet File Viewer
    CDBurnerXP
    Cisco ConfigMaker v2.6
    Citeknet EXE IFilter
    Citeknet HLP IFilter
    Citeknet IFilter Explorer (Beta 2)
    Citeknet RAR IFilter
    ClearType Tuning Control Panel Applet
    Compatibility Pack for the 2007 Office system
    Customize Folder Shell Extension
    Debugging Tools for Windows
    Diskeeper Lite
    DiskMapper
    Dropbox
    DU Meter 3.50 Build R2822
    eEye Digital Security Blink
    eFax Messenger 4.3
    EverNote Plus Beta
    FeedDemon
    FeedStation
    ffdshow (remove only)
    FoxyTunes for Firefox
    Gem Shop
    GMail Drive Shell Extension
    Good Sync version 4.6.10
    GoodSync V6
    Google Earth
    Google Gmail Notifier
    Google Notebook for Internet Explorer
    GSpot Codec Information Appliance
    Hamachi 0.9.9.9
    HijackThis 2.0.2
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB915800)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB935448)
    Hotfix for Windows XP (KB952287)
    Hoyle Card Games 2007
    InstallRite 2.5
    iPod for Windows 2006-01-10
    iTunes
    iTunes Art Importer
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1
    JPEG IFilter 1.0
    KhalSetup
    Linksys Wireless-G PCI Adapter
    LiveUpdate 2.5 (Symantec Corporation)
    Logitech Desktop Messenger
    Logitech SetPoint
    Magic ISO Maker v5.3 (build 0216)
    MagicDisc 2.5.74
    Maxthon Browser (remove only)
    MediaLife
    MetaProducts Download Express
    MetaProducts Mass Downloader
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft Calculator Plus
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office 2000 Disc 2
    Microsoft Office 2000 Professional
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Windows Vista Upgrade Advisor
    Microsoft Works
    Motherboard Monitor 5
    Move Networks Player for Internet Explorer
    Mozilla Firefox (2.0.0.17)
    Mozilla Firefox (3.0.3)
    Mozilla Thunderbird (1.5)
    MSN Music Assistant
    MSXML 4.0 SP2 (KB925672)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    Multimedia Card Reader
    MuvAudio
    Nero OEM
    New Folder Here
    Omron Health Management Software
    OpenOffice.org 2.0
    Oracle Data Provider for .NET Help
    Oracle Database 10g Express Edition
    OverDrive Media Console
    Packet Tracer 4.1
    PC Wizard 2006.1.661
    PCMagazine SurfSpeed 2
    PhishTank Addin OE
    PodProducer Beta v0.25
    Power2Go 4.0
    PowerBackup 1.0
    PowerDVD
    PowerDVD Copy 1.0
    PowerQuest PartitionMagic 8.0
    PowerStarter
    Quick View Plus
    QuickTime
    RealPlayer
    Realtek AC'97 Audio
    REALTEK Gigabit and Fast Ethernet NIC Driver
    Replay 7.0
    Rhapsody Player Engine
    Rio Internet Update
    Rio Music Manager
    RON Tool Netupbanner
    Sam Spade version 1.14
    Sandboxie 3.30
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB896688)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911280)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931768)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933566)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937143)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB939653)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB942615)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944338)
    Security Update for Windows XP (KB944533)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB947864)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB948881)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB958644)
    Send To Extensions PowerToy
    SequoiaView
    SolarWinds Advanced Subnet Calculator
    Solitaire Vol. 1
    Solitaire Vol. 2
    StartupMonitor
    Super Collapse II
    SyncBack
    Target Context Menu (Remove Only)
    TBS WMP Plug-in
    TClockEx
    TextPad 5
    Trillian
    Tweak UI
    uberOptions 3.15.1
    UltraVNC v1.0
    UltraVNC v1.0.1
    Universal Extractor 1.2.1
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB942840)
    Update for Windows XP (KB946627)
    Update for Windows XP (KB951072-v2)
    VIA/S3G Display Driver
    VideoLAN VLC media player 0.8.6c
    Videora iPod Converter 2.19
    Virtual Earth 3D (Beta)
    VisualRoute Lite Edition
    VMware Player
    vPod (Remove Only)
    WeatherBug
    Windows Defender
    Windows Defender Signatures
    Windows Desktop Search 3.0
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Live Safety scanner
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 11
    WinRAR archiver
    WinZip
    XML Notepad 2007
    Xteq-dotec X-Setup Pro 6.6.300.Final1
    Xvid 1.1.2 final uninstall
    Yahoo! Anti-Spy
    Yahoo! Central
    Yahoo! Desktop Search
    Yahoo! Install Manager
    Yahoo! Messenger Explorer Bar
    Yahoo! Toolbar for Internet Explorer
    Yahoo! Widgets
    Zinio Reader

  10. #10
    Emeritus Shaba's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,644

    Default

    IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    uTorrent

    I'd like you to read this thread.

    Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

    Please run a new uninstall list scan when finished and post the log back here.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
