Both Virtumonde and Smitfraud

**sh2005** · 2008-11-23, 18:12

Hello,
My computer seems to be infected with Virtumonde and Smitfraud (and could be few others as well). I checked on the forum and saw other procedures for removing them, but i didn't want to start with the combofix without asking in the forum first. I did install the AVG freeware and also have capttued the HijackThis log. I am including it in the post. In another post, I noticed that a log for the Uninstall Manger from the HijackThis was also requested, so I am adding it here as well. Your help is greatly appreicated.

**************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:51 PM, on 11/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
F:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
F:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - F:\Program Files\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {41838D59-9092-4E97-92A3-CBB11EC7A9A0} - (no file)
O2 - BHO: {8371a256-a05a-abca-fbb4-533906b17d3c} - {c3d71b60-9335-4bbf-acba-a50a652a1738} - C:\WINDOWS\system32\ujkumr.dll (file missing)
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SuperAdBlocker] F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTS...etaStream3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: ujkumr.dll,avgrsstx.dll
O20 - Winlogon Notify: !SABWinLogon - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 6570 bytes
******************************************************

******************************************************

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Advanced Sound Recorder v6.0
Age of Empires III
AGEIA PhysX v7.07.09
Alibre Design
Alibre Design Help
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI HydraVision
ATI Parental Control & Encoder
ATT-AACE
AVG Free 8.0
AVIVO Codecs
Black Thorn
Call of Duty(R) 2
CAMtastic 2000 Designers Edition
Commandos 3 - Destination Berlin
Cool Edit 2000
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
EasyRecorder 5.5
eDrawings 2007
Enhancement Browser Tools Agadoo
FLV Player 2.0, build 23
FLV to AVI MPEG WMV 3GP MP4 iPod Converter 3.2.0607
GIMP 2.4.6
Google SketchUp 6
Google SketchUp 6
Groove
Hamachi 1.0.2.1
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Medal of Honor Airborne Demo
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft MSDN 2005 Express Edition - ENU
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C# 2005 Express Edition - ENU
Microsoft Visual C# 2005 Express Edition - ENU
Microsoft Visual C# 2005 Express Edition - ENU Service Pack 1 (KB926749)
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.3)
Mozilla Thunderbird (2.0.0.9)
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
P-CAD 2001
PDFCreator
PDFCreator Toolbar
Pro/ENGINEER Release Wildfire Datecode 2002280
PTC Conference Server Release Wildfire Datecode 2002280
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Registry Mechanic 6.0
Security Task Manager 1.7f
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SimCity 4 Deluxe
SolidWorks 2003
Spybot - Search & Destroy
Spyware Doctor 6.0
Super Ad Blocker
T-Utility Fan Control
T-Utility Hardware Monitor
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
VCW VicMan's Photo Editor 8.1
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Web Photo Album 0.9 Beta
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Xvid 1.1.3 final uninstall
Yahoo! Internet Mail
Yahoo! Messenger

******************************************************

**pskelley** · 2008-11-24, 23:21

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.

Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested: https://psi.secunia.com/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Reader 8.1.2 <<< out of date and being exploited, see this:
http://news.cnet.com/8301-1009_3-100...ml?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows
http://www.foxitsoftware.com/pdf/rd_intro.php

Viewpoint Manager (Remove Only)
Viewpoint Media Player
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.spywareinfo.com/newslette....php#viewpoint
http://www.clickz.com/news/article.php/3561546

Codec <<< I see you are downloaded these and many infections especially Smitfraud can occur, see this information:
http://forums.spybot.info/showthread.php?t=7344

We need to collect some information first:
http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consultin...rocessutil.htm

Post only the C:\rapport.txt

Thanks

**sh2005** · 2008-11-26, 00:16

Thank you for looking into it. I had downloaded the AVG and since then it seems like the smitfraud may have been removed (spybot no longer shows it). But, I ran the smitfraudfix as you asked for, and here's the rapport.txt file content. I think I still have the Virtumonde because spybot still shows it.

****************************************************

SmitFraudFix v2.378

Scan done at 18:12:57.59, Tue 11/25/2008
Run from C:\Documents and Settings\Admin\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\notepad.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Admin

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Admin\LOCALS~1\Temp

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Admin\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Admin\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="ujkumr.dll,avgrsstx.dll"
"LoadAppInit_DLLs"=dword:00000001

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» RK

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{7636219B-D60D-4FA7-B8CC-308DB6E33444}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7636219B-D60D-4FA7-B8CC-308DB6E33444}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7636219B-D60D-4FA7-B8CC-308DB6E33444}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

**pskelley** · 2008-11-26, 00:30

Thanks for returning your information and right your are. Smitfraudfix is showing nothing. You may remove (delete) it from your computer.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/comb...o-use-combofix

Thanks

**sh2005** · 2008-11-26, 01:38

I think AVG removed it after I did a scan. After a I a reboot after finishing the scan in AVG, I noticed I was no longer getting IE popped open automatically.

Here is the result from the ComboFix:
-----------------------------------

ComboFix 08-11-26.01 - Admin 2008-11-25 19:28:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1580 [GMT -5:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\tn3
c:\windows\system32\fnqhzo.dll
c:\windows\system32\GgjjPqss.ini
c:\windows\system32\GgjjPqss.ini2
c:\windows\system32\jorbtmuo.dll
c:\windows\system32\rjveshut.dll
c:\windows\system32\x4

.
((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.

2008-11-25 18:11 . 2008-11-25 18:12 1,340 --a------ c:\windows\system32\tmp.reg
2008-11-25 18:10 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-25 18:10 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-25 18:10 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-11-25 18:10 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-11-25 18:10 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-25 18:10 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-11-25 18:10 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-11-25 18:10 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-25 18:10 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-25 18:10 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-23 09:20 . 2008-11-23 09:30 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-23 09:07 . 2008-11-25 17:45 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-23 09:07 . 2008-11-23 09:07 <DIR> d-------- c:\program files\AVG
2008-11-23 09:07 . 2008-11-23 09:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-23 09:07 . 2008-11-23 09:07 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-23 09:07 . 2008-11-23 09:07 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-23 09:07 . 2008-11-23 09:07 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-22 12:19 . 2008-11-22 12:19 <DIR> d-------- c:\windows\system32\URTTemp
2008-11-22 12:19 . 2008-11-22 12:19 <DIR> d-------- c:\documents and settings\Admin\Application Data\SuperAdBlocker.com
2008-11-22 11:35 . 2008-11-22 11:35 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-11-22 11:33 . 2008-11-22 11:33 <DIR> d-------- c:\windows\ERUNT
2008-11-22 11:33 . 2008-11-22 11:33 <DIR> d-------- C:\SDFix
2008-11-22 11:29 . 2008-11-23 09:07 <DIR> d-------- c:\documents and settings\Administrator
2008-11-22 11:15 . 2008-11-22 14:36 <DIR> d-------- c:\program files\Spyware Doctor
2008-11-22 11:15 . 2008-11-22 11:15 <DIR> d-------- c:\documents and settings\Admin\Application Data\PC Tools
2008-11-22 11:15 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-11-22 11:15 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-11-22 11:15 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-11-22 11:15 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-11-22 10:17 . 2008-11-22 12:18 503 --a------ c:\windows\wininit.ini
2008-11-22 09:36 . 2008-11-22 11:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-22 09:22 . 2008-11-22 09:22 <DIR> d-------- c:\windows\system32\mp
2008-11-22 09:22 . 2008-11-22 14:07 <DIR> d-------- c:\windows\system32\ID2
2008-11-22 09:22 . 2008-11-22 14:07 <DIR> d-------- c:\windows\system32\gp2
2008-11-22 09:22 . 2008-11-22 14:07 <DIR> d-------- c:\windows\system32\dim
2008-11-22 09:22 . 2008-11-22 09:22 <DIR> d-------- c:\temp\FT62
2008-11-22 09:22 . 2008-11-25 19:28 <DIR> d-------- C:\Temp
2008-11-22 09:22 . 2008-11-22 09:22 29,184 --a------ c:\windows\system32\MSINET.oca
2008-11-22 09:22 . 2008-11-22 09:22 2,407 --a------ c:\windows\system32\MSINET.DEP
2008-11-12 22:34 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 22:34 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-25 23:12 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-23 13:26 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-22 17:18 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-13 03:51 18,320 ----a-w c:\documents and settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 00:17 --------- d-----w c:\documents and settings\Admin\Application Data\gtk-2.0
2008-10-19 02:30 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2008-10-16 12:03 --------- d-----w c:\program files\Common Files\Motive
2008-10-16 12:03 --------- d-----w c:\program files\ATT
2008-10-16 12:03 --------- d-----w c:\documents and settings\All Users\Application Data\Motive
2008-03-16 18:04 2 --shatr c:\windows\winstart.bat
2008-08-02 12:10 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080220080803\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-23 1234712]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-14 c:\windows\RTHDCPL.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= "f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL" [2006-11-07 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
2007-08-01 09:28 176128 f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ujkumr.dll,avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"f:\\Program Files\\Eidos\\Pyro Studios\\Commandos 3 - Destination Berlin\\commandos3.exe"=
"f:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"f:\\Program Files\\Groove Networks\\Groove\\Bin\\Groove.exe"=
"f:\\Program Files\\proeWildfire\\i486_nt\\nms\\nmsd.exe"=
"f:\\Program Files\\proeWildfire\\i486_nt\\obj\\proevconf.exe"=
"f:\\Program Files\\Games\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-23 97928]
R1 BIOS;BIOS;\??\c:\windows\system32\drivers\BIOS.sys [2007-02-24 13696]
R1 BS_I2cIo;BS_I2cIo;\??\c:\windows\system32\drivers\BS_I2cIo.sys [2007-02-24 8192]
R1 SABDIFSV;SABDIFSV;\??\f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABDIFSV.SYS [2005-09-21 5632]
R1 SABKUTIL;SABKUTIL;\??\f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [2007-02-20 32256]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-23 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-23 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-23 76040]
S1 atinmdxxx;atinmdxxx;c:\windows\system32\drivers\atinmdxxx.sys []
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys []
S4 GrooveInstallerService;Groove Installer Service;f:\program files\Groove Networks\Groove\Bin\GrooveInstallerService.exe [2007-04-28 75328]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - d:\setup\rsrc\autorun.exe
\Shell\dinstall\command - d:\directx\dxsetup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-02 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- f:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2007-11-28 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- f:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{41838D59-9092-4E97-92A3-CBB11EC7A9A0} - (no file)
BHO-{c3d71b60-9335-4bbf-acba-a50a652a1738} - c:\windows\system32\ujkumr.dll
ShellExecuteHooks-{F552DDE6-2090-4bf4-B924-6141E87789A5} - (no file)

.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\snarwbm4.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
FF -: plugin - f:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF -: plugin - f:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - f:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF -: plugin - f:\program files\DivX\DivX Web Player\npdivx32.dll
FF -: plugin - f:\program files\Mozilla Firefox\plugins\npnul32.dll
FF -: plugin - f:\program files\Mozilla Firefox\plugins\nppl3260.dll
FF -: plugin - f:\program files\Mozilla Firefox\plugins\nprjplug.dll
FF -: plugin - f:\program files\Mozilla Firefox\plugins\nprpjplug.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin2.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin3.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin4.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin5.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin6.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin7.dll
FF -: plugin - f:\program files\RealPlayer\Netscape6\nppl3260.dll
FF -: plugin - f:\program files\RealPlayer\Netscape6\nprjplug.dll
FF -: plugin - f:\program files\RealPlayer\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-25 19:30:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(768)
c:\windows\system32\nvappfilter.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-25 19:34:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-26 00:33:56

Pre-Run: 30,182,756,352 bytes free
Post-Run: 30,797,615,104 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

202 --- E O F --- 2008-11-13 04:18:51

**pskelley** · 2008-11-26, 01:57

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

Post the requested Hijackthis log before I can continue.

**sh2005** · 2008-11-26, 02:29

Sorry, I didn't notice it in your post. Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:28:21, on 11/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - F:\Program Files\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: ujkumr.dll,avgrsstx.dll
O20 - Winlogon Notify: !SABWinLogon - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 5770 bytes

**pskelley** · 2008-11-26, 12:26

Thanks for posting the HJT log, read and follow alll directions carefully and in the numbered order.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:

Code:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
"AppInit_DLLs"="avgrsstx.dll"

Folder::
C:\SDFix
c:\documents and settings\All Users\Application Data\Viewpoint
c:\documents and settings\All Users\Application Data\Trymedia

Save this as CFScript

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O20 - AppInit_DLLs: ujkumr.dll,avgrsstx.dll <<< may be gone

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/art...efetch-XP.html

5) DownloadMalwarebytes' Anti-Malwareto yourDesktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum...ware-mbam.html

How is the computer running now?

Thanks

**sh2005** · 2008-11-27, 15:49

Hello PSKelly,
Here's the log from the ComboFix with the CFScript and the HJT after that. In my next post, I will put the log fromt he MBAM and HJT. One thing I should mention is that first time when I ran the Combofix with the CFScript, I realized that I didn't disable the AVG Resident shield. So, I let ComboFix finish, then disabled the AVG and ran steps again. The log here is from running ComboFix with the AVG running. I also copied the log from running the Combofix the second time. I can post that if you need it.

------------------------------------------
------------------ ComboFix ---------------------------------

ComboFix 08-11-26.01 - Admin 2008-11-27 8:42:32.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1587 [GMT -5:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Trymedia
c:\documents and settings\All Users\Application Data\Trymedia\data\{00745072-B373-E166-3C31-5A47D2D88193}
c:\documents and settings\All Users\Application Data\Trymedia\data\{2DA1A51F-C9FF-6FDE-93FC-55A8D033F011}
c:\documents and settings\All Users\Application Data\Trymedia\data\{33920AC5-578E-727D-1A02-FDB862EB735E}
c:\documents and settings\All Users\Application Data\Trymedia\data\{5D32AFE0-F011-2C9D-A0AB-189A86585FB9}
c:\documents and settings\All Users\Application Data\Trymedia\data\{855FFF31-577D-DD08-DAFD-76B63F606B41}
c:\documents and settings\All Users\Application Data\Trymedia\data\{95F4DE04-AAB1-2F7E-F78D-951B04CA15F6}
c:\documents and settings\All Users\Application Data\Trymedia\data\{B8120112-55FE-5939-C536-E09097A61828}
c:\documents and settings\All Users\Application Data\Trymedia\data\{DAC41050-1A03-6A0C-B118-2078EAA0F017}
c:\documents and settings\All Users\Application Data\Viewpoint
C:\SDFix
c:\sdfix\SDFix\Add_DBFix_RunOnce_key.inf
c:\sdfix\SDFix\apps\assosfix.reg
c:\sdfix\SDFix\apps\Cghtme.exe
c:\sdfix\SDFix\apps\cliptext.exe
c:\sdfix\SDFix\apps\DBFix.inf
c:\sdfix\SDFix\apps\download.exe
c:\sdfix\SDFix\apps\dummy.sys
c:\sdfix\SDFix\apps\Enable_Command_Prompt.inf
c:\sdfix\SDFix\apps\Enable_Command_Prompt.reg
c:\sdfix\SDFix\apps\ERDNT.E_E
c:\sdfix\SDFix\apps\ERDNTDOS.LOC
c:\sdfix\SDFix\apps\ERDNTWIN.LOC
c:\sdfix\SDFix\apps\ERUNT.EXE
c:\sdfix\SDFix\apps\ERUNT.LOC
c:\sdfix\SDFix\apps\fix.reg
c:\sdfix\SDFix\apps\FixBeep.reg
c:\sdfix\SDFix\apps\FixBH.reg
c:\sdfix\SDFix\apps\FixComponents.reg
c:\sdfix\SDFix\apps\FIXCU.reg
c:\sdfix\SDFix\apps\FIXLM.reg
c:\sdfix\SDFix\apps\FixPath.exe
c:\sdfix\SDFix\apps\FixRedir.reg
c:\sdfix\SDFix\apps\FixSchedule.reg
c:\sdfix\SDFix\apps\FixWebCheck.reg
c:\sdfix\SDFix\apps\fixXP.reg
c:\sdfix\SDFix\apps\FixXPsp2.reg
c:\sdfix\SDFix\apps\grep.exe
c:\sdfix\SDFix\apps\HaxdFix.reg
c:\sdfix\SDFix\apps\HPFix.reg
c:\sdfix\SDFix\apps\HPFix2.reg
c:\sdfix\SDFix\apps\HPFix3.reg
c:\sdfix\SDFix\apps\HPFix4.reg
c:\sdfix\SDFix\apps\HPFix5.reg
c:\sdfix\SDFix\apps\HPFix6.reg
c:\sdfix\SDFix\apps\HPFix7.reg
c:\sdfix\SDFix\apps\HPFix8.reg
c:\sdfix\SDFix\apps\HPFix9.reg
c:\sdfix\SDFix\apps\Installed.txt
c:\sdfix\SDFix\apps\isadmin.exe
c:\sdfix\SDFix\apps\leg2.txt
c:\sdfix\SDFix\apps\legacy.txt
c:\sdfix\SDFix\apps\legacybk.txt
c:\sdfix\SDFix\apps\locate.com
c:\sdfix\SDFix\apps\LS.exe
c:\sdfix\SDFix\apps\MD5File.exe
c:\sdfix\SDFix\apps\moveex.exe
c:\sdfix\SDFix\apps\MyGcpvFix.reg
c:\sdfix\SDFix\apps\MyGkFix2.reg
c:\sdfix\SDFix\apps\Process.exe
c:\sdfix\SDFix\apps\procs.exe
c:\sdfix\SDFix\apps\psservice.exe
c:\sdfix\SDFix\apps\Rem.txt
c:\sdfix\SDFix\apps\Rem2.txt
c:\sdfix\SDFix\apps\Replace\regedit.exe
c:\sdfix\SDFix\apps\Replace\w2k\AUTOEXEC.NT
c:\sdfix\SDFix\apps\Replace\w2k\beep.sys
c:\sdfix\SDFix\apps\Replace\w2k\command.com
c:\sdfix\SDFix\apps\Replace\w2k\command.PIF
c:\sdfix\SDFix\apps\Replace\w2k\CONFIG.NT
c:\sdfix\SDFix\apps\Replace\w2k\null.sys
c:\sdfix\SDFix\apps\Replace\xp\AUTOEXEC.NT
c:\sdfix\SDFix\apps\Replace\xp\beep.sys
c:\sdfix\SDFix\apps\Replace\xp\command.com
c:\sdfix\SDFix\apps\Replace\xp\command.PIF
c:\sdfix\SDFix\apps\Replace\xp\CONFIG.NT
c:\sdfix\SDFix\apps\Replace\xp\null.sys
c:\sdfix\SDFix\apps\Reset_AppInit_DLLs.reg
c:\sdfix\SDFix\apps\RestartIt!.exe
c:\sdfix\SDFix\apps\Restore_SafeBoot_Windows2000.reg
c:\sdfix\SDFix\apps\Restore_SafeBoot_WindowsXP.reg
c:\sdfix\SDFix\apps\Restore_SafeBoot_WindowsXP_SP2.reg
c:\sdfix\SDFix\apps\Restore_SafeBoot_WindowsXP_SP3.reg
c:\sdfix\SDFix\apps\Restore_SecurityCenter.reg
c:\sdfix\SDFix\apps\Restore_SharedAccess.reg
c:\sdfix\SDFix\apps\sc.exe
c:\sdfix\SDFix\apps\sed.exe
c:\sdfix\SDFix\apps\SF.exe
c:\sdfix\SDFix\apps\shutdown.exe
c:\sdfix\SDFix\apps\srv2.txt
c:\sdfix\SDFix\apps\srv2bk.txt
c:\sdfix\SDFix\apps\svc.txt
c:\sdfix\SDFix\apps\svcbk.txt
c:\sdfix\SDFix\apps\Swreg.exe
c:\sdfix\SDFix\apps\swsc.exe
c:\sdfix\SDFix\apps\UnRAR.exe
c:\sdfix\SDFix\apps\unzip.exe
c:\sdfix\SDFix\apps\vfind.exe
c:\sdfix\SDFix\apps\WINMSG.EXE
c:\sdfix\SDFix\apps\winsec.reg
c:\sdfix\SDFix\apps\zip.exe
c:\sdfix\SDFix\backups\backupreg.zip
c:\sdfix\SDFix\backups\catchme.log
c:\sdfix\SDFix\backups\catchme.zip
c:\sdfix\SDFix\backups\HOSTS
c:\sdfix\SDFix\catchme.exe
c:\sdfix\SDFix\DBFix.bat
c:\sdfix\SDFix\dummy.sys
c:\sdfix\SDFix\Report.txt
c:\sdfix\SDFix\RunThis.bat
c:\sdfix\SDFix\SDFIX_ReadMe_Online.url
c:\sdfix\SDFix\W2K_VirusAlert_Repair.inf
c:\sdfix\SDFix\XP_VirusAlert_Repair.inf

.
((((((((((((((((((((((((( Files Created from 2008-10-27 to 2008-11-27 )))))))))))))))))))))))))))))))
.

2008-11-25 18:11 . 2008-11-25 18:12 1,340 --a------ c:\windows\system32\tmp.reg
2008-11-25 18:10 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-25 18:10 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-25 18:10 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-11-25 18:10 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-11-25 18:10 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-25 18:10 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-11-25 18:10 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-11-25 18:10 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-25 18:10 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-25 18:10 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-23 09:20 . 2008-11-23 09:30 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-23 09:07 . 2008-11-26 22:38 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-23 09:07 . 2008-11-23 09:07 <DIR> d-------- c:\program files\AVG
2008-11-23 09:07 . 2008-11-23 09:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-23 09:07 . 2008-11-23 09:07 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-23 09:07 . 2008-11-23 09:07 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-23 09:07 . 2008-11-23 09:07 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-22 12:19 . 2008-11-22 12:19 <DIR> d-------- c:\windows\system32\URTTemp
2008-11-22 12:19 . 2008-11-22 12:19 <DIR> d-------- c:\documents and settings\Admin\Application Data\SuperAdBlocker.com
2008-11-22 11:35 . 2008-11-22 11:35 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-11-22 11:33 . 2008-11-22 11:33 <DIR> d-------- c:\windows\ERUNT
2008-11-22 11:29 . 2008-11-23 09:07 <DIR> d-------- c:\documents and settings\Administrator
2008-11-22 11:15 . 2008-11-22 14:36 <DIR> d-------- c:\program files\Spyware Doctor
2008-11-22 11:15 . 2008-11-22 11:15 <DIR> d-------- c:\documents and settings\Admin\Application Data\PC Tools
2008-11-22 11:15 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-11-22 11:15 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-11-22 11:15 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-11-22 11:15 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-11-22 10:17 . 2008-11-22 12:18 503 --a------ c:\windows\wininit.ini
2008-11-22 09:36 . 2008-11-22 11:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-22 09:22 . 2008-11-22 09:22 <DIR> d-------- c:\windows\system32\mp
2008-11-22 09:22 . 2008-11-22 14:07 <DIR> d-------- c:\windows\system32\ID2
2008-11-22 09:22 . 2008-11-22 14:07 <DIR> d-------- c:\windows\system32\gp2
2008-11-22 09:22 . 2008-11-22 14:07 <DIR> d-------- c:\windows\system32\dim
2008-11-22 09:22 . 2008-11-22 09:22 <DIR> d-------- c:\temp\FT62
2008-11-22 09:22 . 2008-11-25 19:28 <DIR> d-------- C:\Temp
2008-11-22 09:22 . 2008-11-22 09:22 29,184 --a------ c:\windows\system32\MSINET.oca
2008-11-22 09:22 . 2008-11-22 09:22 2,407 --a------ c:\windows\system32\MSINET.DEP
2008-11-12 22:34 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 22:34 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-23 13:26 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-22 17:18 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-13 03:51 18,320 ----a-w c:\documents and settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 00:17 --------- d-----w c:\documents and settings\Admin\Application Data\gtk-2.0
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 12:03 --------- d-----w c:\program files\Common Files\Motive
2008-10-16 12:03 --------- d-----w c:\program files\ATT
2008-10-16 12:03 --------- d-----w c:\documents and settings\All Users\Application Data\Motive
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-03-16 18:04 2 --shatr c:\windows\winstart.bat
2008-08-02 12:10 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080220080803\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-23 1234712]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-14 c:\windows\RTHDCPL.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= "f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL" [2006-11-07 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
2007-08-01 09:28 176128 f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"f:\\Program Files\\Eidos\\Pyro Studios\\Commandos 3 - Destination Berlin\\commandos3.exe"=
"f:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"f:\\Program Files\\Groove Networks\\Groove\\Bin\\Groove.exe"=
"f:\\Program Files\\proeWildfire\\i486_nt\\nms\\nmsd.exe"=
"f:\\Program Files\\proeWildfire\\i486_nt\\obj\\proevconf.exe"=
"f:\\Program Files\\Games\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-23 97928]
R1 BIOS;BIOS;\??\c:\windows\system32\drivers\BIOS.sys [2007-02-24 13696]
R1 BS_I2cIo;BS_I2cIo;\??\c:\windows\system32\drivers\BS_I2cIo.sys [2007-02-24 8192]
R1 SABDIFSV;SABDIFSV;\??\f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABDIFSV.SYS [2005-09-21 5632]
R1 SABKUTIL;SABKUTIL;\??\f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [2007-02-20 32256]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-23 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-23 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-23 76040]
S1 atinmdxxx;atinmdxxx;c:\windows\system32\drivers\atinmdxxx.sys []
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys []
S4 GrooveInstallerService;Groove Installer Service;f:\program files\Groove Networks\Groove\Bin\GrooveInstallerService.exe [2007-04-28 75328]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - d:\setup\rsrc\autorun.exe
\Shell\dinstall\command - d:\directx\dxsetup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-02 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- f:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2007-11-28 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- f:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-27 08:44:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\avgrsstx.dll
f:\program files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(796)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\nvappfilter.dll
.
Completion time: 2008-11-27 8:45:08
ComboFix-quarantined-files.txt 2008-11-27 13:44:59
ComboFix2.txt 2008-11-26 00:34:18

Pre-Run: 30,782,152,704 bytes free
Post-Run: 30,781,292,544 bytes free

271 --- E O F --- 2008-11-13 04:18:51

--------------------- HJT --------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:55:29, on 11/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - F:\Program Files\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SABWinLogon - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 5784 bytes

**sh2005** · 2008-11-27, 15:51

Here's the log from MBAM and HJT.... looks like MBAM found the virtumonde and a Rootkit.

---------------------------------
Malwarebytes' Anti-Malware 1.30
Database version: 1428
Windows 5.1.2600 Service Pack 3

11/27/2008 9:41:26 AM
mbam-log-2008-11-27 (09-41-26).txt

Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 176627
Time elapsed: 35 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e596df5f-4239-4d40-8367-ebadf0165917} (Rogue.Installer) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\mp (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\fnqhzo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jorbtmuo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rjveshut.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP391\A0031370.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP391\A0031373.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP391\A0031375.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP391\A0031395.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP391\A0031396.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP391\A0031413.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP391\A0031416.dll (Adware.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP391\A0031417.exe (Adware.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP391\A0031428.dll (Adware.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP391\A0031430.exe (Adware.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP391\A0031432.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP392\A0031564.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP392\A0031569.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP394\A0031676.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP397\A0031954.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP397\A0031956.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7A03ACA3-AB1B-4FCF-972A-833095A61992}\RP397\A0031957.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mp\kstamv3.exe (Trojan.Agent) -> Quarantined and deleted successfully.

----------------- HJT ---------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:51:42, on 11/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\avgtray.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - F:\Program Files\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SABWinLogon - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - F:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 5603 bytes

Thread: Both Virtumonde and Smitfraud

Thread Tools

Display

Both Virtumonde and Smitfraud

CFScript and HJT

MBAM and Another HJT log

Posting Permissions