
Thread: Virtumonde Infection

    #1 Junior Member (Join Date: Mar 2007, Posts: 22)

    Virtumonde Infection

    Hello, I seem to be having much the same problems as others on this board with a Virtumonde infection. I've done numerous different scans with Spybot, Malwarebytes, and AVG, and it seemed to go away for a few days, but then I think it reappeared, as my desktop is now disappearing and reappearing every 5 seconds. I did a scan and found some Virtumonde still on my system, so any help getting rid of it would be appreciated. Thank you. Here is my HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:39:21 PM, on 1/15/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    D:\WINDOWS\eHome\ehRecvr.exe
    D:\WINDOWS\eHome\ehSched.exe
    D:\Program Files\Java\jre6\bin\jqs.exe
    D:\Program Files\CDBurnerXP\NMSAccessU.exe
    D:\WINDOWS\system32\nvsvc32.exe
    D:\WINDOWS\system32\PnkBstrA.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\RUNDLL32.EXE
    D:\WINDOWS\stsystra.exe
    D:\PROGRA~1\AVG\AVG8\avgtray.exe
    D:\Program Files\Java\jre6\bin\jusched.exe
    D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    D:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
    D:\Documents and Settings\Harsimran S. Mann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    D:\PROGRA~1\WI1F86~1\MESSEN~1\msnmsgr.exe
    D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\PROGRA~1\AVG\AVG8\avgrsx.exe
    D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    D:\WINDOWS\system32\dllhost.exe
    E:\SETUP.EXE
    D:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
    D:\Documents and Settings\Harsimran S. Mann\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    D:\Program Files\Windows Live\Messenger\usnsvc.exe
    D:\Documents and Settings\Harsimran S. Mann\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    D:\Documents and Settings\Harsimran S. Mann\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    D:\Documents and Settings\Harsimran S. Mann\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    D:\WINDOWS\explorer.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - D:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [OSSelectorReinstall] D:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [DellAutomatedPCTuneUp] "D:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe" /startup
    O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Harsimran S. Mann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [MsnMsgr] "D:\PROGRA~1\WI1F86~1\MESSEN~1\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Uniblue RegistryBooster2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [yirifatopa] Rundll32.exe "D:\WINDOWS\system32\hoditugu.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [yirifatopa] Rundll32.exe "D:\WINDOWS\system32\hoditugu.dll",s (User 'NETWORK SERVICE')
    O4 - Global Startup: Wireless Configuration Utility.lnk = D:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
    O4 - Global Startup: ZDWLan Utility.lnk = D:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
    O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://D:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://D:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - d:\windows\system32\hayeluze.dll (file missing)
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: DellAMBrokerService - Unknown owner - D:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NMSAccessU - Unknown owner - D:\Program Files\CDBurnerXP\NMSAccessU.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe

    --
    End of file - 7810 bytes
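
    The log above is what the expert reads by eye: the O4 entries under the LOCAL SERVICE and NETWORK SERVICE hives that launch Rundll32 with a DLL, the O22 entry whose target is marked "(file missing)", and later the unnamed O2 BHO. The helper below is an added example, not the thread's own tooling and not part of HijackThis; it parses lines in the v2.0.2 format shown here and flags those patterns, plus O23 services with no publisher string as a low-priority item to verify by hand. The sample lines are constructed from the log format in this thread, and the severity labels are the example's own, not HijackThis output.

```python
import re

# Constructed sample: a few HijackThis v2.0.2 lines in the format seen in this
# thread (benign entries mixed with the Virtumonde-style ones the thread shows).
SAMPLE_HJT = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {aa5ea87c-acea-418c-8061-ad489ad751a2} - D:\WINDOWS\system32\zopejaji.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-19\..\Run: [yirifatopa] Rundll32.exe "D:\WINDOWS\system32\hoditugu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [yirifatopa] Rundll32.exe "D:\WINDOWS\system32\hoditugu.dll",s (User 'NETWORK SERVICE')
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - d:\windows\system32\hayeluze.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NMSAccessU - Unknown owner - D:\Program Files\CDBurnerXP\NMSAccessU.exe
"""

# "O4 - HKUS\S-1-5-19\..\Run: [...]" -> section "O4", body "HKUS\S-1-5-19\..\Run: [...]"
ENTRY_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.*)$")
# Run keys of the built-in service accounts (S-1-5-19 LOCAL SERVICE, S-1-5-20 NETWORK SERVICE)
SERVICE_ACCOUNT_RUN_RE = re.compile(r"^HKUS\\S-1-5-(19|20)\\\.\.\\Run:", re.IGNORECASE)
# First drive-letter path ending in .dll on the line
DLL_PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.dll", re.IGNORECASE)


def parse_entry(line):
    """Return (section, body) for an HJT entry line, or None for headers and process lists."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def triage(lines):
    """Apply the triage heuristics; returns a list of (severity, section, reason, line)."""
    findings = []
    for raw in lines:
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        section, body = parsed
        if body.endswith("(file missing)"):
            findings.append(("high", section,
                             "autostart target no longer exists (orphaned entry, "
                             "typical leftover after a partial removal)", raw))
        if section == "O4" and SERVICE_ACCOUNT_RUN_RE.match(body) and "rundll32" in body.lower():
            findings.append(("high", section,
                             "Rundll32 loading a DLL from a service-account Run key", raw))
        if section == "O2" and body.startswith("BHO: (no name)"):
            findings.append(("medium", section, "BHO registered without a name", raw))
        if section == "O23" and "Unknown owner" in body:
            findings.append(("info", section,
                             "service without a publisher string; verify the binary by hand", raw))
    return findings


def flagged_dlls(findings, min_severity="high"):
    """Base names of DLLs referenced by findings at or above the given severity."""
    rank = {"info": 0, "medium": 1, "high": 2}
    names = set()
    for severity, _section, _reason, line in findings:
        if rank[severity] < rank[min_severity]:
            continue
        m = DLL_PATH_RE.search(line)
        if m:
            names.add(m.group(0).rsplit("\\", 1)[-1].lower())
    return names


if __name__ == "__main__":
    results = triage(SAMPLE_HJT.splitlines())
    for severity, section, reason, line in results:
        print(f"[{severity:6}] {section}: {reason}\n         {line.strip()}")
    print("DLLs to review:", sorted(flagged_dlls(results)))
```

    Run it against a saved HijackThis log by passing the file's lines to triage(); the "(file missing)" rule is what makes the O22 hayeluze.dll and O2 zopejaji.dll entries stand out even though their DLLs are already gone, and the service-account Run-key rule is what catches the hoditugu.dll pair. The O23 "Unknown owner" rule is deliberately only informational: the services it matches in this thread (NMSAccessU, PnkBstrA, DellAMBrokerService) are legitimate, which is why the expert did not act on them.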

    #2 Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 29,374)

    Hi SpaceUnion

    Rename HijackThis.exe to SpaceUnion.exe and post back a fresh HijackThis log, please
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

    #3 Junior Member (Join Date: Mar 2007, Posts: 22)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:28:18 PM, on 1/19/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\csrss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    D:\WINDOWS\eHome\ehRecvr.exe
    D:\WINDOWS\eHome\ehSched.exe
    D:\Program Files\Java\jre6\bin\jqs.exe
    D:\Program Files\CDBurnerXP\NMSAccessU.exe
    D:\WINDOWS\system32\nvsvc32.exe
    D:\WINDOWS\system32\PnkBstrA.exe
    D:\Program Files\Spyware Doctor\pctsAuxs.exe
    D:\Program Files\Spyware Doctor\pctsSvc.exe
    D:\PROGRA~1\AVG\AVG8\avgrsx.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\ehome\mcrdsvc.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\RUNDLL32.EXE
    D:\WINDOWS\stsystra.exe
    D:\PROGRA~1\AVG\AVG8\avgtray.exe
    D:\Program Files\Java\jre6\bin\jusched.exe
    D:\Program Files\Spyware Doctor\pctsTray.exe
    D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    D:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
    D:\Documents and Settings\Har~\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    D:\PROGRA~1\WI1F86~1\MESSEN~1\msnmsgr.exe
    D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    D:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
    D:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
    D:\WINDOWS\system32\dllhost.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\WINDOWS\System32\alg.exe
    D:\Program Files\Windows Live\Messenger\usnsvc.exe
    D:\WINDOWS\system32\rundll32.exe
    D:\Documents and Settings\Har~\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    D:\Documents and Settings\Har~\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    D:\Program Files\Trend Micro\HijackThis\SpaceUnion.exe
    D:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - D:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {aa5ea87c-acea-418c-8061-ad489ad751a2} - D:\WINDOWS\system32\zopejaji.dll (file missing)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Program Files\Free Download Manager\iefdm2.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - D:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [OSSelectorReinstall] D:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [DellAutomatedPCTuneUp] "D:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe" /startup
    O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Har~\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [MsnMsgr] "D:\PROGRA~1\WI1F86~1\MESSEN~1\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Uniblue RegistryBooster2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Wireless Configuration Utility.lnk = D:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
    O4 - Global Startup: ZDWLan Utility.lnk = D:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
    O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://D:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://D:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: DellAMBrokerService - Unknown owner - D:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NMSAccessU - Unknown owner - D:\Program Files\CDBurnerXP\NMSAccessU.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe

    --
    End of file - 9381 bytes

    Here ya go

    #4 Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 29,374)

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:

    1. Run Spybot-S&D in Advanced Mode.
    2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
    3. On the left hand side, Click on Tools
    4. Then click on the Resident Icon in the List
    5. Uncheck "Resident TeaTimer" and OK any prompts.
    6. Restart your computer.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

    #5 Junior Member (Join Date: Mar 2007, Posts: 22)

    ComboFix 09-01-19.03 - Har~ 2009-01-19 20:50:28.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.627 [GMT -5:00]
    Running from: d:\documents and settings\Har~\My Documents\Downloads\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    d:\windows\system32\ehilupap.ini
    d:\windows\system32\TDSSosvd.dat
    d:\windows\system32\ubiwenos.ini
    d:\windows\Tasks\sesjjloy.job

    .
    ((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
    .

    2009-01-15 19:41 . 2009-01-15 19:41 <DIR> d-------- D:\VundoFix Backups
    2009-01-15 17:38 . 2009-01-15 17:38 <DIR> d-------- d:\program files\Trend Micro
    2009-01-10 15:42 . 2009-01-10 15:42 <DIR> d-------- d:\program files\Apple Software Update
    2009-01-10 15:42 . 2009-01-10 15:42 <DIR> d-------- d:\documents and settings\All Users\Application Data\Apple
    2009-01-06 15:02 . 2009-01-06 15:02 <DIR> d-------- d:\windows\system32\config\systemprofile\Application Data\AVGTOOLBAR
    2009-01-05 16:20 . 2009-01-19 12:25 <DIR> d-------- d:\program files\Spyware Doctor
    2009-01-05 16:20 . 2009-01-05 16:20 <DIR> d-------- d:\documents and settings\Har~\Application Data\PC Tools
    2009-01-05 16:20 . 2009-01-19 18:43 <DIR> d-a------ d:\documents and settings\All Users\Application Data\TEMP
    2009-01-05 16:20 . 2008-08-25 12:36 81,288 --a------ d:\windows\system32\drivers\iksyssec.sys
    2009-01-05 16:20 . 2008-08-25 12:36 66,952 --a------ d:\windows\system32\drivers\iksysflt.sys
    2009-01-05 16:20 . 2008-08-25 12:36 40,840 --a------ d:\windows\system32\drivers\ikfilesec.sys
    2009-01-05 16:20 . 2008-06-02 16:19 29,576 --a------ d:\windows\system32\drivers\kcom.sys
    2009-01-03 12:26 . 2009-01-05 18:26 323 --a------ d:\windows\wininit.ini

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-19 23:41 --------- d-----w d:\documents and settings\Har~\Application Data\mIRC
    2009-01-19 22:30 --------- d-----w d:\program files\mIRC
    2009-01-19 03:06 --------- d-----w d:\documents and settings\Har~\Application Data\uTorrent
    2009-01-03 18:15 --------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-01-03 16:41 --------- d-----w d:\program files\Spybot - Search & Destroy
    2008-12-13 01:52 --------- d-----w d:\program files\DivX
    2008-12-11 22:41 18,704 ----a-w d:\documents and settings\Har~\Application Data\GDIPFONTCACHEV1.DAT
    2008-12-09 01:09 --------- d-----w d:\program files\Java
    2008-12-08 00:23 --------- d--h--w d:\program files\InstallShield Installation Information
    2008-12-08 00:21 21,035 ----a-w d:\windows\system32\drivers\AegisP.sys
    2008-12-08 00:21 --------- d-----w d:\program files\TRENDnet
    2008-12-01 23:26 --------- d-----w d:\program files\Common Files\InstallShield
    2008-11-23 18:56 --------- d-----w d:\program files\CONEXANT
    2008-11-23 18:44 --------- d-----w d:\program files\Broadcom
    2008-08-11 20:32 4 ----a-w d:\documents and settings\All Users\Application Data\E00D3599.DAT
    2008-02-09 02:12 22,328 ----a-w d:\documents and settings\Har~\Application Data\PnkBstrK.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-05 68856]
    "DellAutomatedPCTuneUp"="d:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
    "Google Update"="d:\documents and settings\Har~\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
    "MsnMsgr"="d:\progra~1\WI1F86~1\MESSEN~1\msnmsgr.exe" [2007-10-18 5724184]
    "Uniblue RegistryBooster2"="d:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-06-13 1650720]
    "ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
    "NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
    "OSSelectorReinstall"="d:\program files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2007-02-22 2209224]
    "Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "AVG8_TRAY"="d:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
    "QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
    "SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-12-08 136600]
    "nwiz"="nwiz.exe" [2007-10-04 d:\windows\system32\nwiz.exe]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 d:\windows\stsystra.exe]

    d:\documents and settings\All Users\Start Menu\Programs\Startup\
    Wireless Configuration Utility.lnk - d:\program files\TRENDnet\TEW-424UB\WlanCU.exe [2007-07-10 634880]
    ZDWLan Utility.lnk - d:\program files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe [2007-12-15 495616]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ \0

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
    "d:\\Program Files\\Messenger\\msmsgs.exe"=
    "d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
    "d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
    "d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
    "d:\\Program Files\\mIRC\\mirc.exe"=
    "d:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "d:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "d:\\Program Files\\uTorrent\\uTorrent.exe"=
    "d:\\Program Files\\ImageJ\\jre\\bin\\javaw.exe"=
    "d:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "d:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "d:\nexon\Combat Arms\CombatArms.exe"= d:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
    "d:\nexon\Combat Arms\Engine.exe"= d:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
    "d:\\Nexon\\Combat Arms\\NMService.exe"=
    "d:\\Program Files\\FrostWire\\FrostWire.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "d:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "d:\\WINDOWS\\system32\\spoolsv.exe"=
    "d:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=
    "d:\\Program Files\\AVG\\AVG8\\avgrsx.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [2008-07-07 97928]
    R4 avg8wd;AVG Free8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-07 231704]
    R4 datunidr;DellAutomatedPCTuneUp UniDriver;d:\windows\system32\drivers\datunidr.sys [2007-08-23 5376]
    S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;d:\windows\system32\drivers\RTL8187B.sys [2008-12-07 264576]
    S3 sdAuxService;PC Tools Auxiliary Service;d:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-05 356920]
    S3 SjyPkt;SjyPkt;d:\windows\system32\drivers\SjyPkt.sys [2002-10-03 13532]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-15 d:\windows\Tasks\AppleSoftwareUpdate.job
    - d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

    2009-01-20 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-412668190-839522115-1003.job
    - d:\documents and settings\Har~\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 16:57]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{aa5ea87c-acea-418c-8061-ad489ad751a2} - d:\windows\system32\zopejaji.dll


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: Download all with Free Download Manager - file://d:\program files\Free Download Manager\dlall.htm
    IE: Download selected with Free Download Manager - file://d:\program files\Free Download Manager\dlselected.htm
    IE: Download video with Free Download Manager - file://d:\program files\Free Download Manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://d:\program files\Free Download Manager\dllink.htm
    IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    FF - ProfilePath - d:\documents and settings\Har~\Application Data\Mozilla\Firefox\Profiles\ybw61fmw.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - component: d:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - component: d:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
    FF - component: d:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
    FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
    FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
    FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
    FF - plugin: d:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
    FF - plugin: d:\documents and settings\Har~\Application Data\Mozilla\Firefox\Profiles\ybw61fmw.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07075003.dll
    FF - plugin: d:\documents and settings\Har~\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
    FF - plugin: d:\program files\Download Manager\npfpdlm.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-19 21:04:25
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1214440339-412668190-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:b5,6d,5b,8d,6c,e8,67,bd,c0,a0,f7,b0,bd,ed,01,5c,f5,f7,76,4f,f5,51,a3,
    cb,9e,b3,72,03,7a,8b,b0,cc,25,d6,18,b8,f5,f0,5a,a1,9d,3c,80,2e,82,f0,8a,c2,\
    "??"=hex:04,ab,cd,94,64,76,eb,fc,29,73,51,f4,03,e3,4a,6e
    .
    ------------------------ Other Running Processes ------------------------
    .
    d:\windows\ehome\ehrecvr.exe
    d:\windows\ehome\ehSched.exe
    d:\program files\Java\jre6\bin\jqs.exe
    d:\program files\CDBurnerXP\NMSAccessU.exe
    d:\windows\system32\nvsvc32.exe
    d:\windows\system32\PnkBstrA.exe
    d:\windows\ehome\mcrdsvc.exe
    d:\progra~1\AVG\AVG8\avgrsx.exe
    d:\windows\system32\dllhost.exe
    d:\windows\system32\wscntfy.exe
    d:\windows\system32\rundll32.exe
    d:\program files\Windows Live\Messenger\usnsvc.exe
    .
    **************************************************************************
    .
    Completion time: 2009-01-19 21:08:39 - machine was rebooted [Har~]
    ComboFix-quarantined-files.txt 2009-01-20 02:08:36

    Pre-Run: 28,017,082,368 bytes free
    Post-Run: 28,164,747,264 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(4)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(4)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

    183 --- E O F --- 2008-12-18 22:07:24


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:06:33 PM, on 1/19/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    D:\WINDOWS\eHome\ehRecvr.exe
    D:\WINDOWS\eHome\ehSched.exe
    D:\Program Files\Java\jre6\bin\jqs.exe
    D:\Program Files\CDBurnerXP\NMSAccessU.exe
    D:\WINDOWS\system32\nvsvc32.exe
    D:\WINDOWS\system32\PnkBstrA.exe
    D:\WINDOWS\system32\svchost.exe
    D:\PROGRA~1\AVG\AVG8\avgrsx.exe
    D:\WINDOWS\system32\dllhost.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\WINDOWS\system32\RUNDLL32.EXE
    D:\WINDOWS\stsystra.exe
    D:\PROGRA~1\AVG\AVG8\avgtray.exe
    D:\Program Files\Java\jre6\bin\jusched.exe
    D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    D:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
    D:\Documents and Settings\Har~\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    D:\PROGRA~1\WI1F86~1\MESSEN~1\msnmsgr.exe
    D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\WINDOWS\system32\wuauclt.exe
    D:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
    D:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
    D:\Program Files\Windows Live\Messenger\usnsvc.exe
    D:\WINDOWS\explorer.exe
    D:\WINDOWS\system32\notepad.exe
    D:\Documents and Settings\Har~\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    D:\Documents and Settings\Har~\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    D:\Program Files\Trend Micro\HijackThis\SpaceUnion.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - D:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Program Files\Free Download Manager\iefdm2.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - D:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [OSSelectorReinstall] D:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [DellAutomatedPCTuneUp] "D:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe" /startup
    O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Har~\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [MsnMsgr] "D:\PROGRA~1\WI1F86~1\MESSEN~1\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Uniblue RegistryBooster2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Wireless Configuration Utility.lnk = D:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
    O4 - Global Startup: ZDWLan Utility.lnk = D:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
    O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://D:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://D:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: DellAMBrokerService - Unknown owner - D:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NMSAccessU - Unknown owner - D:\Program Files\CDBurnerXP\NMSAccessU.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe

    --
    End of file - 8661 bytes

  6. #6
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.

    You will now be presented with a screen similar to the one below:



    5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  7. #7
    Junior Member
    Join Date
    Mar 2007
    Posts
    22

    Default

    Acronis Disk Director Suite
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe Reader 8.1.2
    Advanced WindowsCare Personal
    Apple Software Update
    Apple Software Update
    AusLogics Registry Defrag
    AVG Free 8.0
    Battlefield 2: Deluxe Edition
    Blender (remove only)
    Broadcom 440x 10/100 Integrated Controller
    Broadcom Management Programs
    CCleaner (remove only)
    CDBurnerXP
    Cleanup Assistant
    Combat Arms
    Conexant D850 56K V.9x DFVc Modem
    Dell Automated PC TuneUp
    DivX Web Player
    Download Manager 2.3.6
    ESPNMotion
    Free Download Manager 2.5
    FrostWire 4.13.5
    GameSpy Arcade
    GemMaster Mystic
    Google Toolbar for Internet Explorer
    Google Toolbar for Internet Explorer
    High Definition Audio Driver Package - KB835221
    HijackThis 2.0.2
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    ImageConverter Plus 7.1
    ImageJ 1.40g
    Java(TM) 6 Update 11
    Java(TM) 6 Update 3
    Java(TM) 6 Update 7
    Magic ISO Maker v5.4 (build 0256)
    MagicDisc 2.6.93
    Malwarebytes' Anti-Malware
    Medieval II Total War
    Medieval II Total War : Kingdoms : Americas
    Medieval II Total War : Kingdoms : Britannia
    Medieval II Total War : Kingdoms : Crusades
    Medieval II Total War : Kingdoms : Teutonic
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft .NET Framework 3.0 Service Pack 1
    Microsoft .NET Framework 3.5
    Microsoft .NET Framework 3.5
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office XP Professional with FrontPage
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual J# .NET Redistributable Package 1.1
    Microsoft Windows Journal Viewer
    MilkShape 3D 1.8.0
    mIRC
    Mozilla Firefox (3.0.5)
    MSXML 6 Service Pack 2 (KB954459)
    MySpeed PC Lite Edition
    NVIDIA Drivers
    Otto
    Paint.NET v3.30
    Project Reality 0.75 Core
    Project Reality 0.75 Levels
    PunkBuster Services
    Python 2.5.1
    QuickTime
    RealPlayer
    Rhapsody Player Engine
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    SharpDevelop 2.2
    SigmaTel Audio
    Sonic Encoders
    Sound Blaster ADVANCED MB Drivers
    Spybot - Search & Destroy
    Spyware Doctor 6.0
    TRENDnet TEW-424UB Wireless USB 2.0 Adapter Driver and Utility
    Uniblue RegistryBooster 2
    Update for Windows Media Player 10 (KB913800)
    Update for Windows Media Player 10 (KB926251)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update Rollup 2 for Windows XP Media Center Edition 2005
    Ventrilo Client
    VideoLAN VLC media player 0.8.6d
    Windows Imaging Component
    Windows Live installer
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 11
    Windows XP Media Center Edition 2005 KB925766
    Windows XP Service Pack 3
    WinRAR archiver
    World in Conflict
    ZyDAS IEEE 802.11 b+g Wireless LAN - USB

  8. #8
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Open notepad and copy/paste the text in the codebox below into it:

    Code:
    Folder::
    d:\documents and settings\Har~\Application Data\uTorrent
    d:\Program Files\FrostWire
    d:\Program Files\uTorrent
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "d:\\Program Files\\uTorrent\\uTorrent.exe"=-
    "d:\\Program Files\\FrostWire\\FrostWire.exe"=-

    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; ComboFix should then continue.
    If that happens, we want to know, and also which process you had to end.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  9. #9
    Junior Member
    Join Date
    Mar 2007
    Posts
    22

    Default

    ComboFix 09-01-19.05 - Har~ 2009-01-20 15:07:47.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.516 [GMT -5:00]
    Running from: d:\documents and settings\Har~\My Documents\Downloads\ComboFix.exe
    Command switches used :: d:\documents and settings\Har~\My Documents\Downloads\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    d:\program files\FrostWire
    d:\program files\FrostWire\clink.jar
    d:\program files\FrostWire\commons-httpclient.jar
    d:\program files\FrostWire\commons-logging.jar
    d:\program files\FrostWire\commons-net.jar
    d:\program files\FrostWire\commons-pool.jar
    d:\program files\FrostWire\daap.jar
    d:\program files\FrostWire\EULA.txt
    d:\program files\FrostWire\FrostWire.exe
    d:\program files\FrostWire\FrostWire.ico
    d:\program files\FrostWire\FrostWire.jar
    d:\program files\FrostWire\GPL2.txt
    d:\program files\FrostWire\hashes
    d:\program files\FrostWire\i18n.jar
    d:\program files\FrostWire\icu4j.jar
    d:\program files\FrostWire\id3v2.jar
    d:\program files\FrostWire\irc.jar
    d:\program files\FrostWire\jcraft.jar
    d:\program files\FrostWire\jdic.dll
    d:\program files\FrostWire\jdic.jar
    d:\program files\FrostWire\jdic_stub.jar
    d:\program files\FrostWire\jl011.jar
    d:\program files\FrostWire\jmdns.jar
    d:\program files\FrostWire\jython.jar
    d:\program files\FrostWire\log.txt
    d:\program files\FrostWire\log4j.jar
    d:\program files\FrostWire\log4j.properties
    d:\program files\FrostWire\looks.jar
    d:\program files\FrostWire\MessagesBundle.properties
    d:\program files\FrostWire\MessagesBundles.jar
    d:\program files\FrostWire\mp3sp14.jar
    d:\program files\FrostWire\pmf.ico
    d:\program files\FrostWire\ProgressTabs.jar
    d:\program files\FrostWire\SystemUtilities.dll
    d:\program files\FrostWire\themes.jar
    d:\program files\FrostWire\tray.dll
    d:\program files\FrostWire\tritonus.jar
    d:\program files\FrostWire\Uninstall.exe
    d:\program files\FrostWire\update.ver
    d:\program files\FrostWire\vorbis.jar
    d:\program files\FrostWire\xml-apis.jar
    d:\program files\FrostWire\xml.war
    d:\program files\uTorrent
    d:\program files\uTorrent\uTorrent.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
    .

    2009-01-15 19:41 . 2009-01-15 19:41 <DIR> d-------- D:\VundoFix Backups
    2009-01-15 17:38 . 2009-01-15 17:38 <DIR> d-------- d:\program files\Trend Micro
    2009-01-10 15:42 . 2009-01-10 15:42 <DIR> d-------- d:\program files\Apple Software Update
    2009-01-10 15:42 . 2009-01-10 15:42 <DIR> d-------- d:\documents and settings\All Users\Application Data\Apple
    2009-01-06 15:02 . 2009-01-06 15:02 <DIR> d-------- d:\windows\system32\config\systemprofile\Application Data\AVGTOOLBAR
    2009-01-05 16:20 . 2009-01-19 12:25 <DIR> d-------- d:\program files\Spyware Doctor
    2009-01-05 16:20 . 2009-01-05 16:20 <DIR> d-------- d:\documents and settings\Har~\Application Data\PC Tools
    2009-01-05 16:20 . 2009-01-19 18:43 <DIR> d-a------ d:\documents and settings\All Users\Application Data\TEMP
    2009-01-05 16:20 . 2008-08-25 12:36 81,288 --a------ d:\windows\system32\drivers\iksyssec.sys
    2009-01-05 16:20 . 2008-08-25 12:36 66,952 --a------ d:\windows\system32\drivers\iksysflt.sys
    2009-01-05 16:20 . 2008-08-25 12:36 40,840 --a------ d:\windows\system32\drivers\ikfilesec.sys
    2009-01-05 16:20 . 2008-06-02 16:19 29,576 --a------ d:\windows\system32\drivers\kcom.sys
    2009-01-03 12:26 . 2009-01-05 18:26 323 --a------ d:\windows\wininit.ini

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-19 23:41 --------- d-----w d:\documents and settings\Har~\Application Data\mIRC
    2009-01-19 22:30 --------- d-----w d:\program files\mIRC
    2009-01-19 03:06 --------- d-----w d:\documents and settings\Har~\Application Data\uTorrent
    2009-01-03 18:15 --------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-01-03 16:41 --------- d-----w d:\program files\Spybot - Search & Destroy
    2008-12-13 01:52 --------- d-----w d:\program files\DivX
    2008-12-11 22:41 18,704 ----a-w d:\documents and settings\Har~\Application Data\GDIPFONTCACHEV1.DAT
    2008-12-11 10:57 333,952 ----a-w d:\windows\system32\drivers\srv.sys
    2008-12-09 01:09 410,984 ----a-w d:\windows\system32\deploytk.dll
    2008-12-09 01:09 --------- d-----w d:\program files\Java
    2008-12-08 00:23 --------- d--h--w d:\program files\InstallShield Installation Information
    2008-12-08 00:21 21,035 ----a-w d:\windows\system32\drivers\AegisP.sys
    2008-12-08 00:21 --------- d-----w d:\program files\TRENDnet
    2008-12-01 23:26 --------- d-----w d:\program files\Common Files\InstallShield
    2008-11-23 18:56 --------- d-----w d:\program files\CONEXANT
    2008-11-23 18:44 --------- d-----w d:\program files\Broadcom
    2008-11-21 21:46 200,704 ----a-w d:\windows\system32\ssldivx.dll
    2008-11-21 21:46 1,044,480 ----a-w d:\windows\system32\libdivx.dll
    2008-10-23 12:36 286,720 ----a-w d:\windows\system32\gdi32.dll
    2008-08-11 20:32 4 ----a-w d:\documents and settings\All Users\Application Data\E00D3599.DAT
    2008-02-09 02:12 22,328 ----a-w d:\documents and settings\Har~\Application Data\PnkBstrK.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2009-01-19_21.07.42.31 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-09-08 10:41:42 333,824 -c----w d:\windows\system32\dllcache\srv.sys
    + 2008-12-11 10:57:09 333,952 -c----w d:\windows\system32\dllcache\srv.sys
    + 2009-01-20 18:07:28 16,384 ----atw d:\windows\Temp\Perflib_Perfdata_710.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-05 68856]
    "DellAutomatedPCTuneUp"="d:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
    "Google Update"="d:\documents and settings\Har~\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
    "MsnMsgr"="d:\progra~1\WI1F86~1\MESSEN~1\msnmsgr.exe" [2007-10-18 5724184]
    "Uniblue RegistryBooster2"="d:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-06-13 1650720]
    "ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
    "NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
    "OSSelectorReinstall"="d:\program files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2007-02-22 2209224]
    "Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "AVG8_TRAY"="d:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
    "QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
    "SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-12-08 136600]
    "nwiz"="nwiz.exe" [2007-10-04 d:\windows\system32\nwiz.exe]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 d:\windows\stsystra.exe]

    d:\documents and settings\All Users\Start Menu\Programs\Startup\
    Wireless Configuration Utility.lnk - d:\program files\TRENDnet\TEW-424UB\WlanCU.exe [2007-07-10 634880]
    ZDWLan Utility.lnk - d:\program files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe [2007-12-15 495616]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ \0

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
    "d:\\Program Files\\Messenger\\msmsgs.exe"=
    "d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
    "d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
    "d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
    "d:\\Program Files\\mIRC\\mirc.exe"=
    "d:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "d:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "d:\\Program Files\\ImageJ\\jre\\bin\\javaw.exe"=
    "d:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "d:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "d:\nexon\Combat Arms\CombatArms.exe"= d:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
    "d:\nexon\Combat Arms\Engine.exe"= d:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
    "d:\\Nexon\\Combat Arms\\NMService.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "d:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "d:\\WINDOWS\\system32\\spoolsv.exe"=
    "d:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=
    "d:\\Program Files\\AVG\\AVG8\\avgrsx.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [2008-07-07 97928]
    R4 avg8wd;AVG Free8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-07 231704]
    R4 datunidr;DellAutomatedPCTuneUp UniDriver;d:\windows\system32\drivers\datunidr.sys [2007-08-23 5376]
    S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;d:\windows\system32\drivers\RTL8187B.sys [2008-12-07 264576]
    S3 sdAuxService;PC Tools Auxiliary Service;d:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-05 356920]
    S3 SjyPkt;SjyPkt;d:\windows\system32\drivers\SjyPkt.sys [2002-10-03 13532]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-15 d:\windows\Tasks\AppleSoftwareUpdate.job
    - d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

    2009-01-20 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-412668190-839522115-1003.job
    - d:\documents and settings\Har~\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 16:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: Download all with Free Download Manager - file://d:\program files\Free Download Manager\dlall.htm
    IE: Download selected with Free Download Manager - file://d:\program files\Free Download Manager\dlselected.htm
    IE: Download video with Free Download Manager - file://d:\program files\Free Download Manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://d:\program files\Free Download Manager\dllink.htm
    IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    FF - ProfilePath - d:\documents and settings\Har~\Application Data\Mozilla\Firefox\Profiles\ybw61fmw.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - component: d:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - component: d:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
    FF - component: d:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
    FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
    FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
    FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
    FF - plugin: d:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
    FF - plugin: d:\documents and settings\Har~\Application Data\Mozilla\Firefox\Profiles\ybw61fmw.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07075003.dll
    FF - plugin: d:\documents and settings\Har~\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
    FF - plugin: d:\program files\Download Manager\npfpdlm.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-20 15:10:40
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1214440339-412668190-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:b5,6d,5b,8d,6c,e8,67,bd,c0,a0,f7,b0,bd,ed,01,5c,f5,f7,76,4f,f5,51,a3,
    cb,9e,b3,72,03,7a,8b,b0,cc,25,d6,18,b8,f5,f0,5a,a1,9d,3c,80,2e,82,f0,8a,c2,\
    "??"=hex:04,ab,cd,94,64,76,eb,fc,29,73,51,f4,03,e3,4a,6e
    .
    Completion time: 2009-01-20 15:12:05
    ComboFix-quarantined-files.txt 2009-01-20 20:12:04
    ComboFix2.txt 2009-01-20 02:08:40

    Pre-Run: 28,122,243,072 bytes free
    Post-Run: 28,106,473,472 bytes free

    209 --- E O F --- 2009-01-20 17:40:42

    It went without problems.

  10. #10
    Junior Member
    Join Date
    Mar 2007
    Posts
    22

    Default

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:19:01 PM, on 1/20/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    D:\WINDOWS\eHome\ehRecvr.exe
    D:\WINDOWS\eHome\ehSched.exe
    D:\Program Files\Java\jre6\bin\jqs.exe
    D:\Program Files\CDBurnerXP\NMSAccessU.exe
    D:\WINDOWS\system32\nvsvc32.exe
    D:\WINDOWS\system32\PnkBstrA.exe
    D:\WINDOWS\system32\svchost.exe
    D:\PROGRA~1\AVG\AVG8\avgrsx.exe
    D:\WINDOWS\system32\dllhost.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\WINDOWS\stsystra.exe
    D:\PROGRA~1\AVG\AVG8\avgtray.exe
    D:\Program Files\Java\jre6\bin\jusched.exe
    D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    D:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
    D:\Documents and Settings\Har~\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
    D:\Documents and Settings\Har~\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    D:\Documents and Settings\Har~\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    D:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    D:\Documents and Settings\Har~\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    D:\Documents and Settings\Har~\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    D:\WINDOWS\system32\wuauclt.exe
    D:\WINDOWS\system32\notepad.exe
    D:\WINDOWS\explorer.exe
    D:\Program Files\Trend Micro\HijackThis\SpaceUnion.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - D:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Program Files\Free Download Manager\iefdm2.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - D:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [OSSelectorReinstall] D:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [DellAutomatedPCTuneUp] "D:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe" /startup
    O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Har~\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [MsnMsgr] "D:\PROGRA~1\WI1F86~1\MESSEN~1\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Uniblue RegistryBooster2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Wireless Configuration Utility.lnk = D:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
    O4 - Global Startup: ZDWLan Utility.lnk = D:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
    O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://D:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://D:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: DellAMBrokerService - Unknown owner - D:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NMSAccessU - Unknown owner - D:\Program Files\CDBurnerXP\NMSAccessU.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe

    --
    End of file - 8671 bytes

forgot the HJT log
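Before asking what each individual CLSID in a log like the one above is, an analyst usually triages the entry types first. The block below is an added example, not part of this thread and not HijackThis's own code: a small Python parser for the one-entry-per-line `Rxx`/`Oxx` format, with heuristic flags for the things checked first in a Virtumonde-style cleanup (a registered BHO, toolbar or button whose file is `(no file)`, `O23` services with `Unknown owner`, `O16` ActiveX downloads, and `O4` autoruns under the user profile). The sample lines are copied from the log above; the rule set, the flag wording and the function names are the example's own choices, and a flag means "look at this", not "malicious" (the `Unknown owner` rule, for instance, also hits the PunkBuster service).

```python
"""Triage helper for HijackThis-style logs.

Added example, not part of the original forum thread and not HijackThis code.
Parses the "O2 - BHO: name - {CLSID} - path" style lines shown in the log
above and attaches heuristic review flags. The rules are this example's own
choices: a flag is a prompt to verify the entry, not a malware verdict.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Entry lines start with a section tag (R0, R1, O2, O4, O16, O23 ...) and " - ".
LINE_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    section: str            # e.g. "O2", "O23"
    body: str               # everything after "O2 - "
    clsid: Optional[str]    # first CLSID on the line, if any
    target: str             # last " - " separated field, normally the file or URL
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an Rxx/Oxx line, None for headers and process paths."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    clsid = CLSID_RE.search(body)
    # HJT separates fields with " - "; the file path or URL is the last field.
    target = body.rsplit(" - ", 1)[-1].strip()
    return Entry(m.group("sec"), body, clsid.group(0) if clsid else None, target)


def triage(entry: Entry) -> Entry:
    """Attach heuristic review flags (rules chosen for this example)."""
    sec, body, target = entry.section, entry.body, entry.target
    # A BHO/toolbar/button still registered but whose DLL is gone: the usual
    # leftover after a partial removal. The CLSID key should be deleted too.
    if sec in ("O2", "O3", "O9") and target == "(no file)":
        entry.flags.append("orphaned CLSID, file missing")
    # Service binary with no vendor string: verify the file, do not assume.
    if sec == "O23" and "Unknown owner" in body:
        entry.flags.append("service with unknown owner, verify binary")
    # O16 DPF entries are ActiveX controls fetched from a URL at browse time.
    if sec == "O16":
        entry.flags.append("downloaded ActiveX control, verify source")
    # Autoruns living in the user profile instead of Program Files/Windows.
    # Legitimate updaters do this as well, hence a review flag only.
    if sec == "O4" and re.search(r"\\Documents and Settings\\.*\\Local Settings\\", body, re.I):
        entry.flags.append("autorun from user profile")
    return entry


def triage_log(text: str) -> List[Entry]:
    """Parse every line and return only the entries that picked up a flag."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and triage(entry).flags:
            flagged.append(entry)
    return flagged


# Constructed sample: a handful of lines copied verbatim from the HJT log above
# (the O16 URL is truncated with "..." in the forum's rendering of the log).
SAMPLE_LOG = r"""
D:\WINDOWS\system32\ctfmon.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Har~\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
"""

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.section:<4} {e.clsid or e.target}")
        for f in e.flags:
            print(f"     -> {f}")
```

Run it against a full log by passing the file contents to `triage_log`; the process list at the top of an HJT log is skipped by `parse_line`, so the whole file can be fed in unchanged.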
