Virtumonde Problem



unionbank
2007-07-21, 08:28
Hey

Hi guys, I'm Joey :) I'm new to the forums so please be nice :laugh:
So ummm lately I have been experiencing slowing down of my computer and the
internet due to Virtumonde. I have AVG Anti-Spyware, Ad-Aware, and Spybot S&D, but all of them have failed to remove the Virtumonde. I have also downloaded VundoFix. It removes it, but it seems to come back every time I scan. So if anyone can be nice enough to help me ;) please do so.

-Kind Regards

Here is the HJT log.


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\MONKEY~1\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\main-user1\Desktop\HiJackThis_v2.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: (no name) - {4229E30E-1E21-4783-A9DC-0A58DF0A20F0} - C:\WINDOWS\system32\pmkhf.dll (file missing)
O2 - BHO: (no name) - {4D4FBC01-6E71-490C-9587-C11C9070C675} - C:\WINDOWS\system32\vturs.dll (file missing)
O2 - BHO: (no name) - {5D88F843-83B3-49EF-8197-915D1BB0E6DA} - C:\WINDOWS\system32\pmnnn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: OTSI Class - {85CC6BFF-5A5C-4A76-8FC8-DB0787DF1597} - C:\PROGRA~1\MONKEY~1\OTS.dll
O2 - BHO: (no name) - {8660FC5F-D647-4D30-A922-79B880E9A050} - C:\WINDOWS\system32\jkkji.dll (file missing)
O2 - BHO: (no name) - {941508F8-CCD9-44E0-AC29-4F1E141373F7} - C:\WINDOWS\system32\ljjkiji.dll
O2 - BHO: (no name) - {9FE8871F-DB04-454D-80CE-A34242BD2CC0} - C:\WINDOWS\system32\ssqrp.dll (file missing)
O2 - BHO: (no name) - {B21457B2-54C4-4650-9392-5A0FE43F9252} - C:\WINDOWS\system32\mlljh.dll (file missing)
O2 - BHO: (no name) - {DA48C01A-D8F5-48AE-B778-2057E40F76C3} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: (no name) - {E0AACEAB-625A-4DDE-865F-16763445E314} - (no file)
O2 - BHO: (no name) - {EED50537-250B-468F-99B8-F5CF65EF1292} - C:\WINDOWS\system32\gebca.dll (file missing)
O2 - BHO: (no name) - {FE225059-027D-4F26-A7C7-9FD5F3A5C37D} - C:\WINDOWS\system32\awvvs.dll (file missing)
O3 - Toolbar: 몽키3 - {E74BC74F-F470-4AD7-9FB4-1A4170A06082} - C:\PROGRA~1\MONKEY~1\OTWiz.dll
O3 - Toolbar: (no name) - {A83C19E3-55A4-4a75-AC5B-5BA0CE86CDB2} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [pcdata] "C:\WINDOWS\system32\pcdata.exe" /shide
O4 - HKLM\..\Run: [WMSRC] C:\Program Files\Windows Media Player\siratic.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: MSN Shell 4 - {0713E8D2-850A-101B-AFC0-4210102A8DA7} - C:\Program Files\MSNShell\Bin\MSNShell.exe (file missing)
O9 - Extra 'Tools' menuitem: MSN Shell 4 - {0713E8D2-850A-101B-AFC0-4210102A8DA7} - C:\Program Files\MSNShell\Bin\MSNShell.exe (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: 몽키3 - {19103DAA-76E2-4fa0-B17A-8159B483F5A2} - "C:\PROGRA~1\MONKEY~1\OTdm2.exe" (file missing)
O9 - Extra 'Tools' menuitem: 몽키3 바로가기 - {19103DAA-76E2-4fa0-B17A-8159B483F5A2} - "C:\PROGRA~1\MONKEY~1\OTdm2.exe" (file missing)
O9 - Extra button: 현금리워드 - {26DFF40F-9082-4BDE-A703-D994E345C704} - "C:\PROGRA~1\MONKEY~1\OTdm.exe" (file missing)
O9 - Extra 'Tools' menuitem: 몽키3 현금돌려받기 적립금보기 - {26DFF40F-9082-4BDE-A703-D994E345C704} - "C:\PROGRA~1\MONKEY~1\OTdm.exe" (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {00001024-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter24 Class) - http://download.netmarble.com/web/nmstarter/NMStarter24.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30819AD6-5356-4D9F-BA96-E636938D8013} (TVWebCtrl Control) - http://www.teamvoice.co.kr/TVWebCtrl.CAB
O16 - DPF: {32ECCE1D-F91E-413F-AFF3-BA477CF0C9C6} (IMBCControl Control) - http://touch.imbc.com/ActiveX/iMBCOnlineService.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {65E8E2DC-186A-4AAC-9E56-FDC683055A9E} (CNetOnlineInstall Control) - http://www.download.com/html/dl/bug211623/CNetOnlineInstall.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {913BF18F-672D-4676-9855-F9A192A88886} (IMBCContents Control) - http://touch.imbc.com/ocx/Online.cab
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://download.netmarble.com/kdefence/kdfense8.cab
O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Neowiz Login Control) - http://dl.sayclub.com/sayclub/sayctl/sayax.cab
O16 - DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} (Daum ActiveX manager Class) - http://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,2,0
O16 - DPF: {BD6BB450-7C69-43B8-96F3-689CAE57AB51} (SBSWebPlayer Class) - http://netv.sbs.co.kr/object/player/SBSWebPlayer.cab
O16 - DPF: {C9F2C949-1D30-43BF-A712-2D21048EFE1B} (SBSWebStudio Class) - http://netv.sbs.co.kr/object/editor/SBSWebStudio.cab
O16 - DPF: {CEAF43B1-E8C1-426D-A63C-92C71212E6E5} (PlayerCue Control) - http://touch.imbc.com/ActiveX/iMBCOnlineService.cab
O16 - DPF: {CEEC548C-ACBB-4169-A1C1-7D74DEC86B07} (CJMUSet Class) - http://player.mnet.com/package/cjmuset.cab
O16 - DPF: {F2B10602-013E-43E0-96EC-1D6448F80E48} - http://www.dr-scan.net/program/drscan.cab
O16 - DPF: {F4A1D5E2-AF49-47A7-A945-23038106F3A4} (Pandora_SetUp Control) - http://imgcdn.pandora.tv/pan_img/launcher/codebase/Pandora_SetUpAX.cab
O20 - AppInit_DLLs: winver.dll
O20 - Winlogon Notify: ljjkiji - C:\WINDOWS\SYSTEM32\ljjkiji.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

--
End of file - 9387 bytes

--[This is the latest VundoFix scan log I did.]--


VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Scan started at 오후 2:43:00 2007-07-21

Listing files found while scanning....

C:\WINDOWS\system32\awvvs.dll
C:\WINDOWS\system32\svvwa.bak1
C:\WINDOWS\system32\svvwa.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awvvs.dll
C:\WINDOWS\system32\awvvs.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\svvwa.bak1
C:\WINDOWS\system32\svvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\svvwa.ini
C:\WINDOWS\system32\svvwa.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awvvs.dll
C:\WINDOWS\system32\awvvs.dll Has been deleted!

Performing Repairs to the registry.
Done!

unionbank
2007-07-21, 16:40
Can someone please help? It seems like it's getting worse every day; I need an expert right away.

-Thank you

steamwiz
2007-07-21, 23:48
HI

1. Please download VirtumundoBegone, and save it to your desktop.

http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

2. Double-click on VirtumundoBeGone.exe and follow the instructions.

Do not worry if you see a BLUE SCREEN "Fatal Error" Message, it is normal and expected.

3. When the process finishes, reboot.

4. Post the contents of the VBG.TXT file, which you will find on your desktop

THEN...

Please download Combofix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
and save to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.

Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Please remember to post :-

1. VBG.TXT file
2. C:\ComboFix.txt
3. A new hijackthis log ( run after the above programs)

steam

unionbank
2007-07-22, 06:22
HI

Thanks for your time and assistance :)

This is my ComboFix log:

C:\WINDOWS\system32\cvnmyvuq.dll
C:\WINDOWS\system32\tuvwwtq.dll
C:\WINDOWS\system32\cdlpbxwq.dll
C:\WINDOWS\system32\iacgeoar.dll
C:\WINDOWS\system32\pcgaqraj.dll
C:\WINDOWS\system32\xciyqcla.dll
C:\WINDOWS\system32\quvymnvc.ini
C:\WINDOWS\system32\egjlm.bak1
C:\WINDOWS\system32\egjlm.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\sysdm.exe
C:\WINDOWS\system32\xpdx.sys


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NDNET1
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\asc3550u
-------\xpdx


((((((((((((((((((((((((( Files Created from 2007-06-22 to 2007-07-22 )))))))))))))))))))))))))))))))


2007-07-22 13:07 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-22 12:47 6,529 ---hs---- C:\WINDOWS\system32\klkkj.bak1
2007-07-22 12:47 266,336 --a------ C:\WINDOWS\system32\jkklk.dll.vir
2007-07-21 23:36 66,112 --a------ C:\WINDOWS\system32\dlgxyonn.exe
2007-07-21 21:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-07-21 18:10 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-21 17:46 66,112 --a------ C:\WINDOWS\system32\nkkxiqic.exe
2007-07-21 09:28 66,112 --a------ C:\WINDOWS\system32\tqweimln.exe
2007-07-20 20:18 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-19 20:38 955,810 ---hs---- C:\WINDOWS\system32\fhkmp.bak2
2007-07-19 20:38 66,112 --a------ C:\WINDOWS\system32\mroxhbrx.exe
2007-07-19 19:16 6,365 ---hs---- C:\WINDOWS\system32\fhkmp.bak1
2007-07-19 16:16 <DIR> d-------- C:\DOCUME~1\MAIN-U~1\APPLIC~1\vlc
2007-07-18 21:27 66,112 --a------ C:\WINDOWS\system32\sijdimxd.exe
2007-07-18 08:54 <DIR> d-------- C:\Program Files\VideoLAN
2007-07-18 08:44 959,049 ---hs---- C:\WINDOWS\system32\ppqss.bak2
2007-07-18 08:44 66,112 --a------ C:\WINDOWS\system32\niqricwj.exe
2007-07-17 15:47 6,409 ---hs---- C:\WINDOWS\system32\ppqss.bak1
2007-07-17 08:10 66,112 --a------ C:\WINDOWS\system32\koakujsv.exe
2007-07-17 08:10 1,094,436 ---hs---- C:\WINDOWS\system32\ijkkj.bak2
2007-07-16 16:02 66,112 --a------ C:\WINDOWS\system32\yplynfvc.exe
2007-07-16 12:46 66,112 --a------ C:\WINDOWS\system32\emafdydn.exe
2007-07-15 22:27 <DIR> d-------- C:\WINDOWS\setup.pss
2007-07-15 12:57 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-07-14 13:13 29,056 --a------ C:\WINDOWS\system32\drivers\ip6fw.sys
2007-07-14 11:01 1,123,777 ---hs---- C:\WINDOWS\system32\srutv.bak2
2007-07-13 21:07 <DIR> d-------- C:\Program Files\Steam
2007-07-13 18:50 6,409 ---hs---- C:\WINDOWS\system32\srutv.bak1
2007-07-13 18:45 15,360 --a------ C:\WINDOWS\RtlExUpd.exe
2007-07-13 18:44 31,254 --a------ C:\WINDOWS\system32\ljjkiji.dll.vir
2007-07-11 13:00 71,308 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-07-10 17:31 8,126,464 --a------ C:\DOCUME~1\MAIN-U~1\ntuser.dat
2007-07-09 15:19 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-09 15:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-07 12:33 <DIR> d-------- C:\Program Files\mIRC
2007-06-24 15:07 <DIR> d-------- C:\Program Files\iexplore
2007-06-24 14:36 49,152 --a------ C:\WINDOWS\system32\icon.exe
2007-06-24 14:35 <DIR> d-------- C:\WINDOWS\VCP_TEMP
2007-06-23 00:43 <DIR> d-------- C:\DOCUME~1\MAIN-U~1\Parts
2007-06-22 21:00 <DIR> d-------- C:\WINDOWS\VCP_SAVE
2007-06-22 19:57 <DIR> d-------- C:\Program Files\IconTweaker
2007-06-22 19:57 <DIR> d-------- C:\DOCUME~1\MAIN-U~1\APPLIC~1\IconTweaker
2007-06-22 19:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\IconTweaker


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-22 03:06:28 -------- d-----w C:\Program Files\MonKeyBar
2007-07-20 10:25:29 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-20 09:27:10 -------- d-----w C:\DOCUME~1\MAIN-U~1\APPLIC~1\Xfire
2007-07-15 23:09:56 -------- d-----w C:\Program Files\MSN Messenger
2007-07-15 12:27:49 -------- d-----w C:\DOCUME~1\MAIN-U~1\APPLIC~1\DivX
2007-07-15 12:05:34 -------- d-----w C:\DOCUME~1\MAIN-U~1\APPLIC~1\Ventrilo
2007-07-13 08:51:03 -------- d-----w C:\DOCUME~1\MAIN-U~1\APPLIC~1\BitTorrent
2007-07-13 08:50:30 -------- d-----w C:\DOCUME~1\MAIN-U~1\APPLIC~1\Hamachi
2007-07-13 08:50:30 -------- d-----w C:\DOCUME~1\MAIN-U~1\APPLIC~1\ESTsoft
2007-07-11 08:22:47 -------- d-----w C:\Program Files\Warcraft III
2007-07-09 07:16:05 -------- d-----w C:\Program Files\Monkey3
2007-07-09 05:22:24 -------- d-----w C:\Program Files\iTunes
2007-07-09 05:22:03 -------- d-----w C:\Program Files\iPod
2007-06-08 12:47:23 -------- d-----w C:\Program Files\DivX
2007-06-08 01:32:14 -------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-06-01 10:47:11 -------- d-----w C:\Program Files\SystemRequirementsLab
2007-05-31 05:06:33 -------- d-----w C:\Program Files\QuickTime
2007-05-30 20:30:27 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-05-30 20:30:24 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-05-30 20:30:21 36,624 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-05-30 20:30:21 2,560 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-05-30 20:30:21 2,432 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-05-30 20:30:21 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-05-30 20:30:21 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-05-30 20:30:21 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-05-30 20:30:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-05-30 20:30:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-05-30 20:27:55 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-05-30 20:27:55 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-05-30 20:27:54 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-05-30 20:27:53 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-05-30 20:27:53 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-05-30 20:27:53 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-05-30 20:27:53 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-05-30 20:27:53 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-05-30 20:27:51 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-05-30 20:27:51 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-05-30 20:27:51 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-05-30 20:27:51 740,442 ----a-w C:\WINDOWS\system32\DivX.dll
2007-05-30 20:27:23 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-05-30 20:27:23 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-05 06:50:55 1,156 -c--a-w C:\WINDOWS\mozver.dat
2007-05-03 07:52:03 0 -c--a-w C:\WINDOWS\nsreg.dat
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-01-12 20:38 63128 --------- C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{111CAA23-6F4F-42AC-8555-B48C1D87BBAB}]
2006-01-09 15:01 86016 --a------ C:\WINDOWS\system32\gigagetbho_v10.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4229E30E-1E21-4783-A9DC-0A58DF0A20F0}]
C:\WINDOWS\system32\pmkhf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D4FBC01-6E71-490C-9587-C11C9070C675}]
C:\WINDOWS\system32\vturs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4DDBCBDC-930A-4CF2-BAE8-2FF5396186A6}]
C:\WINDOWS\system32\mljge.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D88F843-83B3-49EF-8197-915D1BB0E6DA}]
C:\WINDOWS\system32\pmnnn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-07-12 04:00 501136 --a------ C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85CC6BFF-5A5C-4A76-8FC8-DB0787DF1597}]
2006-09-15 15:21 75568 --a------ C:\PROGRA~1\MONKEY~1\OTS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8660FC5F-D647-4D30-A922-79B880E9A050}]
C:\WINDOWS\system32\jkkji.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9FE8871F-DB04-454D-80CE-A34242BD2CC0}]
C:\WINDOWS\system32\ssqrp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B0E12174-39BD-44BF-9AC6-63EB0685FC94}]
C:\WINDOWS\system32\ddccd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B21457B2-54C4-4650-9392-5A0FE43F9252}]
C:\WINDOWS\system32\mlljh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA48C01A-D8F5-48AE-B778-2057E40F76C3}]
C:\WINDOWS\system32\ssqpp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0AACEAB-625A-4DDE-865F-16763445E314}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EED50537-250B-468F-99B8-F5CF65EF1292}]
C:\WINDOWS\system32\gebca.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE225059-027D-4F26-A7C7-9FD5F3A5C37D}]
C:\WINDOWS\system32\awvvs.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 19:25]
"nwiz"="nwiz.exe" [2007-04-19 13:26 C:\WINDOWS\system32\nwiz.exe]
"WMSRC"="C:\Program Files\Windows Media Player\siratic.exe" []
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 22:00 C:\WINDOWS\system32\bthprops.cpl]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 17:49 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 20:43 C:\WINDOWS\Alcmtr.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iconcache"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00]
"Steam"="C:\Program Files\Steam\Steam.exe" [2007-07-13 21:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-07-20 20:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=winver.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AHNSD]
"C:\Program Files\Ahnlab\Smart Update Utility\AhnSD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dalgonaTVPlayer]
C:\Program Files\dalgonaTVPlayer\dalgonaTVPlayer.exe /WS

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
"C:\Program Files\Microsoft IntelliType Pro\itype.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSNShell]
C:\Program Files\MSNShell\BIN\MSNShell.exe autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\overtoolsupdate]
"C:\Program Files\MonKeyBar\write.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\screensave]
"C:\Program Files\MonKeyBar\scrsave.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ventrilo]
C:\WINDOWS\RtlExUpd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=3 (0x3)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"MonSvcNT"=2 (0x2)
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"BlueSoleil Hid Service"=2 (0x2)
"Ahnlab Task Scheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
Usnsvc usnsvc


Contents of the 'Scheduled Tasks' folder
2007-05-20 21:56:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2006-11-11 09:07:06 C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1155117331.job
2007-07-21 04:11:33 C:\WINDOWS\tasks\Pareto UNS.job
2007-06-25 13:40:05 C:\WINDOWS\tasks\WebReg 20070625234005.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-22 13:11:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-22 13:12:08 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-22 13:12

--- E O F ---


I'm afraid I cannot post the VBG file text because the number of characters exceeds the character limit. If it is possible, I will email it to you.

unionbank
2007-07-22, 06:24
HI

Thanks again for your help.

Here is my HJT log:


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\main-user1\Desktop\Desktop\Short cuts\HiJackThis_v2.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: (no name) - {4229E30E-1E21-4783-A9DC-0A58DF0A20F0} - C:\WINDOWS\system32\pmkhf.dll (file missing)
O2 - BHO: (no name) - {4D4FBC01-6E71-490C-9587-C11C9070C675} - C:\WINDOWS\system32\vturs.dll (file missing)
O2 - BHO: (no name) - {4DDBCBDC-930A-4CF2-BAE8-2FF5396186A6} - C:\WINDOWS\system32\mljge.dll (file missing)
O2 - BHO: (no name) - {5D88F843-83B3-49EF-8197-915D1BB0E6DA} - C:\WINDOWS\system32\pmnnn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: OTSI Class - {85CC6BFF-5A5C-4A76-8FC8-DB0787DF1597} - C:\PROGRA~1\MONKEY~1\OTS.dll
O2 - BHO: (no name) - {8660FC5F-D647-4D30-A922-79B880E9A050} - C:\WINDOWS\system32\jkkji.dll (file missing)
O2 - BHO: (no name) - {9FE8871F-DB04-454D-80CE-A34242BD2CC0} - C:\WINDOWS\system32\ssqrp.dll (file missing)
O2 - BHO: (no name) - {B0E12174-39BD-44BF-9AC6-63EB0685FC94} - C:\WINDOWS\system32\ddccd.dll (file missing)
O2 - BHO: (no name) - {B21457B2-54C4-4650-9392-5A0FE43F9252} - C:\WINDOWS\system32\mlljh.dll (file missing)
O2 - BHO: (no name) - {DA48C01A-D8F5-48AE-B778-2057E40F76C3} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: (no name) - {E0AACEAB-625A-4DDE-865F-16763445E314} - (no file)
O2 - BHO: (no name) - {EED50537-250B-468F-99B8-F5CF65EF1292} - C:\WINDOWS\system32\gebca.dll (file missing)
O2 - BHO: (no name) - {FE225059-027D-4F26-A7C7-9FD5F3A5C37D} - C:\WINDOWS\system32\awvvs.dll (file missing)
O3 - Toolbar: 몽키3 - {E74BC74F-F470-4AD7-9FB4-1A4170A06082} - C:\PROGRA~1\MONKEY~1\OTWiz.dll
O3 - Toolbar: (no name) - {A83C19E3-55A4-4a75-AC5B-5BA0CE86CDB2} - (no file)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WMSRC] C:\Program Files\Windows Media Player\siratic.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: MSN Shell 4 - {0713E8D2-850A-101B-AFC0-4210102A8DA7} - C:\Program Files\MSNShell\Bin\MSNShell.exe (file missing)
O9 - Extra 'Tools' menuitem: MSN Shell 4 - {0713E8D2-850A-101B-AFC0-4210102A8DA7} - C:\Program Files\MSNShell\Bin\MSNShell.exe (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: 몽키3 - {19103DAA-76E2-4fa0-B17A-8159B483F5A2} - "C:\PROGRA~1\MONKEY~1\OTdm2.exe" (file missing)
O9 - Extra 'Tools' menuitem: 몽키3 바로가기 - {19103DAA-76E2-4fa0-B17A-8159B483F5A2} - "C:\PROGRA~1\MONKEY~1\OTdm2.exe" (file missing)
O9 - Extra button: 현금리워드 - {26DFF40F-9082-4BDE-A703-D994E345C704} - "C:\PROGRA~1\MONKEY~1\OTdm.exe" (file missing)
O9 - Extra 'Tools' menuitem: 몽키3 현금돌려받기 적립금보기 - {26DFF40F-9082-4BDE-A703-D994E345C704} - "C:\PROGRA~1\MONKEY~1\OTdm.exe" (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {00001024-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter24 Class) - http://download.netmarble.com/web/nmstarter/NMStarter24.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30819AD6-5356-4D9F-BA96-E636938D8013} (TVWebCtrl Control) - http://www.teamvoice.co.kr/TVWebCtrl.CAB
O16 - DPF: {32ECCE1D-F91E-413F-AFF3-BA477CF0C9C6} (IMBCControl Control) - http://touch.imbc.com/ActiveX/iMBCOnlineService.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {65E8E2DC-186A-4AAC-9E56-FDC683055A9E} (CNetOnlineInstall Control) - http://www.download.com/html/dl/bug211623/CNetOnlineInstall.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {913BF18F-672D-4676-9855-F9A192A88886} (IMBCContents Control) - http://touch.imbc.com/ocx/Online.cab
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://download.netmarble.com/kdefence/kdfense8.cab
O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Neowiz Login Control) - http://dl.sayclub.com/sayclub/sayctl/sayax.cab
O16 - DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} (Daum ActiveX manager Class) - http://cafeimg.hanmail.net/cto/xman.cab?ver=1,2,2,0
O16 - DPF: {BD6BB450-7C69-43B8-96F3-689CAE57AB51} (SBSWebPlayer Class) - http://netv.sbs.co.kr/object/player/SBSWebPlayer.cab
O16 - DPF: {C9F2C949-1D30-43BF-A712-2D21048EFE1B} (SBSWebStudio Class) - http://netv.sbs.co.kr/object/editor/SBSWebStudio.cab
O16 - DPF: {CEAF43B1-E8C1-426D-A63C-92C71212E6E5} (PlayerCue Control) - http://touch.imbc.com/ActiveX/iMBCOnlineService.cab
O16 - DPF: {CEEC548C-ACBB-4169-A1C1-7D74DEC86B07} (CJMUSet Class) - http://player.mnet.com/package/cjmuset.cab
O16 - DPF: {F2B10602-013E-43E0-96EC-1D6448F80E48} - http://www.dr-scan.net/program/drscan.cab
O16 - DPF: {F4A1D5E2-AF49-47A7-A945-23038106F3A4} (Pandora_SetUp Control) - http://imgcdn.pandora.tv/pan_img/launcher/codebase/Pandora_SetUpAX.cab
O20 - AppInit_DLLs: winver.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

--
End of file - 9589 bytes

steamwiz
2007-07-22, 21:03
Hi

Please try and spread the VBG.TXT file over 2 threads ... if you can't, then you can send it to me here :-

cactus445AThotmail.com .. replace the AT with @

THEN...

Disconnect from the internet. Close ALL browser windows (including this one), run HijackThis and tick to fix (check the box next to) the list below... when all are ticked (checked), click the Fix Checked button at the bottom :-

O2 - BHO: (no name) - {4229E30E-1E21-4783-A9DC-0A58DF0A20F0} - C:\WINDOWS\system32\pmkhf.dll (file missing)
O2 - BHO: (no name) - {4D4FBC01-6E71-490C-9587-C11C9070C675} - C:\WINDOWS\system32\vturs.dll (file missing)
O2 - BHO: (no name) - {4DDBCBDC-930A-4CF2-BAE8-2FF5396186A6} - C:\WINDOWS\system32\mljge.dll (file missing)
O2 - BHO: (no name) - {5D88F843-83B3-49EF-8197-915D1BB0E6DA} - C:\WINDOWS\system32\pmnnn.dll (file missing)

O2 - BHO: OTSI Class - {85CC6BFF-5A5C-4A76-8FC8-DB0787DF1597} - C:\PROGRA~1\MONKEY~1\OTS.dll

O2 - BHO: (no name) - {8660FC5F-D647-4D30-A922-79B880E9A050} - C:\WINDOWS\system32\jkkji.dll (file missing)
O2 - BHO: (no name) - {9FE8871F-DB04-454D-80CE-A34242BD2CC0} - C:\WINDOWS\system32\ssqrp.dll (file missing)
O2 - BHO: (no name) - {B0E12174-39BD-44BF-9AC6-63EB0685FC94} - C:\WINDOWS\system32\ddccd.dll (file missing)
O2 - BHO: (no name) - {B21457B2-54C4-4650-9392-5A0FE43F9252} - C:\WINDOWS\system32\mlljh.dll (file missing)
O2 - BHO: (no name) - {DA48C01A-D8F5-48AE-B778-2057E40F76C3} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: (no name) - {E0AACEAB-625A-4DDE-865F-16763445E314} - (no file)
O2 - BHO: (no name) - {EED50537-250B-468F-99B8-F5CF65EF1292} - C:\WINDOWS\system32\gebca.dll (file missing)
O2 - BHO: (no name) - {FE225059-027D-4F26-A7C7-9FD5F3A5C37D} - C:\WINDOWS\system32\awvvs.dll (file missing)

O3 - Toolbar: 몽키3 - {E74BC74F-F470-4AD7-9FB4-1A4170A06082} - C:\PROGRA~1\MONKEY~1\OTWiz.dll
O3 - Toolbar: (no name) - {A83C19E3-55A4-4a75-AC5B-5BA0CE86CDB2} - (no file)

O4 - HKLM\..\Run: [WMSRC] C:\Program Files\Windows Media Player\siratic.exe

O9 - Extra button: 몽키3 - {19103DAA-76E2-4fa0-B17A-8159B483F5A2} - "C:\PROGRA~1\MONKEY~1\OTdm2.exe" (file missing)
O9 - Extra 'Tools' menuitem: 몽키3 바로가기 - {19103DAA-76E2-4fa0-B17A-8159B483F5A2} - "C:\PROGRA~1\MONKEY~1\OTdm2.exe" (file missing)
O9 - Extra button: 현금리워드 - {26DFF40F-9082-4BDE-A703-D994E345C704} - "C:\PROGRA~1\MONKEY~1\OTdm.exe" (file missing)
O9 - Extra 'Tools' menuitem: 몽키3 현금돌려받기 적립금보기 - {26DFF40F-9082-4BDE-A703-D994E345C704} - "C:\PROGRA~1\MONKEY~1\OTdm.exe" (file missing)

O16 - DPF: {C9F2C949-1D30-43BF-A712-2D21048EFE1B} (SBSWebStudio Class) - http://netv.sbs.co.kr/object/editor/SBSWebStudio.cab

O20 - AppInit_DLLs: winver.dll < remove - not known as an AppInit_DLLs


THEN...

Open Notepad and copy/paste the text in the code box below into it:
NOTE: make sure to highlight and copy only what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)


File::
C:\WINDOWS\system32\klkkj.bak1
C:\WINDOWS\system32\jkklk.dll.vir
C:\WINDOWS\system32\dlgxyonn.exe
C:\WINDOWS\system32\nkkxiqic.exe
C:\WINDOWS\system32\tqweimln.exe
C:\WINDOWS\system32\fhkmp.bak2
C:\WINDOWS\system32\mroxhbrx.exe
C:\WINDOWS\system32\fhkmp.bak1
C:\WINDOWS\system32\sijdimxd.exe
C:\WINDOWS\system32\ppqss.bak2
C:\WINDOWS\system32\niqricwj.exe
C:\WINDOWS\system32\ppqss.bak1
C:\WINDOWS\system32\koakujsv.exe
C:\WINDOWS\system32\ijkkj.bak2
C:\WINDOWS\system32\yplynfvc.exe
C:\WINDOWS\system32\emafdydn.exe
C:\WINDOWS\system32\srutv.bak2
C:\WINDOWS\system32\srutv.bak1
C:\WINDOWS\system32\ljjkiji.dll.vir



Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.


Please include the information in the header of the hijackthis log.

steam
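The entries steamwiz picked out above follow a pattern that can be checked mechanically: BHOs and toolbars whose registry entry survives but whose file is gone and which carry no name, DLLs with random five-letter names dropped in system32, and an AppInit_DLLs value (which is loaded into every process that loads user32.dll). The script below is an added example, not part of this thread and not HijackThis or ComboFix code; it parses the O2/O3/O4/O20 lines of an HJT log and reports those three kinds of finding. The sample input is excerpted from the log posted above. The five-letter-name check is a heuristic of this example, and reputation-based calls such as siratic.exe under the Windows Media Player folder need a lookup and are deliberately not attempted.

```python
"""Triage the O2/O3/O4/O20 lines of a HijackThis log (added example)."""
import re

# Excerpt of the log posted in this thread, used here as constructed test input.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: (no name) - {4229E30E-1E21-4783-A9DC-0A58DF0A20F0} - C:\WINDOWS\system32\pmkhf.dll (file missing)
O2 - BHO: (no name) - {4D4FBC01-6E71-490C-9587-C11C9070C675} - C:\WINDOWS\system32\vturs.dll (file missing)
O2 - BHO: (no name) - {4DDBCBDC-930A-4CF2-BAE8-2FF5396186A6} - C:\WINDOWS\system32\mljge.dll (file missing)
O2 - BHO: (no name) - {5D88F843-83B3-49EF-8197-915D1BB0E6DA} - C:\WINDOWS\system32\pmnnn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: OTSI Class - {85CC6BFF-5A5C-4A76-8FC8-DB0787DF1597} - C:\PROGRA~1\MONKEY~1\OTS.dll
O2 - BHO: (no name) - {8660FC5F-D647-4D30-A922-79B880E9A050} - C:\WINDOWS\system32\jkkji.dll (file missing)
O2 - BHO: (no name) - {9FE8871F-DB04-454D-80CE-A34242BD2CC0} - C:\WINDOWS\system32\ssqrp.dll (file missing)
O2 - BHO: (no name) - {B0E12174-39BD-44BF-9AC6-63EB0685FC94} - C:\WINDOWS\system32\ddccd.dll (file missing)
O2 - BHO: (no name) - {B21457B2-54C4-4650-9392-5A0FE43F9252} - C:\WINDOWS\system32\mlljh.dll (file missing)
O2 - BHO: (no name) - {DA48C01A-D8F5-48AE-B778-2057E40F76C3} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: (no name) - {E0AACEAB-625A-4DDE-865F-16763445E314} - (no file)
O2 - BHO: (no name) - {EED50537-250B-468F-99B8-F5CF65EF1292} - C:\WINDOWS\system32\gebca.dll (file missing)
O2 - BHO: (no name) - {FE225059-027D-4F26-A7C7-9FD5F3A5C37D} - C:\WINDOWS\system32\awvvs.dll (file missing)
O3 - Toolbar: 몽키3 - {E74BC74F-F470-4AD7-9FB4-1A4170A06082} - C:\PROGRA~1\MONKEY~1\OTWiz.dll
O3 - Toolbar: (no name) - {A83C19E3-55A4-4a75-AC5B-5BA0CE86CDB2} - (no file)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WMSRC] C:\Program Files\Windows Media Player\siratic.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: winver.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
"""

ENTRY_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(
    r"^(?P<kind>BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<value>.*)$")
# Heuristic of this example: Vundo-era droppers used five random lowercase
# letters for their DLL names, placed directly in system32.
RANDOM_DLL_RE = re.compile(r"\\system32\\[a-z]{5}\.dll\b", re.IGNORECASE)


def parse_entry(line):
    """Return a dict for an O2/O3/O4(Run)/O20 line, a generic dict for other
    O-sections, or None for lines that are not HJT entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    entry = {"section": section, "raw": line.strip()}
    if section in ("O2", "O3"):
        c = CLSID_RE.match(body)
        if not c:
            return None
        entry.update(name=c["name"], clsid=c["clsid"].upper(), target=c["target"])
    elif section == "O4":
        r = RUN_RE.match(body)
        if not r:  # e.g. "O4 - Startup:" lines are not handled here
            return None
        entry.update(name=r["name"], hive=r["hive"], target=r["cmd"])
    elif section == "O20":
        a = APPINIT_RE.match(body)
        if not a:
            return None
        entry.update(name="AppInit_DLLs", target=a["value"])
    else:
        entry.update(name=None, target=body)
    return entry


def triage(log_text):
    """Return (section, identifier, raw line, [reasons]) for each flagged entry."""
    findings = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        target = e["target"]
        reasons = []
        orphan = "(file missing)" in target or target.strip() == "(no file)"
        if e["section"] in ("O2", "O3") and e["name"] == "(no name)" and orphan:
            reasons.append("orphaned CLSID: registry entry with no name and no file")
        if RANDOM_DLL_RE.search(target):
            reasons.append("Vundo-style random five-letter DLL name in system32")
        if e["section"] == "O20" and target.strip():
            reasons.append("AppInit_DLLs set: loaded into every process that loads user32.dll")
        if reasons:
            findings.append((e["section"], e.get("clsid") or e["name"], e["raw"], reasons))
    return findings


if __name__ == "__main__":
    for section, ident, raw, reasons in triage(SAMPLE_LOG):
        print(f"[{section}] {ident}\n    {raw}\n    -> {'; '.join(reasons)}")
```

Run against the excerpt, the script flags the twelve orphaned BHOs, the nameless toolbar and the AppInit_DLLs line, and leaves the Adobe, Java and Gigaget helpers alone; the siratic.exe Run entry is parsed but not flagged, which is the gap a human reviewer closes with a file-reputation lookup.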

unionbank
2007-07-23, 08:50
Hi

Thanks for your assistance and the time you sacrificed to help me.

Seems like all signs of Virtumonde are gone :)

No more silly pop-ups and I'm relieved that Spybot S&D and VundoFix don't detect Virtumonde. I think ComboFix did the job ;)

Thanks again, hope you have a good one ;)

-Kind Regards

steamwiz
2007-07-23, 22:01
Hi

You're very welcome :)

You can post the logs I requested for checking if you want, if not, then ....

Happy surfing

steam