PDA

View Full Version : Virtumonde ruined me


stuart
2007-08-31, 12:56
Hi, I am new to this forum and after reading a few threads I have tried fixing the issue. It seems to be ever present in the Kaspersky scan, however after afe mode restart and spybot scan. nothing has been found. I think its still here. Please help. Thanks

Heres the Kaspersky scan:


Friday, August 31, 2007 11:08:13 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 31/08/2007
Kaspersky Anti-Virus database records: 400536


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 185580
Number of viruses found 12
Number of infected objects 40
Number of suspicious objects 0
Duration of the scan process 02:03:36

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Stuart\Application Data\__c0086748.exe Infected: Trojan-Downloader.Win32.Small.eyx skipped

C:\Documents and Settings\Stuart\Application Data\__c00C6AEC.exe Infected: Trojan-Downloader.Win32.Small.eyx skipped

C:\Documents and Settings\Stuart\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Stuart\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Stuart\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Stuart\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Stuart\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Stuart\Local Settings\History\History.IE5\MSHist012007083120070901\index.dat Object is locked skipped

C:\Documents and Settings\Stuart\Local Settings\Temp\~DF3735.tmp Object is locked skipped

C:\Documents and Settings\Stuart\Local Settings\Temp\~DFD7C.tmp Object is locked skipped

C:\Documents and Settings\Stuart\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Stuart\Local Settings\Temporary Internet Files\Content.IE5\8B53D925\antzom[1].exe Infected: Trojan.Win32.Dialer.qn skipped

C:\Documents and Settings\Stuart\Local Settings\Temporary Internet Files\Content.IE5\8B53D925\xc42[1].exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped

C:\Documents and Settings\Stuart\Local Settings\Temporary Internet Files\Content.IE5\8B53D925\xc42[1].exe NSIS: infected - 1 skipped

C:\Documents and Settings\Stuart\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Stuart\ntuser.dat Object is locked skipped

C:\Documents and Settings\Stuart\ntuser.dat.LOG Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP126\A0027509.exe Object is locked skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP127\A0028522.exe Object is locked skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP127\A0028524.exe Infected: Trojan-Clicker.Win32.Costrat.be skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP127\A0028526.dll Object is locked skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP127\A0028528.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP127\A0028528.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.lk skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP127\A0028528.exe/data.rar/serial.exe Infected: Trojan.Win32.Dialer.qn skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP127\A0028528.exe/data.rar/install.exe Infected: Virus.Win32.Virut.i skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP127\A0028528.exe/data.rar Infected: Virus.Win32.Virut.i skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP127\A0028528.exe RarSFX: infected - 5 skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP132\A0033437.sys Infected: Trojan-Clicker.Win32.Costrat.be skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP142\A0042530.exe Object is locked skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP142\A0042535.dll Infected: Trojan.Win32.Dialer.qn skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP142\change.log Object is locked skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP95\A0022907.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.ld skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP95\A0022911.exe Infected: Trojan-Downloader.Win32.Small.eyx skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP95\A0022912.exe/data.rar/keygen.exe Infected: Trojan.Win32.Inject.cu skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP95\A0022912.exe/data.rar/crack.exe Infected: Trojan-Downloader.Win32.Small.eyx skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP95\A0022912.exe/data.rar/serial.exe Infected: Trojan.Win32.Dialer.qn skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP95\A0022912.exe/data.rar/install.exe Infected: Virus.Win32.Virut.i skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP95\A0022912.exe/data.rar Infected: Virus.Win32.Virut.i skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP95\A0022912.exe RarSFX: infected - 5 skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP95\A0022913.exe Object is locked skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP95\A0022916.exe Infected: Trojan.Win32.Dialer.qn skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP95\A0023902.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.ld skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP95\A0023903.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.ld skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP95\A0023904.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.ld skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP97\A0024089.dll Infected: not-a-virus:FraudTool.Win32.BraveSentry.b skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP97\A0024091.dll Infected: not-a-virus:FraudTool.Win32.BraveSentry.b skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP97\A0024093.exe Infected: Trojan.Win32.Agent.qt skipped

C:\System Volume Information\_restore{9AD51B9A-18ED-4476-AF99-D565CEC6CE2E}\RP97\A0024095.exe Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{1B844B7E-04B0-46CB-B65E-C77097207741}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drvlak.dll Infected: Trojan.Win32.Dialer.qn skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\ogvhbfee\ogvhbfee1.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped

C:\WINDOWS\system32\ogvhbfee\ogvhbfee2.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped

C:\WINDOWS\system32\ogvhbfee\ogvhbfee3.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\__c002CBBD.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.ld skipped

C:\WINDOWS\system32\__c00C6100.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.ld skipped

C:\WINDOWS\Temp\gos1FB9.tmp Infected: Trojan.Win32.Dialer.qn skipped

C:\WINDOWS\Temp\win1FA8.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped

C:\WINDOWS\Temp\win444.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped

C:\WINDOWS\Temp\win44B.tmp.exe Infected: Trojan.Win32.Agent.qt skipped

C:\WINDOWS\Temp\win50D.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
stuart
2007-08-31, 12:58
and here's the HJT scan. Any help is welcome. I appreciate you guys taking the time

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:27, on 31/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\TBLMOUSE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://runonce.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55EDB93B-6FCC-2A25-DA97-095A187E5D18} - C:\Program Files\Osqcunen\rmqebfap.dll (file missing)
O2 - BHO: (no name) - {57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4} - C:\WINDOWS\system32\wvutqop.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [tkrczyje] rundll32.exe "C:\Program Files\tkrczyje\jgruloto.dll",Init
O4 - HKLM\..\Run: [olcfytut] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\olcfytut.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.iqon.ie
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: winmbj32 - winmbj32.dll (file missing)
O20 - Winlogon Notify: wvutqop - wvutqop.dll (file missing)
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 9760 bytes
pskelley
2007-09-01, 01:40
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

If you ran any tools prior to posting and did not mention them, please do so in your next post.

You are still infected as evidenced by that Kaspersky scan. Do you have any idea what this is?
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe here's the Google:
http://www.google.com/search?hl=en&q=scprot4.exe&btnG=Google+Search
Google has no information for the Program either: SecCenter
If you don't know it please scan it with one or more of these free online scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/
post the results or me to view.

Let's see if combofix will locate and delete some of the junk Kaspersky is finding.

Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Thanks
pskelley
2007-09-08, 12:27
This topic is closed due to lack of a response.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks