View Full Version : PLEASE HELP ASAP: virtumonde keeps coming back
knoxdigit
2007-10-03, 02:03
I have previously tried removing it with SS&D and Spyware doctor... please help, thanks
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, October 02, 2007 10:55:14 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 2/10/2007
Kaspersky Anti-Virus database records: 426249
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 211068
Number of viruses found: 2
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 04:02:59
Infected Object Name / Virus Name / Last Action
C:\check_LSA7.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\OneCare Protection\Support\MPLog-06192007-111858.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Protection Service\edb.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Protection Service\MPSSVCPolicyIdLog.etl Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/hggdeec.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vq skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Jon Viney\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jon Viney\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Jon Viney\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jon Viney\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jon Viney\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jon Viney\Local Settings\Temp\tbpwbad.log Object is locked skipped
C:\Documents and Settings\Jon Viney\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jon Viney\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jon Viney\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\My Downloads\Ash Grunwald\Ash Grunwald - Naked.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\My Downloads\Random\(New Release) fingered goons of doom 50.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Ent.dat Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\prov.xml Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\service.xml Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\service.xml.bak Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\user.xml Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\user.xml.bak Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\Database\edb.log Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\Database\tmp.edb Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\Database\WinSS_st.edb Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\onecaremp_log.bin Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\WinSSSvc_log.bin Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\ibdata1 Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\ib_logfile0 Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\ib_logfile1 Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\REEF.err Object is locked skipped
C:\System Volume Information\_restore{07C888CE-636F-47B9-BA61-169539C651AB}\RP534\A0132679.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vq skipped
C:\System Volume Information\_restore{07C888CE-636F-47B9-BA61-169539C651AB}\RP543\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{F678F2A2-7AF4-45C4-A120-98C2F6EB7C50}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\MSFWSVC.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\Windows_OneCare_Evt.evt Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\hsperfdata_SYSTEM\6124 Object is locked skipped
C:\WINDOWS\Temp\ib29 Object is locked skipped
C:\WINDOWS\Temp\ib30 Object is locked skipped
C:\WINDOWS\Temp\ib31 Object is locked skipped
C:\WINDOWS\Temp\ib34 Object is locked skipped
C:\WINDOWS\Temp\ib35 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
knoxdigit
2007-10-03, 02:05
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:18 AM, on 2/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGP.EXE
C:\WINDOWS\system32\cfpsys.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Telstra BigPond Home Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo RX530 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGP.EXE /P31 "EPSON Stylus Photo RX530 Series" /O6 "USB003" /M "Stylus Photo RX530"
O4 - HKLM\..\Run: [Warning: do not remove it! (system)] cfpsys.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\oeeciyjm.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/141p/html/gtdownlr.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8300.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1130294512171
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9757187-3C80-430A-81CB-5920DB8FEDBB}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{BECA0916-9CC8-40F5-B896-6163D70B7B35}: Domain = vic.bigpond.net.au
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ColdFusion 8 .NET Service - Unknown owner - C:\ColdFusion8\jnbridge\CF8DotNetsvc.exe
O23 - Service: ColdFusion 8 Application Server - Macromedia Inc. - C:\ColdFusion8\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion 8 ODBC Agent - Unknown owner - C:\ColdFusion8\db\slserver54\bin\swagent.exe
O23 - Service: ColdFusion 8 ODBC Server - Unknown owner - C:\ColdFusion8\db\slserver54\bin\swstrtr.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 ODBC Agent - Unknown owner - C:\CFusionMX7\db\slserver54\bin\swagent.exe
O23 - Service: ColdFusion MX 7 ODBC Server - Unknown owner - C:\CFusionMX7\db\slserver54\bin\swstrtr.exe
O23 - Service: ColdFusion MX 7 Search Server - Verity, Inc. - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
--
End of file - 10129 bytes
knoxdigit
2007-10-03, 02:06
--- Search result list ---
Microsoft.WindowsSecurityCenter.FirewallDisabled: [SBI $29AE0E3B] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall
Microsoft.WindowsSecurityCenter.FirewallDisabled: [SBI $99843A42] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall
Virtumonde: [SBI $42352499] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1180542748-3423215851-1689598375-1005\Software\Microsoft\rdfa
Virtumonde: [SBI $47E741CD] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws
Virtumonde: [SBI $7342F9D9] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1180542748-3423215851-1689598375-1005\Software\Microsoft\aldd
Virtumonde.rtk: [SBI $4CDCC3D5] Tracking cookie (Internet Explorer: Jon Viney) (Cookie, nothing done)
--- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---
2007-08-31 blindman.exe (1.0.0.6)
2007-08-31 SDMain.exe (1.0.0.4)
2007-08-31 SDUpdate.exe (1.0.6.4)
2007-08-31 SDWinSec.exe (1.0.0.8)
2007-08-31 SpybotSD.exe (1.5.1.15)
2007-08-31 TeaTimer.exe (1.5.0.9)
2007-09-28 unins000.exe (51.46.0.0)
2007-08-31 Update.exe (1.4.0.5)
2007-08-31 advcheck.dll (1.5.3.0)
2007-04-02 aports.dll (2.1.0.0)
2007-04-02 DelZip179.dll (1.79.5.3)
2007-08-31 SDHelper.dll (1.5.0.8)
2007-08-31 Tools.dll (2.1.2.0)
2007-09-26 Includes\Cookies.sbi (*)
2007-07-25 Includes\Dialer.sbi (*)
2007-09-26 Includes\DialerC.sbi (*)
2007-08-29 Includes\Hijackers.sbi (*)
2007-09-26 Includes\HijackersC.sbi (*)
2007-07-25 Includes\Keyloggers.sbi (*)
2007-09-26 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-09-12 Includes\Malware.sbi (*)
2007-09-26 Includes\MalwareC.sbi (*)
2007-09-05 Includes\PUPS.sbi (*)
2007-09-26 Includes\PUPSC.sbi (*)
2007-09-26 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-09-26 Includes\SecurityC.sbi (*)
2007-09-12 Includes\Spybots.sbi (*)
2007-09-26 Includes\SpybotsC.sbi (*)
2007-08-21 Includes\Tracks.uti
2007-09-12 Includes\Trojans.sbi (*)
2007-09-26 Includes\TrojansC.sbi (*)
2008-12-24 Plugins\TCPIPAddress.dll
Hello knoxdigit and welcome to the Forums :)
You're infected.
Please rename HijackThis.exe to skanneri.exe
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
knoxdigit
2007-10-06, 07:42
Here are the two reports as per your instructions. Also I think my cpu might have additional infections since I first posted if that matters...
VundoFix V6.5.9
Checking Java version...
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.
Scan started at 3:13:55 PM 6/10/2007
Listing files found while scanning....
C:\windows\system32\boeherhp.dll
C:\WINDOWS\system32\budlxgxb.dll
C:\WINDOWS\system32\bxgxldub.ini
C:\windows\system32\diqxwrgs.dll
C:\windows\system32\fovcwgmb.dll
C:\windows\system32\mbomjjot.dll
C:\windows\system32\nmlgdarp.dll
C:\windows\system32\oqstv.bak1
C:\windows\system32\oqstv.bak2
C:\windows\system32\oqstv.ini
C:\windows\system32\oqstv.ini2
C:\windows\system32\oqstv.tmp
C:\windows\system32\rhyipgxy.dll
C:\windows\system32\rulywffx.dll
C:\windows\system32\vtsqo.dll
Beginning removal...
Attempting to delete C:\windows\system32\boeherhp.dll
C:\windows\system32\boeherhp.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\budlxgxb.dll
C:\WINDOWS\system32\budlxgxb.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\bxgxldub.ini
C:\WINDOWS\system32\bxgxldub.ini Has been deleted!
Attempting to delete C:\windows\system32\diqxwrgs.dll
C:\windows\system32\diqxwrgs.dll Has been deleted!
Attempting to delete C:\windows\system32\fovcwgmb.dll
C:\windows\system32\fovcwgmb.dll Has been deleted!
Attempting to delete C:\windows\system32\mbomjjot.dll
C:\windows\system32\mbomjjot.dll Has been deleted!
Attempting to delete C:\windows\system32\nmlgdarp.dll
C:\windows\system32\nmlgdarp.dll Has been deleted!
Attempting to delete C:\windows\system32\oqstv.bak1
C:\windows\system32\oqstv.bak1 Has been deleted!
Attempting to delete C:\windows\system32\oqstv.bak2
C:\windows\system32\oqstv.bak2 Has been deleted!
Attempting to delete C:\windows\system32\oqstv.ini
C:\windows\system32\oqstv.ini Has been deleted!
Attempting to delete C:\windows\system32\oqstv.ini2
C:\windows\system32\oqstv.ini2 Has been deleted!
Attempting to delete C:\windows\system32\oqstv.tmp
C:\windows\system32\oqstv.tmp Has been deleted!
Attempting to delete C:\windows\system32\rhyipgxy.dll
C:\windows\system32\rhyipgxy.dll Has been deleted!
Attempting to delete C:\windows\system32\rulywffx.dll
C:\windows\system32\rulywffx.dll Has been deleted!
Attempting to delete C:\windows\system32\vtsqo.dll
C:\windows\system32\vtsqo.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\budlxgxb.dll
C:\WINDOWS\system32\budlxgxb.dll Has been deleted!
Attempting to delete C:\windows\system32\oqstv.ini
C:\windows\system32\oqstv.ini Has been deleted!
Attempting to delete C:\windows\system32\oqstv.ini2
C:\windows\system32\oqstv.ini2 Has been deleted!
Attempting to delete C:\windows\system32\vtsqo.dll
C:\windows\system32\vtsqo.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:35:33 PM, on 6/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGP.EXE
C:\WINDOWS\system32\cfpsys.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\skanneri.exe.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Telstra BigPond Home Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A0C4D21-F696-45F2-8966-3E1F5172DB7B} - C:\WINDOWS\system32\vtsqo.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: BigPond Wireless Broadband 2.0 Auto Dial - {DB92EC3F-697D-4C3B-9A3B-3ABBD23D4A85} - C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\bpwbb2ad.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo RX530 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGP.EXE /P31 "EPSON Stylus Photo RX530 Series" /O6 "USB003" /M "Stylus Photo RX530"
O4 - HKLM\..\Run: [Warning: do not remove it! (system)] cfpsys.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/141p/html/gtdownlr.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130294512171
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9757187-3C80-430A-81CB-5920DB8FEDBB}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{BECA0916-9CC8-40F5-B896-6163D70B7B35}: Domain = vic.bigpond.net.au
O20 - Winlogon Notify: hggdeec - hggdeec.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ColdFusion 8 .NET Service - Unknown owner - C:\ColdFusion8\jnbridge\CF8DotNetsvc.exe
O23 - Service: ColdFusion 8 Application Server - Macromedia Inc. - C:\ColdFusion8\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion 8 ODBC Agent - Unknown owner - C:\ColdFusion8\db\slserver54\bin\swagent.exe
O23 - Service: ColdFusion 8 ODBC Server - Unknown owner - C:\ColdFusion8\db\slserver54\bin\swstrtr.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 ODBC Agent - Unknown owner - C:\CFusionMX7\db\slserver54\bin\swagent.exe
O23 - Service: ColdFusion MX 7 ODBC Server - Unknown owner - C:\CFusionMX7\db\slserver54\bin\swstrtr.exe
O23 - Service: ColdFusion MX 7 Search Server - Verity, Inc. - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
--
End of file - 11797 bytes
Hi :)
Ok...the story continues..
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
knoxdigit
2007-10-08, 12:39
Here is the combofix report. thanks
ComboFix 07-10-07.2 - Jon Viney 08/10/2007 19:36:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.428 [GMT 10:00]
Running from: C:\Documents and Settings\Jon Viney\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\check_LSA7.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aajbrfip.ini
C:\WINDOWS\system32\acopjrru.dll
C:\WINDOWS\system32\aebtnisy.ini
C:\WINDOWS\system32\aetxcync.dll
C:\WINDOWS\system32\ajwuwmlb.ini
C:\WINDOWS\system32\akawarna.dll
C:\WINDOWS\system32\anrawaka.ini
C:\WINDOWS\system32\aqqlhaxd.dll
C:\WINDOWS\system32\atthqvnq.dll
C:\WINDOWS\system32\axyihogp.dll
C:\WINDOWS\system32\ayfdkqjc.dll
C:\WINDOWS\system32\bbkxhaqc.dll
C:\WINDOWS\system32\bblsbpap.dll
C:\WINDOWS\system32\bertbsqs.ini
C:\WINDOWS\system32\blmwuwja.dll
C:\WINDOWS\system32\bnaskqbx.ini
C:\WINDOWS\system32\bwljbtjm.dll
C:\WINDOWS\system32\bwvyywlj.ini
C:\WINDOWS\system32\cabmvnnh.dll
C:\WINDOWS\system32\cbggtukf.ini
C:\WINDOWS\system32\cbkijdeg.ini
C:\WINDOWS\system32\cjqkdfya.ini
C:\WINDOWS\system32\cnhclykv.ini
C:\WINDOWS\system32\cnycxtea.ini
C:\WINDOWS\system32\cpuhqbbd.ini
C:\WINDOWS\system32\cqahxkbb.ini
C:\WINDOWS\system32\cqnchtoi.ini
C:\WINDOWS\system32\csdknevn.dll
C:\WINDOWS\system32\cwidccwi.ini
C:\WINDOWS\system32\cxuoxoql.ini
C:\WINDOWS\system32\cydshtoq.dll
C:\WINDOWS\system32\dbbqhupc.dll
C:\WINDOWS\system32\dcjlalyu.ini
C:\WINDOWS\system32\debcmwvk.ini
C:\WINDOWS\system32\dpruxhcm.dll
C:\WINDOWS\system32\drbymcep.ini
C:\WINDOWS\system32\dupojmvm.ini
C:\WINDOWS\system32\dxahlqqa.ini
C:\WINDOWS\system32\eaexxxik.dll
C:\WINDOWS\system32\eahsowoe.ini
C:\WINDOWS\system32\ebpdfbfw.dll
C:\WINDOWS\system32\ecgkayxy.ini
C:\WINDOWS\system32\ecmuadwk.ini
C:\WINDOWS\system32\edggnppq.ini
C:\WINDOWS\system32\edumsxpu.dll
C:\WINDOWS\system32\efcerfnt.ini
C:\WINDOWS\system32\eiqprvrk.ini
C:\WINDOWS\system32\eowoshae.dll
C:\WINDOWS\system32\eqwkfjvw.ini
C:\WINDOWS\system32\eqysqlnl.dll
C:\WINDOWS\system32\esxgstcf.dll
C:\WINDOWS\system32\esxkngsk.ini
C:\WINDOWS\system32\excborui.dll
C:\WINDOWS\system32\exmgcvor.ini
C:\WINDOWS\system32\exuepkqq.ini
C:\WINDOWS\system32\fcitcwws.ini
C:\WINDOWS\system32\fctsgxse.ini
C:\WINDOWS\system32\fgvnnbsg.dll
C:\WINDOWS\system32\fhlhpsiv.ini
C:\WINDOWS\system32\fiqjcqkt.ini
C:\WINDOWS\system32\fkutggbc.dll
C:\WINDOWS\system32\frhhdnww.ini
C:\WINDOWS\system32\fsokqfbq.ini
C:\WINDOWS\system32\fwgsyiil.dll
C:\WINDOWS\system32\gbfwlgeg.ini
C:\WINDOWS\system32\gedjikbc.dll
C:\WINDOWS\system32\geglwfbg.dll
C:\WINDOWS\system32\gfcpkjdt.ini
C:\WINDOWS\system32\gsbnnvgf.ini
C:\WINDOWS\system32\guouqgco.ini
C:\WINDOWS\system32\gvvrxhsl.dll
C:\WINDOWS\system32\gxeguweq.dll
C:\WINDOWS\system32\gxwmyqmo.ini
C:\WINDOWS\system32\gyuusqkp.dll
C:\WINDOWS\system32\hggttjgk.dll
C:\WINDOWS\system32\hgvqqfww.dll
C:\WINDOWS\system32\hnnvmbac.ini
C:\WINDOWS\system32\hnuwygcl.ini
C:\WINDOWS\system32\hnyvsgax.ini
C:\WINDOWS\system32\hpcwwgiw.dll
C:\WINDOWS\system32\hrkixfyv.dll
C:\WINDOWS\system32\hvgfadwu.dll
C:\WINDOWS\system32\icbpywcj.ini
C:\WINDOWS\system32\igmpckpj.ini
C:\WINDOWS\system32\ihlvwbxl.ini
C:\WINDOWS\system32\intuiswp.dll
C:\WINDOWS\system32\iothcnqc.dll
C:\WINDOWS\system32\ipkvpccq.dll
C:\WINDOWS\system32\ipnegnay.ini
C:\WINDOWS\system32\iurobcxe.ini
C:\WINDOWS\system32\iwccdiwc.dll
C:\WINDOWS\system32\jcwypbci.dll
C:\WINDOWS\system32\jiioqgcy.ini
C:\WINDOWS\system32\jixiemuo.dll
C:\WINDOWS\system32\jlwyyvwb.dll
C:\WINDOWS\system32\jnotpntv.ini
C:\WINDOWS\system32\jpkcpmgi.dll
C:\WINDOWS\system32\kdpmjtrk.dll
C:\WINDOWS\system32\kfsdsdix.ini
C:\WINDOWS\system32\kgjttggh.ini
C:\WINDOWS\system32\kixxxeae.ini
C:\WINDOWS\system32\klivefkm.ini
C:\WINDOWS\system32\knhhsvqm.dll
C:\WINDOWS\system32\krtjmpdk.ini
C:\WINDOWS\system32\krvrpqie.dll
C:\WINDOWS\system32\ksgnkxse.dll
C:\WINDOWS\system32\kvwmcbed.dll
C:\WINDOWS\system32\kwdaumce.dll
C:\WINDOWS\system32\lcgywunh.dll
C:\WINDOWS\system32\lfmyfriy.dll
C:\WINDOWS\system32\liiysgwf.ini
C:\WINDOWS\system32\ljtairkl.ini
C:\WINDOWS\system32\lkriatjl.dll
C:\WINDOWS\system32\lnlqsyqe.ini
C:\WINDOWS\system32\lqoachey.dll
C:\WINDOWS\system32\lqoxouxc.dll
C:\WINDOWS\system32\lshxrvvg.ini
C:\WINDOWS\system32\ltkadujv.ini
C:\WINDOWS\system32\lxbwvlhi.dll
C:\WINDOWS\system32\lxpnttvv.dll
C:\WINDOWS\system32\mchxurpd.ini
C:\WINDOWS\system32\mijqmqbw.dll
C:\WINDOWS\system32\mjtbjlwb.ini
C:\WINDOWS\system32\mjvnfclo.dll
C:\WINDOWS\system32\mkfevilk.dll
C:\WINDOWS\system32\mmthwcpu.ini
C:\WINDOWS\system32\mpdejivq.ini
C:\WINDOWS\system32\mqvshhnk.ini
C:\WINDOWS\system32\mryleugq.dll
C:\WINDOWS\system32\msikqqmt.dll
C:\WINDOWS\system32\mvmjopud.dll
C:\WINDOWS\system32\neoxxckv.dll
C:\WINDOWS\system32\nevmlhau.dll
C:\WINDOWS\system32\ntwsuxux.ini
C:\WINDOWS\system32\nvenkdsc.ini
C:\WINDOWS\system32\ocgquoug.dll
C:\WINDOWS\system32\oethqxlt.dll
C:\WINDOWS\system32\oirixqks.dll
C:\WINDOWS\system32\olcfnvjm.ini
C:\WINDOWS\system32\omqymwxg.dll
C:\WINDOWS\system32\opfsuwnp.ini
C:\WINDOWS\system32\oqstv.bak2
C:\WINDOWS\system32\oqstv.ini
C:\WINDOWS\system32\oqstv.tmp
C:\WINDOWS\system32\oumeixij.ini
C:\WINDOWS\system32\oyhrnfft.ini
C:\WINDOWS\system32\oymxypmu.dll
C:\WINDOWS\system32\papbslbb.ini
C:\WINDOWS\system32\pbmjtdwt.ini
C:\WINDOWS\system32\pecmybrd.dll
C:\WINDOWS\system32\peojyvpt.ini
C:\WINDOWS\system32\pgohiyxa.ini
C:\WINDOWS\system32\pifrbjaa.dll
C:\WINDOWS\system32\pjkgfevx.dll
C:\WINDOWS\system32\pkqsuuyg.ini
C:\WINDOWS\system32\pnwusfpo.dll
C:\WINDOWS\system32\pooehlrw.dll
C:\WINDOWS\system32\ppeyrcrs.ini
C:\WINDOWS\system32\pwsiutni.ini
C:\WINDOWS\system32\qbfqkosf.dll
C:\WINDOWS\system32\qccpvkpi.ini
C:\WINDOWS\system32\qewugexg.ini
C:\WINDOWS\system32\qguelyrm.ini
C:\WINDOWS\system32\qhpeantq.dll
C:\WINDOWS\system32\qlkmyxbt.dll
C:\WINDOWS\system32\qnvqhtta.ini
C:\WINDOWS\system32\qothsdyc.ini
C:\WINDOWS\system32\qppnggde.dll
C:\WINDOWS\system32\qqdhbofx.ini
C:\WINDOWS\system32\qqkpeuxe.dll
C:\WINDOWS\system32\qqvmxoey.ini
C:\WINDOWS\system32\qtnaephq.ini
C:\WINDOWS\system32\qtqawdpx.dll
C:\WINDOWS\system32\qvijedpm.dll
C:\WINDOWS\system32\rjdhnwiy.dll
C:\WINDOWS\system32\rovcgmxe.dll
C:\WINDOWS\system32\sjumnmgw.dll
C:\WINDOWS\system32\skqxirio.ini
C:\WINDOWS\system32\sogdgrct.ini
C:\WINDOWS\system32\sqsbtreb.dll
C:\WINDOWS\system32\srcryepp.dll
C:\WINDOWS\system32\svpejajv.dll
C:\WINDOWS\system32\swwcticf.dll
C:\WINDOWS\system32\syeexsdv.ini
C:\WINDOWS\system32\tbxymklq.ini
C:\WINDOWS\system32\tcrgdgos.dll
C:\WINDOWS\system32\tdjkpcfg.dll
C:\WINDOWS\system32\tffnrhyo.dll
C:\WINDOWS\system32\tfnmkskw.dll
C:\WINDOWS\system32\thndxqnu.dll
C:\WINDOWS\system32\thrpivwy.dll
C:\WINDOWS\system32\tkgflwsy.dll
C:\WINDOWS\system32\tkqcjqif.dll
C:\WINDOWS\system32\tlxqhteo.ini
C:\WINDOWS\system32\tmqqkism.ini
C:\WINDOWS\system32\tnfrecfe.dll
C:\WINDOWS\system32\tpvyjoep.dll
C:\WINDOWS\system32\twdtjmbp.dll
C:\WINDOWS\system32\tywmhrvw.dll
C:\WINDOWS\system32\uahlmven.ini
C:\WINDOWS\system32\ubjjffty.dll
C:\WINDOWS\system32\umpyxmyo.ini
C:\WINDOWS\system32\unqxdnht.ini
C:\WINDOWS\system32\upcwhtmm.dll
C:\WINDOWS\system32\upxsmude.ini
C:\WINDOWS\system32\uqwywxpx.ini
C:\WINDOWS\system32\urrjpoca.ini
C:\WINDOWS\system32\utqbxsyx.ini
C:\WINDOWS\system32\uwdafgvh.ini
C:\WINDOWS\system32\uxmhfiev.ini
C:\WINDOWS\system32\uylaljcd.dll
C:\WINDOWS\system32\vdofvxlv.ini
C:\WINDOWS\system32\vdsxeeys.dll
C:\WINDOWS\system32\veifhmxu.dll
C:\WINDOWS\system32\visphlhf.dll
C:\WINDOWS\system32\vjajepvs.ini
C:\WINDOWS\system32\vjudaktl.dll
C:\WINDOWS\system32\vkcxxoen.ini
C:\WINDOWS\system32\vkylchnc.dll
C:\WINDOWS\system32\vlxvfodv.dll
C:\WINDOWS\system32\vnoswqvw.ini
C:\WINDOWS\system32\vtnptonj.dll
C:\WINDOWS\system32\vtsqo.dll
C:\WINDOWS\system32\vvttnpxl.ini
C:\WINDOWS\system32\vyfxikrh.ini
C:\WINDOWS\system32\wbqmqjim.ini
C:\WINDOWS\system32\wehomdnx.dll
C:\WINDOWS\system32\wfbfdpbe.ini
C:\WINDOWS\system32\wgmnmujs.ini
C:\WINDOWS\system32\wigwwcph.ini
C:\WINDOWS\system32\wjlhmbso.dll
C:\WINDOWS\system32\wkskmnft.ini
C:\WINDOWS\system32\wrlheoop.ini
C:\WINDOWS\system32\wvjfkwqe.dll
C:\WINDOWS\system32\wvqwsonv.dll
C:\WINDOWS\system32\wvrhmwyt.ini
C:\WINDOWS\system32\wwfqqvgh.ini
C:\WINDOWS\system32\wwndhhrf.dll
C:\WINDOWS\system32\xagsvynh.dll
C:\WINDOWS\system32\xbqksanb.dll
C:\WINDOWS\system32\xfobhdqq.dll
C:\WINDOWS\system32\xhkwkfvy.dll
C:\WINDOWS\system32\xidsdsfk.dll
C:\WINDOWS\system32\xndmohew.ini
C:\WINDOWS\system32\xpdwaqtq.ini
C:\WINDOWS\system32\xpxwywqu.dll
C:\WINDOWS\system32\xuxuswtn.dll
C:\WINDOWS\system32\xvefgkjp.ini
C:\WINDOWS\system32\xvetuddy.ini
C:\WINDOWS\system32\xysxbqtu.dll
C:\WINDOWS\system32\yangenpi.dll
C:\WINDOWS\system32\ycgqoiij.dll
C:\WINDOWS\system32\yddutevx.dll
C:\WINDOWS\system32\yehcaoql.ini
C:\WINDOWS\system32\yeoxmvqq.dll
C:\WINDOWS\system32\yirfymfl.ini
C:\WINDOWS\system32\yiwnhdjr.ini
C:\WINDOWS\system32\ysintbea.dll
C:\WINDOWS\system32\yswlfgkt.ini
C:\WINDOWS\system32\ytffjjbu.ini
C:\WINDOWS\system32\yvfkwkhx.ini
C:\WINDOWS\system32\ywviprht.ini
C:\WINDOWS\system32\yxyakgce.dll
knoxdigit
2007-10-08, 12:40
.
((((((((((((((((((((((((( Files Created from 2007-09-08 to 2007-10-08 )))))))))))))))))))))))))))))))
.
2007-10-08 19:32 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-06 15:13 <DIR> d-------- C:\VundoFix Backups
2007-10-03 12:44 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-02 11:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-02 11:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-02 10:40 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-01 20:03 <DIR> d-------- C:\THE_NUMBER_23
2007-09-28 13:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-28 13:13 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-28 13:12 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-09-28 13:12 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-09-28 13:12 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-09-28 13:12 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-09-28 13:12 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-09-28 13:12 <DIR> d-------- C:\Documents and Settings\Jon Viney\Application Data\PC Tools
2007-09-28 13:11 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-09-28 12:58 <DIR> d-------- C:\Documents and Settings\Jon Viney\Application Data\GetRightToGo
2007-09-25 17:07 <DIR> d-------- C:\Documents and Settings\Jon Viney\workspace
2007-09-25 14:50 <DIR> d-------- C:\Eclipse
2007-09-25 13:34 22 --ah----- C:\qpmd8379.bin
2007-09-25 13:33 36,864 --a------ C:\WINDOWS\system32\cfperfmon_8.dll
2007-09-25 13:28 <DIR> d-------- C:\ColdFusion8
2007-09-25 13:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-09-25 12:58 <DIR> d-------- C:\Program Files\Bonjour
2007-09-25 12:47 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-09-24 18:06 75,500 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-09-10 18:39 <DIR> d-------- C:\Program Files\BearFlix
2007-09-10 18:28 <DIR> d-------- C:\Documents and Settings\Jon Viney\Application Data\BearShare
2007-09-10 17:52 <DIR> d-------- C:\Documents and Settings\Jon Viney\Shared
2007-09-10 17:51 <DIR> d-------- C:\Documents and Settings\Jon Viney\Incomplete
2007-09-10 17:51 <DIR> d-------- C:\Documents and Settings\Jon Viney\Application Data\LimeWire
2007-09-10 17:50 <DIR> d-------- C:\Program Files\LimeWire
2007-09-10 17:35 <DIR> d-------- C:\Program Files\BearShare Applications
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-08 19:19 --------- d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-10-05 10:36 --------- d-------- C:\Documents and Settings\Jon Viney\Application Data\MySQL
2007-10-01 19:51 --------- d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-10-01 10:26 19507 --a------ C:\WINDOWS\system32\drivers\sonypvl3.sys
2007-09-29 00:42 --------- d-------- C:\Documents and Settings\Jon Viney\Application Data\Skype
2007-09-28 14:07 --------- d-------- C:\Program Files\BulletProofSoft.com
2007-09-27 10:23 --------- d-------- C:\Program Files\QuickTime
2007-09-25 18:29 --------- d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-09-02 13:44 --------- d-------- C:\Program Files\Common Files\Ahead
2007-09-02 13:44 --------- d-------- C:\Program Files\Ahead
2007-09-01 11:33 --------- d-------- C:\Program Files\Telstra
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-06-05 20:26 1778 --a------ C:\Program Files\pkgindex.txt
2007-06-05 20:02 290816 --a------ C:\Program Files\VOICENT_SMART_DOWNLOAD5.exe
2006-08-29 11:32 31117 --a------ C:\Program Files\FixVTS1.403.zip
2006-08-29 11:20 115304 --a------ C:\Program Files\RipIt4Me.zip
2003-10-01 08:04:08 121,856 --sha-w C:\WINDOWS\system32\cfpsys.exe
2001-11-08 06:14:34 793 --sha-w C:\WINDOWS\system32\cfpsys.exe.manifest
2006-02-09 13:54:19 80 --sha-r C:\WINDOWS\system32\F561D0C03F.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-06 19:47]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-11 15:50]
"EPSON Stylus Photo RX530 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGP.exe" [2005-04-07 14:00]
"Warning: do not remove it! (system)"="cfpsys.exe" [2003-10-01 18:04 C:\WINDOWS\system32\cfpsys.exe]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2007-08-01 15:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 03:03]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-02-07 16:39]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-07 16:40]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-02-07 16:36]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 19:25]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-09-20 15:43]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 16:12]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{26F5978F-6493-4ee3-B114-C0C3ACCF9D4D}"= C:\WINDOWS\system32\bmpsap.dll [2006-06-01 17:54 114688]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggdeec]
hggdeec.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jon Viney^Start Menu^Programs^Startup^Cyber-shot Viewer Media Check Tool.lnk]
backup=C:\WINDOWS\pss\Cyber-shot Viewer Media Check Tool.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\batterymiser]
"C:\Program Files\LG Software\Battery Miser 2005\batterymiser.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigPondWirelessBroadbandCM]
"C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\BigPond_CM.exe" -tsr
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]
C:\Program Files\NetComm\NB2\dslagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE]
C:\Program Files\NetComm\NB2\dslstat.exe icon
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAShCut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Instant Buzz Daemon]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPO3]
"C:\Program Files\LG Software\IP Operator 2005\IP Operator 2005.exe" -aUtOsTaRtFrOmReG
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeybdUtility]
"C:\Program Files\LG Software\On Screen Display\Hotkey.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LG Intelligent Update]
"C:\Program Files\lg_swupdate\autoupdate.exe" Gilautouc
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MiniMax]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
"C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
"C:\Program Files\Spyware Doctor\SDTrayApp.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
R0 sonypvl3;sonypvl3;C:\WINDOWS\system32\drivers\sonypvl3.sys
R1 MSFWHLPR;MSFWHLPR;C:\WINDOWS\system32\DRIVERS\msfwhlpr.sys
R1 Ndisipo;NDIS Protocol Driver for IPO3;C:\WINDOWS\system32\DRIVERS\ndisipo.sys
R1 sonypvf3;sonypvf3;C:\WINDOWS\system32\drivers\sonypvf3.sys
R1 sonypvt3;sonypvt3;C:\WINDOWS\system32\drivers\sonypvt3.sys
R2 MSFWDrv;MSFWDrv;C:\WINDOWS\system32\DRIVERS\msfwdrv.sys
R2 msfwsvc;OneCare Firewall;"C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe"
R2 OneCareMP;OneCare AntiSpyware and AntiVirus;"C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe"
R3 lgsnd_filter;lgsnd_filter;C:\WINDOWS\system32\drivers\lgsnd_filter.sys
R3 MpFilter;Microsoft Malware Protection Driver;C:\WINDOWS\system32\DRIVERS\MpFilter.sys
S1 sonypvd3;Sony DVD Handycam;C:\WINDOWS\system32\DRIVERS\sonypvd3.sys
S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\cmo_bus.sys
S3 cmo_mdfl;Data Modem @ CDMA Filter;C:\WINDOWS\system32\DRIVERS\cmo_mdfl.sys
S3 cmo_mdm;Data Modem @ CDMA Drivers;C:\WINDOWS\system32\DRIVERS\cmo_mdm.sys
S3 cmo_serd;Data Modem @ CDMA Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\cmo_serd.sys
S3 cmusbnet;WAN Driver @ 3GPP (6280);C:\WINDOWS\system32\DRIVERS\cmusbnet.sys
S3 cmusbser;%CMUSBSER%;C:\WINDOWS\system32\DRIVERS\cmusbser.sys
S3 ColdFusion 8 .NET Service;ColdFusion 8 .NET Service;C:\ColdFusion8\jnbridge\CF8DotNetsvc.exe
S3 ColdFusion 8 Application Server;ColdFusion 8 Application Server;"C:\ColdFusion8\runtime\bin\jrunsvc.exe"
S3 ColdFusion 8 ODBC Agent;ColdFusion 8 ODBC Agent;C:\ColdFusion8\db\slserver54\bin\swagent.exe "ColdFusion 8 ODBC Agent"
S3 ColdFusion 8 ODBC Server;ColdFusion 8 ODBC Server;C:\ColdFusion8\db\slserver54\bin\swstrtr.exe "ColdFusion 8 ODBC Server"
S3 ColdFusion MX 7 Application Server;ColdFusion MX 7 Application Server;"C:\CFusionMX7\runtime\bin\jrunsvc.exe"
S3 ColdFusion MX 7 ODBC Agent;ColdFusion MX 7 ODBC Agent;C:\CFusionMX7\db\slserver54\bin\swagent.exe "ColdFusion MX 7 ODBC Agent"
S3 ColdFusion MX 7 ODBC Server;ColdFusion MX 7 ODBC Server;C:\CFusionMX7\db\slserver54\bin\swstrtr.exe "ColdFusion MX 7 ODBC Server"
S3 ColdFusion MX 7 Search Server;ColdFusion MX 7 Search Server;"C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1
S3 elDiag;Diagostics Port Device Driver;C:\WINDOWS\system32\DRIVERS\FTD2XX.sys
S3 elUsbCardBus;elu132.sys device driver;C:\WINDOWS\system32\DRIVERS\elu132.sys
S3 wanusb;NetComm Home USB ADSL WAN Modem;C:\WINDOWS\system32\DRIVERS\gwausb.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a2127d9-2f46-11db-bc7b-000df0300101}]
AutoRun\command- E:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39370ec8-7729-11da-ba91-00e0910a2110}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e
Open\command- Boot.exe e
.
Contents of the 'Scheduled Tasks' folder
"2005-10-25 10:57:11 C:\WINDOWS\Tasks\WTR.job"
- C:\Program Files\BulletProofSoft.com\WinTrace Remover\B03C3662
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-08 20:27:43
Windows 5.1.2600 Service Pack 2 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-08 20:32:57 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-08 20:32
.
--- E O F ---
Hi again and sorry for the delay.
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\bmpsap.dll
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{26F5978F-6493-4ee3-B114-C0C3ACCF9D4D}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggdeec]
Save this as "CFScript"
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
knoxdigit
2007-10-10, 01:47
ComboFix 07-10-07.2 - Jon Viney 2007-10-10 9:58:32.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.231 [GMT 11:00]
Running from: C:\Documents and Settings\Jon Viney\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jon Viney\Desktop\CFScript.txt
* Created a new restore point
FILE::
C:\WINDOWS\system32\bmpsap.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\bmpsap.dll
.
((((((((((((((((((((((((( Files Created from 2007-09-09 to 2007-10-09 )))))))))))))))))))))))))))))))
.
2007-10-08 20:32 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-06 16:13 <DIR> d-------- C:\VundoFix Backups
2007-10-02 12:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-02 12:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-02 11:40 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-01 21:03 <DIR> d-------- C:\THE_NUMBER_23
2007-09-28 14:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-28 14:13 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-28 14:12 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-09-28 14:12 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-09-28 14:12 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-09-28 14:12 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-09-28 14:12 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-09-28 14:12 <DIR> d-------- C:\Documents and Settings\Jon Viney\Application Data\PC Tools
2007-09-28 14:11 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-09-28 13:58 <DIR> d-------- C:\Documents and Settings\Jon Viney\Application Data\GetRightToGo
2007-09-25 18:07 <DIR> d-------- C:\Documents and Settings\Jon Viney\workspace
2007-09-25 15:50 <DIR> d-------- C:\Eclipse
2007-09-25 14:34 22 --ah----- C:\qpmd8379.bin
2007-09-25 14:33 36,864 --a------ C:\WINDOWS\system32\cfperfmon_8.dll
2007-09-25 14:28 <DIR> d-------- C:\ColdFusion8
2007-09-25 14:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-09-25 13:58 <DIR> d-------- C:\Program Files\Bonjour
2007-09-25 13:47 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-09-24 19:06 75,500 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-09-10 19:39 <DIR> d-------- C:\Program Files\BearFlix
2007-09-10 19:28 <DIR> d-------- C:\Documents and Settings\Jon Viney\Application Data\BearShare
2007-09-10 18:52 <DIR> d-------- C:\Documents and Settings\Jon Viney\Shared
2007-09-10 18:51 <DIR> d-------- C:\Documents and Settings\Jon Viney\Incomplete
2007-09-10 18:51 <DIR> d-------- C:\Documents and Settings\Jon Viney\Application Data\LimeWire
2007-09-10 18:50 <DIR> d-------- C:\Program Files\LimeWire
2007-09-10 18:35 <DIR> d-------- C:\Program Files\BearShare Applications
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-09 20:15 --------- d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-10-05 11:36 --------- d-------- C:\Documents and Settings\Jon Viney\Application Data\MySQL
2007-10-01 20:51 --------- d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-10-01 11:26 19507 --a------ C:\WINDOWS\system32\drivers\sonypvl3.sys
2007-09-29 01:42 --------- d-------- C:\Documents and Settings\Jon Viney\Application Data\Skype
2007-09-28 15:07 --------- d-------- C:\Program Files\BulletProofSoft.com
2007-09-27 11:23 --------- d-------- C:\Program Files\QuickTime
2007-09-25 19:29 --------- d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-09-02 14:44 --------- d-------- C:\Program Files\Common Files\Ahead
2007-09-02 14:44 --------- d-------- C:\Program Files\Ahead
2007-09-01 12:33 --------- d-------- C:\Program Files\Telstra
2007-06-05 21:26 1778 --a------ C:\Program Files\pkgindex.txt
2007-06-05 21:02 290816 --a------ C:\Program Files\VOICENT_SMART_DOWNLOAD5.exe
2006-08-29 12:32 31117 --a------ C:\Program Files\FixVTS1.403.zip
2006-08-29 12:20 115304 --a------ C:\Program Files\RipIt4Me.zip
2003-10-01 08:04:08 121,856 --sha-w C:\WINDOWS\system32\cfpsys.exe
2001-11-08 06:14:34 793 --sha-w C:\WINDOWS\system32\cfpsys.exe.manifest
2006-02-09 13:54:19 80 --sha-r C:\WINDOWS\system32\F561D0C03F.dll
.
((((((((((((((((((((((((((((( snapshot@2007-10-08_20.30.00.60 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 135,168 2007-09-27 22:06:08 C:\WINDOWS\catchme.exe
----a-w 163,328 2007-03-12 23:57:10 C:\WINDOWS\erdnt\subs\ERDNT.EXE
----a-w 64,592 2007-10-09 23:12:26 C:\WINDOWS\system32\perfc009.dat
----a-w 409,712 2007-10-09 23:12:26 C:\WINDOWS\system32\perfh009.dat
----a-w 279,552 2007-10-04 23:07:31 C:\WINDOWS\system32\swreg.exe
.
----a-w 135,168 2007-09-27 23:06:08 C:\WINDOWS\catchme.exe
----a-w 163,328 2007-03-13 00:57:10 C:\WINDOWS\erdnt\subs\ERDNT.EXE
----a-w 64,592 2007-09-28 03:16:40 C:\WINDOWS\system32\perfc009.dat
----a-w 409,712 2007-09-28 03:16:40 C:\WINDOWS\system32\perfh009.dat
----a-w 279,552 2007-10-05 00:07:31 C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-06 20:47]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-11 16:50]
"EPSON Stylus Photo RX530 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGP.exe" [2005-04-07 15:00]
"Warning: do not remove it! (system)"="cfpsys.exe" [2003-10-01 19:04 C:\WINDOWS\system32\cfpsys.exe]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2007-08-01 16:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 04:03]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-02-07 17:39]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-07 17:40]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-02-07 17:36]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-09-20 16:43]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 17:12]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Jon Viney^Start Menu^Programs^Startup^Cyber-shot Viewer Media Check Tool.lnk]
backup=C:\WINDOWS\pss\Cyber-shot Viewer Media Check Tool.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\batterymiser]
"C:\Program Files\LG Software\Battery Miser 2005\batterymiser.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigPondWirelessBroadbandCM]
"C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\BigPond_CM.exe" -tsr
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]
C:\Program Files\NetComm\NB2\dslagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE]
C:\Program Files\NetComm\NB2\dslstat.exe icon
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAShCut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Instant Buzz Daemon]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPO3]
"C:\Program Files\LG Software\IP Operator 2005\IP Operator 2005.exe" -aUtOsTaRtFrOmReG
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeybdUtility]
"C:\Program Files\LG Software\On Screen Display\Hotkey.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LG Intelligent Update]
"C:\Program Files\lg_swupdate\autoupdate.exe" Gilautouc
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MiniMax]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
"C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
"C:\Program Files\Spyware Doctor\SDTrayApp.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
R0 sonypvl3;sonypvl3;C:\WINDOWS\system32\drivers\sonypvl3.sys
R1 MSFWHLPR;MSFWHLPR;C:\WINDOWS\system32\DRIVERS\msfwhlpr.sys
R1 Ndisipo;NDIS Protocol Driver for IPO3;C:\WINDOWS\system32\DRIVERS\ndisipo.sys
R1 sonypvf3;sonypvf3;C:\WINDOWS\system32\drivers\sonypvf3.sys
R1 sonypvt3;sonypvt3;C:\WINDOWS\system32\drivers\sonypvt3.sys
R2 MSFWDrv;MSFWDrv;C:\WINDOWS\system32\DRIVERS\msfwdrv.sys
R2 msfwsvc;OneCare Firewall;"C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe"
R2 OneCareMP;OneCare AntiSpyware and AntiVirus;"C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe"
R3 lgsnd_filter;lgsnd_filter;C:\WINDOWS\system32\drivers\lgsnd_filter.sys
R3 MpFilter;Microsoft Malware Protection Driver;C:\WINDOWS\system32\DRIVERS\MpFilter.sys
S1 sonypvd3;Sony DVD Handycam;C:\WINDOWS\system32\DRIVERS\sonypvd3.sys
S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\cmo_bus.sys
S3 cmo_mdfl;Data Modem @ CDMA Filter;C:\WINDOWS\system32\DRIVERS\cmo_mdfl.sys
S3 cmo_mdm;Data Modem @ CDMA Drivers;C:\WINDOWS\system32\DRIVERS\cmo_mdm.sys
S3 cmo_serd;Data Modem @ CDMA Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\cmo_serd.sys
S3 cmusbnet;WAN Driver @ 3GPP (6280);C:\WINDOWS\system32\DRIVERS\cmusbnet.sys
S3 cmusbser;%CMUSBSER%;C:\WINDOWS\system32\DRIVERS\cmusbser.sys
S3 ColdFusion 8 .NET Service;ColdFusion 8 .NET Service;C:\ColdFusion8\jnbridge\CF8DotNetsvc.exe
S3 ColdFusion 8 Application Server;ColdFusion 8 Application Server;"C:\ColdFusion8\runtime\bin\jrunsvc.exe"
S3 ColdFusion 8 ODBC Agent;ColdFusion 8 ODBC Agent;C:\ColdFusion8\db\slserver54\bin\swagent.exe "ColdFusion 8 ODBC Agent"
S3 ColdFusion 8 ODBC Server;ColdFusion 8 ODBC Server;C:\ColdFusion8\db\slserver54\bin\swstrtr.exe "ColdFusion 8 ODBC Server"
S3 ColdFusion MX 7 Application Server;ColdFusion MX 7 Application Server;"C:\CFusionMX7\runtime\bin\jrunsvc.exe"
S3 ColdFusion MX 7 ODBC Agent;ColdFusion MX 7 ODBC Agent;C:\CFusionMX7\db\slserver54\bin\swagent.exe "ColdFusion MX 7 ODBC Agent"
S3 ColdFusion MX 7 ODBC Server;ColdFusion MX 7 ODBC Server;C:\CFusionMX7\db\slserver54\bin\swstrtr.exe "ColdFusion MX 7 ODBC Server"
S3 ColdFusion MX 7 Search Server;ColdFusion MX 7 Search Server;"C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1
S3 elDiag;Diagostics Port Device Driver;C:\WINDOWS\system32\DRIVERS\FTD2XX.sys
S3 elUsbCardBus;elu132.sys device driver;C:\WINDOWS\system32\DRIVERS\elu132.sys
S3 wanusb;NetComm Home USB ADSL WAN Modem;C:\WINDOWS\system32\DRIVERS\gwausb.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a2127d9-2f46-11db-bc7b-000df0300101}]
AutoRun\command- E:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39370ec8-7729-11da-ba91-00e0910a2110}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e
Open\command- Boot.exe e
.
Contents of the 'Scheduled Tasks' folder
"2005-10-25 10:57:11 C:\WINDOWS\Tasks\WTR.job"
- C:\Program Files\BulletProofSoft.com\WinTrace Remover\B03C3662
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-10 10:26:35
Windows 5.1.2600 Service Pack 2 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-10 10:40:58 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-10 10:40
C:\ComboFix2.txt ... 2007-10-08 21:32
.
--- E O F ---
knoxdigit
2007-10-10, 01:48
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:27 AM, on 10/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGP.EXE
C:\WINDOWS\system32\cfpsys.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\skanneri.exe.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: BigPond Wireless Broadband 2.0 Auto Dial - {DB92EC3F-697D-4C3B-9A3B-3ABBD23D4A85} - C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\bpwbb2ad.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo RX530 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGP.EXE /P31 "EPSON Stylus Photo RX530 Series" /O6 "USB003" /M "Stylus Photo RX530"
O4 - HKLM\..\Run: [Warning: do not remove it! (system)] cfpsys.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/141p/html/gtdownlr.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130294512171
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9757187-3C80-430A-81CB-5920DB8FEDBB}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{BECA0916-9CC8-40F5-B896-6163D70B7B35}: Domain = vic.bigpond.net.au
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ColdFusion 8 .NET Service - Unknown owner - C:\ColdFusion8\jnbridge\CF8DotNetsvc.exe
O23 - Service: ColdFusion 8 Application Server - Macromedia Inc. - C:\ColdFusion8\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion 8 ODBC Agent - Unknown owner - C:\ColdFusion8\db\slserver54\bin\swagent.exe
O23 - Service: ColdFusion 8 ODBC Server - Unknown owner - C:\ColdFusion8\db\slserver54\bin\swstrtr.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 ODBC Agent - Unknown owner - C:\CFusionMX7\db\slserver54\bin\swagent.exe
O23 - Service: ColdFusion MX 7 ODBC Server - Unknown owner - C:\CFusionMX7\db\slserver54\bin\swstrtr.exe
O23 - Service: ColdFusion MX 7 Search Server - Verity, Inc. - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
--
End of file - 11167 bytes
Hello :)
We'll continue...
You should print these instructions or save these to a text file. Follow these instructions carefully.
Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log
knoxdigit
2007-10-11, 14:05
Hi Mr_Jak3,
I ran Dr Web as per your instructions here is the report...
GoogleMon.exe;C:\Program Files\GoogleMon;Probably DLOADER.Trojan;Moved.;
Giljabi.exe;C:\Program Files\lg_swupdate;Probably BACKDOOR.Trojan;Moved.;
totdown.exe;C:\Program Files\lg_swupdate;Probably BACKDOOR.Trojan;Moved.;
totsetup.exe;C:\Program Files\lg_swupdate;Probably BACKDOOR.Trojan;Moved.;
A0142665.dll;C:\System Volume Information\_restore{07C888CE-636F-47B9-BA61-169539C651AB}\RP538;Trojan.Virtumod;Deleted.;
A0153051.dll;C:\System Volume Information\_restore{07C888CE-636F-47B9-BA61-169539C651AB}\RP550;Trojan.Virtumod.211;Deleted.;
A0153086.dll;C:\System Volume Information\_restore{07C888CE-636F-47B9-BA61-169539C651AB}\RP551;Trojan.Virtumod;Deleted.;
A0153087.dll;C:\System Volume Information\_restore{07C888CE-636F-47B9-BA61-169539C651AB}\RP551;Trojan.Virtumod;Deleted.;
A0153088.dll;C:\System Volume Information\_restore{07C888CE-636F-47B9-BA61-169539C651AB}\RP551;Trojan.Virtumod;Deleted.;
A0153089.dll;C:\System Volume Information\_restore{07C888CE-636F-47B9-BA61-169539C651AB}\RP551;Trojan.Virtumod;Deleted.;
A0153090.dll;C:\System Volume Information\_restore{07C888CE-636F-47B9-BA61-169539C651AB}\RP551;Trojan.Virtumod;Deleted.;
A0153092.dll;C:\System Volume Information\_restore{07C888CE-636F-47B9-BA61-169539C651AB}\RP551;Trojan.Virtumod;Deleted.;
A0153093.dll;C:\System Volume Information\_restore{07C888CE-636F-47B9-BA61-169539C651AB}\RP551;Trojan.Virtumod;Deleted.;
A0153239.dll;C:\System Volume Information\_restore{07C888CE-636F-47B9-BA61-169539C651AB}\RP553;Trojan.Virtumod;Deleted.;
A0153408.exe;C:\System Volume Information\_restore{07C888CE-636F-47B9-BA61-169539C651AB}\RP553;Trojan.MulDrop.origin;Incurable.Moved.;
A0154992.dll;C:\System Volume Information\_restore{07C888CE-636F-47B9-BA61-169539C651AB}\RP557;Trojan.PWS.Legmir.origin;Incurable.Moved.;
boeherhp.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
diqxwrgs.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
fovcwgmb.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
mbomjjot.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
nmlgdarp.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
rhyipgxy.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
rulywffx.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
And HijackThis...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:09 PM, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGP.EXE
C:\WINDOWS\system32\cfpsys.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\skanneri.exe.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: BigPond Wireless Broadband 2.0 Auto Dial - {DB92EC3F-697D-4C3B-9A3B-3ABBD23D4A85} - C:\Program Files\Telstra\BigPond Wireless Broadband 2.7.3\bpwbb2ad.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo RX530 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGP.EXE /P31 "EPSON Stylus Photo RX530 Series" /O6 "USB003" /M "Stylus Photo RX530"
O4 - HKLM\..\Run: [Warning: do not remove it! (system)] cfpsys.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/141p/html/gtdownlr.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130294512171
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9757187-3C80-430A-81CB-5920DB8FEDBB}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{BECA0916-9CC8-40F5-B896-6163D70B7B35}: Domain = vic.bigpond.net.au
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ColdFusion 8 .NET Service - Unknown owner - C:\ColdFusion8\jnbridge\CF8DotNetsvc.exe
O23 - Service: ColdFusion 8 Application Server - Macromedia Inc. - C:\ColdFusion8\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion 8 ODBC Agent - Unknown owner - C:\ColdFusion8\db\slserver54\bin\swagent.exe
O23 - Service: ColdFusion 8 ODBC Server - Unknown owner - C:\ColdFusion8\db\slserver54\bin\swstrtr.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 ODBC Agent - Unknown owner - C:\CFusionMX7\db\slserver54\bin\swagent.exe
O23 - Service: ColdFusion MX 7 ODBC Server - Unknown owner - C:\CFusionMX7\db\slserver54\bin\swstrtr.exe
O23 - Service: ColdFusion MX 7 Search Server - Verity, Inc. - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
--
End of file - 11134 bytes
Thanks...
Hi again, it is looking clean now :)
You can fix this leftover with HijackThis:
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
You can remove the tools we used.
Then you should update your Java to the latest version (6u3) Start
Control Panel
Add/Remove Programs
Delete the old Java,
J2SE Runtime Environment 6.0 Update 2
Download the latest version of Java Runtime Environment (JRE) 6u1 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it
The pc runs ok now?
=============
Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is faster and more secure browser than Internet Explorer.
Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)
Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with you antivirus software.
Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)
knoxdigit
2007-10-12, 02:08
Hi Mr_Jak3,
My cpu is running better than ever! Thank you so much for your help, now I can get back to work.
Cheers :bigthumb:
That's great news and you're very welcome :D:
As the problem appears to be resolved this topic has been archived.
If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.
Glad we could help :2thumb: