View Full Version : Virtumonde



midas38
2007-10-21, 23:47
Can't seem to get rid of this thing so I am looking for help. When I run Spyware Doctor it can't get rid of it in the C:\windows\system32\ssqpm.dll

I did a Kaspersky online scan but it is screwing up and won't let me save the log or do anything with it now that it is done.

HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:28 AM, on 1/7/2003
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\Config\lsass.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2&svc=mail&cbid=24325&msppjph=1&tw=0&fs=1&fsa=1&fsat=1296000&_lang=EN&lc=1033
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {804A90F5-6A3B-49E6-AA70-3C21085A5B91} - C:\windows\System32\ssqpm.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\windows\system32\jyspvixp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\windows\system32\jyspvixp.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [UpdReg] C:\windows\UpdReg.EXE
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL0
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [DevconDefaultDB] C:\windows\READREG /PSCONV={NO} /FAIL=1
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA4658] command /c del "C:\WINDOWS\system32\jgerwpiy.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5182] cmd /c del "C:\WINDOWS\system32\jgerwpiy.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Zach\Desktop\vundofix.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SCB
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\FilePlanet\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Tacd] "C:\windows\TSKS~1\alg.exe" --ru -vt yazb
O4 - HKCU\..\Run: [DDC] C:\windows\system32\ujsiuldl.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\windows\System32\Macromed\Flash\GetFlash.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1947] command /c del "C:\WINDOWS\system32\jgerwpiy.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7879] cmd /c del "C:\WINDOWS\system32\jgerwpiy.exe_tobedeleted"
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Download with TrueDownloader! - C:\Program Files\TrueDownloader\TrueDownloader.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&4&04.00.07.02&unknown&unknown&http://www.toyota.com/vehicles/2005/corolla/ext360.html
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.1.99.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124285179468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124285169421
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O20 - Winlogon Notify: jyspvixp - C:\windows\SYSTEM32\jyspvixp.dll
O20 - Winlogon Notify: nnnkjjg - C:\windows\SYSTEM32\nnnkjjg.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\windows\System32\CTsvcCDA.exe
O23 - Service: DomainService - - C:\windows\system32\ujsiuldl.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\windows\System32\UAService7.exe

--
End of file - 10085 bytes

midas38
2007-10-22, 00:24
ComboFix dialog


ComboFix 07-10-21.1** - Zach 2003-01-07 14:09:40.1 - NTFSx86 NETWORK
Running from: C:\Documents and Settings\Zach\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Zach\Desktop\internet.lnk
C:\Documents and Settings\Zach\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Zach\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Zach\Favorites\Online Security Guide.lnk
C:\Program Files\Hammer.dll
C:\windows\cookies.ini
C:\windows\system32\drivers\sfsync02.sys
C:\windows\system32\drivers\sfsync03.sys
C:\windows\system32\jyspvixp.dllbox
C:\WINDOWS\system32\mpqss.bak1
C:\WINDOWS\system32\mpqss.ini
C:\windows\system32\ssqpm.dll
C:\windows\system32\wl.exe
C:\windows\tsks~1
C:\windows\tsks~1\alg.exe
C:\windows\tsks~1\T?sks\

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_SFSYNC02
-------\LEGACY_SFSYNC03
-------\DomainService
-------\sfsync02
-------\sfsync03


((((((((((((((((((((((((( Files Created from 2002-12-07 to 2003-01-07 )))))))))))))))))))))))))))))))
.

2003-01-13 13:57 450,560 --a--c--- C:\WINDOWS\system32\dllcache\jscript.dll
2003-01-07 14:10 4,672 --a------ C:\WINDOWS\system32\lwrwoswf.exe
2003-01-07 14:07 75,328 --a------ C:\WINDOWS\system32\jkihrenl.exe
2003-01-07 14:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2003-01-07 11:02 77,376 --a------ C:\WINDOWS\system32\ihiyuleg.dll
2003-01-07 11:01 83,008 --a------ C:\WINDOWS\system32\trallvli.dll
2003-01-07 10:59 75,328 --a------ C:\WINDOWS\system32\lpiptdkt.exe
2003-01-07 10:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2003-01-07 10:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2003-01-07 10:14 <DIR> d-------- C:\Program Files\RegCure
2003-01-07 09:43 <DIR> d-------- C:\VundoFix Backups
2003-01-07 09:42 75,328 --a------ C:\WINDOWS\system32\scrioaaf.exe
2003-01-05 17:46 <DIR> d-------- C:\Program Files\Spyware Doctor
2003-01-05 17:46 <DIR> d-------- C:\Documents and Settings\Zach\Application Data\PC Tools
2003-01-05 17:46 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2003-01-05 17:46 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2003-01-05 17:46 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2003-01-05 17:46 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2003-01-05 17:46 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2003-01-05 17:36 83,008 --a------ C:\WINDOWS\system32\vgaishlg.dll
2003-01-05 17:36 83,008 --a------ C:\WINDOWS\system32\ohlwjtlv.dll
2003-01-05 17:33 83,008 --a------ C:\WINDOWS\system32\vqrjstln.dll
2003-01-05 17:33 83,008 --a------ C:\WINDOWS\system32\tkpdclka.dll
2003-01-05 17:33 83,008 --a------ C:\WINDOWS\system32\qkomvkmh.dll
2003-01-05 17:33 83,008 --a------ C:\WINDOWS\system32\njtaoqac.dll
2003-01-05 17:30 83,008 --a------ C:\WINDOWS\system32\qipaakci.dll
2003-01-05 17:30 83,008 --a------ C:\WINDOWS\system32\gsblchcw.dll
2003-01-05 17:30 83,008 --a------ C:\WINDOWS\system32\chgnoywt.dll
2003-01-05 17:27 83,008 --a------ C:\WINDOWS\system32\yvxbtiai.dll
2003-01-05 17:27 83,008 --a------ C:\WINDOWS\system32\uvfrxpkm.dll
2003-01-05 17:27 83,008 --a------ C:\WINDOWS\system32\bpwdbqwl.dll
2003-01-05 17:24 83,008 --a------ C:\WINDOWS\system32\jsjkaddd.dll
2003-01-05 17:24 83,008 --a------ C:\WINDOWS\system32\inonntye.dll
2003-01-05 17:24 83,008 --a------ C:\WINDOWS\system32\effvlhhy.dll
2003-01-05 17:21 83,008 --a------ C:\WINDOWS\system32\gbqgotwj.dll
2003-01-05 17:21 83,008 --a------ C:\WINDOWS\system32\ecbcmfng.dll
2003-01-05 17:21 83,008 --a------ C:\WINDOWS\system32\cwlxdies.dll
2003-01-05 17:18 83,008 --a------ C:\WINDOWS\system32\srvwthdc.dll
2003-01-05 17:18 83,008 --a------ C:\WINDOWS\system32\oxfimalk.dll
2003-01-05 17:18 83,008 --a------ C:\WINDOWS\system32\cadmaffh.dll
2003-01-05 17:15 83,008 --a------ C:\WINDOWS\system32\mcxrayhb.dll
2003-01-05 17:15 83,008 --a------ C:\WINDOWS\system32\hnksahip.dll
2003-01-05 17:12 75,328 --a------ C:\WINDOWS\system32\ujsiuldl.exe
2003-01-05 16:55 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2003-01-05 16:55 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2003-01-05 16:55 0 --a------ C:\WINDOWS\PowerReg.dat
2003-01-03 17:44 1,392,671 --------- C:\WINDOWS\system32\msvbvm60.dll
2003-01-03 17:44 151,552 --a------ C:\WINDOWS\system32\scrrun.dll
2003-01-03 17:43 3,584 --a--c--- C:\WINDOWS\system32\dllcache\comcat.dll
2003-01-03 17:43 3,584 --a------ C:\WINDOWS\system32\comcat.dll
2003-01-01 19:44 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2003-01-01 15:30 339,968 --------- C:\WINDOWS\system32\jyspvixp.dll
2003-01-01 15:29 389,184 --a------ C:\WINDOWS\system32\xbyfbjkg.exe
2002-12-30 09:53 12,160 --a------ C:\WINDOWS\system32\drivers\ctgame.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-15 05:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-15 05:21 --------- d-----w C:\Program Files\Realtek AC97
2007-10-15 05:21 --------- d-----w C:\Program Files\Realtek
2007-10-15 05:20 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InstallShield
2007-10-15 05:19 --------- d-----w C:\Program Files\AMD
2007-10-14 21:00 --------- d-----w C:\Program Files\Creative
2007-10-14 20:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Creative
2007-10-14 19:31 --------- d-----w C:\Program Files\MSI
2007-10-14 18:24 96,256 ----a-w C:\windows\system32\drivers\sptd3773.sys
2007-10-14 17:29 --------- d-----w C:\Program Files\Steam
2007-10-14 06:27 --------- d-----w C:\Program Files\Azureus
2007-10-13 06:32 --------- d-----w C:\windows\system32\config\systemprofile\Application Data\Xfire
2007-10-13 06:32 --------- d-----w C:\windows\system32\config\systemprofile\Application Data\Xfire
2007-10-13 06:30 --------- d-s---w C:\Program Files\Xfire
2007-10-09 04:30 --------- d-----w C:\Documents and Settings\Zach\Application Data\Xfire
2007-10-08 05:14 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Xfire
2007-10-08 04:39 --------- d-----w C:\Program Files\Google
2007-10-05 10:49 13,056 ----a-w C:\windows\system32\drivers\FlashSys.sys
2007-09-17 08:07 6,853,088 ----a-w C:\windows\system32\drivers\nv4_mini.sys
2007-09-06 00:04 --------- d-----w C:\Program Files\OpenAL
2007-09-05 23:49 --------- d-----w C:\Documents and Settings\Zach\Application Data\Gearbox Software
2007-06-02 05:28 95,488 ----a-r C:\windows\system32\drivers\Rtnicxp.sys
2007-02-09 11:10 574,464 ----a-w C:\windows\system32\drivers\ntfs.sys
2006-12-14 03:41 --------- d-----w C:\Program Files\PowerISO
2006-12-14 00:26 --------- d-----w C:\Program Files\Java
2006-12-08 01:29 --------- d-----w C:\Program Files\PlayLinc
2006-12-06 04:09 --------- d-----w C:\Documents and Settings\Zach\Application Data\IGN_DLM
2006-11-23 22:20 --------- d-----w C:\Documents and Settings\Zach\Application Data\InstallShield
2006-11-06 08:28 30,988 ----a-w C:\windows\system32\drivers\scdemu.sys
2006-10-21 20:36 --------- d-----w C:\Documents and Settings\Zach\Application Data\Talkback
2006-10-19 21:40 --------- d-----w C:\Program Files\MSXML 4.0
2006-10-13 10:23 163,584 ----a-w C:\windows\system32\drivers\nwrdr.sys
2006-09-13 01:04 --------- d-----w C:\Program Files\FlashFXP
2006-09-13 00:57 --------- d-----w C:\Program Files\mIRC
2006-09-12 03:43 --------- d-----w C:\Documents and Settings\Zach\Application Data\FlashFXP
2006-09-08 04:53 502,368 ----a-w C:\windows\system32\drivers\amon.sys
2006-08-29 07:54 10,664 ----a-w C:\windows\system32\drivers\gan_adapter.sys
2006-08-27 19:07 223,128 ----a-w C:\windows\system32\drivers\dtscsi.sys
2006-08-27 19:07 --------- d-----w C:\Program Files\DAEMON Tools
2006-08-27 19:04 643,072 ----a-w C:\windows\system32\drivers\sptd.sys
2006-08-24 03:39 --------- d-----w C:\Program Files\Nero
2006-08-24 03:39 --------- d-----w C:\Program Files\Common Files\Ahead
2006-08-24 03:38 --------- d-----w C:\Program Files\Ahead
2006-08-24 03:04 --------- d-----w C:\Program Files\SlySoft
2006-08-24 02:49 --------- d-----w C:\Program Files\CDBurnerXP Pro 3
2006-08-24 02:32 --------- d-----w C:\Program Files\DC++
2006-08-21 09:14 128,896 ------w C:\windows\system32\drivers\fltmgr.sys
2006-08-16 09:37 225,664 ----a-w C:\windows\system32\drivers\tcpip6.sys
2006-08-14 10:34 332,928 ----a-w C:\windows\system32\drivers\srv.sys
2006-08-11 21:56 8,192 ----a-w C:\windows\system32\drivers\pfmodnt.sys
2006-08-11 21:45 78,336 ----a-w C:\windows\system32\drivers\emupia2k.sys
2006-08-11 21:45 766,976 ----a-w C:\windows\system32\drivers\ha10kx2k.sys
2006-08-11 21:45 7,168 ----a-w C:\windows\system32\drivers\ctprxy2k.sys
2006-08-11 21:45 502,272 ----a-w C:\windows\system32\drivers\ctac32k.sys
2006-08-11 21:45 499,584 ----a-w C:\windows\system32\drivers\ctaud2k.sys
2006-08-11 21:45 180,224 ----a-w C:\windows\system32\drivers\haP17v2k.sys
2006-08-11 21:45 154,112 ----a-w C:\windows\system32\drivers\haP16v2k.sys
2006-08-11 21:45 143,872 ----a-w C:\windows\system32\drivers\ctsfm2k.sys
2006-08-11 21:45 116,224 ----a-w C:\windows\system32\drivers\ctoss2k.sys
2006-08-11 21:45 1,110,016 ----a-w C:\windows\system32\drivers\ha20x2k.sys
2006-07-13 08:48 202,240 ----a-w C:\windows\system32\drivers\rmcast.sys
2006-06-14 09:00 82,944 ----a-w C:\windows\system32\drivers\wdmaud.sys
2006-06-14 08:47 6,400 ----a-w C:\windows\system32\drivers\splitter.sys
2006-06-14 08:47 172,416 ----a-w C:\windows\system32\drivers\kmixer.sys
2006-05-05 09:47 174,592 ----a-w C:\windows\system32\drivers\rdbss.sys
2006-05-05 09:41 453,120 ----a-w C:\windows\system32\drivers\mrxsmb.sys
2006-04-20 11:51 359,808 ----a-w C:\windows\system32\drivers\tcpip.sys
2006-03-17 00:33 262,784 ------w C:\windows\system32\drivers\http.sys
2006-02-25 05:44 --------- d-----w C:\Documents and Settings\Zach\Application Data\Petroglyph
2006-02-25 05:43 --------- d-----w C:\Documents and Settings\Zach\Application Data\LucasArts
2006-02-15 00:22 142,464 ----a-w C:\windows\system32\drivers\aec.sys
2006-02-12 22:25 --------- d-----w C:\Program Files\trillian
2006-02-12 20:07 --------- d-----w C:\Program Files\Setup Files
2006-02-12 07:02 --------- d-----w C:\Documents and Settings\Espie\Application Data\AdobeUM
2006-02-11 22:38 --------- d-----r C:\Program Files\Support.com
2006-02-11 20:20 --------- d-----w C:\Program Files\SupportSoft
2006-02-11 20:20 --------- d-----w C:\Program Files\Qwest QuickConnect
2005-12-24 02:04 --------- d-----w C:\Program Files\CoH Hero Builder
2005-12-12 14:21 --------- d-----w C:\Documents and Settings\Espie\Application Data\Logitech
2005-12-11 22:50 --------- d-----w C:\Program Files\Teamspeak2_RC2
2005-12-11 03:04 --------- d-----w C:\Program Files\Chikka
2005-12-06 01:05 --------- d-----w C:\Documents and Settings\Zach\Application Data\My Games
2005-12-03 16:31 --------- d-----w C:\Program Files\Logitech
2005-12-03 16:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2005-12-02 05:09 --------- d-----w C:\Documents and Settings\Zach\Application Data\Creative
2005-11-11 00:06 340,704 ----a-w C:\windows\system32\drivers\ctdvda2k.sys
2005-11-03 14:40 63,488 ----a-w C:\windows\system32\drivers\sfvfs02.sys
2005-10-29 20:31 --------- d-----w C:\Program Files\NVIDIA Corporation
2005-10-29 20:31 --------- d-----w C:\Program Files\Common Files\NVIDIA Shared
2005-10-02 03:54 --------- d-----w C:\Documents and Settings\Zach\Application Data\MSN6
2005-10-02 03:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2005-09-23 13:31 --------- d-----w C:\Program Files\FilePlanet
2005-09-17 15:41 --------- d-----w C:\Program Files\GameSpy Arcade
2005-09-06 21:02 1,365,888 ----a-w C:\windows\system32\drivers\CTMMFILT.SYS
2005-09-04 19:36 --------- d-----w C:\Program Files\RedBedlam
2005-08-20 16:27 --------- d-----w C:\Program Files\Netscape
2005-08-10 12:44 50,688 ----a-w C:\windows\system32\drivers\sfdrv01.sys
2005-07-27 04:20 --------- d-----w C:\Documents and Settings\Zach\Application Data\teamspeak2
2005-07-21 01:03 --------- d-----w C:\Documents and Settings\Zach\Application Data\Ventrilo
2005-07-21 00:48 --------- d-----w C:\Program Files\Ventrilo
.

midas38
2007-10-22, 00:25
more of the ComboFix


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{804A90F5-6A3B-49E6-AA70-3C21085A5B91}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2003-01-01 15:30 339968 --------- C:\windows\system32\jyspvixp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\windows\system32\jyspvixp.dll [2003-01-01 15:30 339968]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10]
"NvCplDaemon"="C:\windows\system32\NvCpl.dll" [2007-09-17 00:07]
"nwiz"="nwiz.exe" [2007-09-17 00:07 C:\WINDOWS\system32\nwiz.exe]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 19:51]
"UpdReg"="C:\windows\UpdReg.EXE" [2000-05-11 01:00]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2005-11-18 23:33]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2006-09-07 20:53]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 12:28 C:\WINDOWS\KHALMNPR.Exe]
"NvMediaCenter"="C:\windows\system32\NvMcTray.dll" [2007-09-17 00:07]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 23:56]
"AsioReg"="REGSVR32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\regsvr32.exe]
"CtxfiReg"="CTXFIREG.exe" [2006-08-11 13:53 C:\WINDOWS\system32\CTXFIREG.EXE]
"CTHelper"="CTHELPER.EXE" [2006-08-11 13:56 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 C:\WINDOWS\system32\CTXFIHLP.EXE]
"DevconDefaultDB"="C:\windows\READREG /PSCONV={NO} /FAIL=1" []
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 20:42 C:\WINDOWS\SOUNDMAN.EXE]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2003-01-05 21:45]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-03 23:56]
"LDM"="\Program\BackWeb-8876480.exe" []
"Creative MediaSource Go"="C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe" [2003-02-20 10:30]
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe" [2002-11-21 09:33]
"Steam"="C:\Program Files\Steam\Steam.exe" [2007-10-07 20:40]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 14:18]
"igndlm.exe"="C:\Program Files\FilePlanet\Download Manager\DLM.exe" [2006-11-07 17:22]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-13 22:56]
"Tacd"="C:\windows\TSKS~1\alg.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\windows\System32\Macromed\Flash\GetFlash.exe
"SpybotDeletingB1947"=command /c del "C:\WINDOWS\system32\jgerwpiy.exe_tobedeleted"
"SpybotDeletingD7879"=cmd /c del "C:\WINDOWS\system32\jgerwpiy.exe_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingA4658"=command /c del "C:\WINDOWS\system32\jgerwpiy.exe_tobedeleted"
"SpybotDeletingC5182"=cmd /c del "C:\WINDOWS\system32\jgerwpiy.exe_tobedeleted"
"VundoFix"="C:\Documents and Settings\Zach\Desktop\vundofix.exe"

C:\Documents and Settings\Zach\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe [2007-10-02 15:56:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jyspvixp]
jyspvixp.dll 2003-01-01 15:30 339968 C:\WINDOWS\system32\jyspvixp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnkjjg]
nnnkjjg.dll 2007-10-14 09:24 35840 C:\WINDOWS\system32\nnnkjjg.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\windows\System32\ssqpm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CoreCenter.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CoreCenter.lnk
backup=C:\windows\pss\CoreCenter.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DigiCell.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DigiCell.lnk
backup=C:\windows\pss\DigiCell.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Perstray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Perstray.lnk
backup=C:\windows\pss\Perstray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Zach^Start Menu^Programs^Startup^Connection Manager.lnk]
path=C:\Documents and Settings\Zach\Start Menu\Programs\Startup\Connection Manager.lnk
backup=C:\WINDOWS\pss\Connection Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Zach^Start Menu^Programs^Startup^Trillian.lnk]
path=C:\Documents and Settings\Zach\Start Menu\Programs\Startup\Trillian.lnk
backup=C:\windows\pss\Trillian.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AceGain LiveUpdate]
C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01]
"C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LCDMon]
"C:\Program Files\Logitech\G-series Software\LCDMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch LGDCore]
"C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LiveMonitor]
C:\Program Files\MSI\Live Update 3\LMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\windows\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler]
C:\Program Files\Saitek\Software\Profiler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiMfd]
C:\Program Files\Saitek\Software\SaiMfd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiSmart]
C:\Program Files\Saitek\Software\SaiSmart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmdprovidersbc]
"c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

S3 ctgame;Game Port;C:\windows\system32\DRIVERS\ctgame.sys
S3 DigiCellDriver;DigiCellDriver;\??\C:\Program Files\MSI\DigiCell\NTGLM7X.sys
S3 GcKernel;Microsoft SideWinder Value Add - Filter Driver;C:\windows\system32\DRIVERS\GcKernel.sys
S3 hamachi_oem;PlayLinc Adapter;C:\windows\system32\DRIVERS\gan_adapter.sys
S3 HIDSwvd;Microsoft SideWinder Virtual HID Device Mini-Driver;C:\windows\system32\DRIVERS\HIDSwvd.sys
S3 SaiH0255;SaiH0255;C:\windows\system32\DRIVERS\SaiH0255.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command - E:\AutoRun.exe

.
Contents of the 'Scheduled Tasks' folder
"2003-01-07 18:14:15 C:\windows\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2003-01-07 18:14:15 C:\windows\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2003-01-07 14:24:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2003-01-07 14:27:39 - machine was rebooted
.
--- E O F ---
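
The two logs above show the persistence points this Virtumonde/Vundo infection uses: an unnamed O2 BHO and an O20 Winlogon Notify package backed by randomly named DLLs in system32, a second copy of lsass.exe appended to the system.ini Shell= value, a decoy alg.exe under C:\windows\TSKS~1, a service with no vendor string, and an extra LSA "Authentication Packages" entry. The script below is an added example, written for this page and not code from the poster, the Spybot forum or any of the tools in the logs; it runs the same kind of triage a helper does by eye over a few lines copied from the HijackThis and ComboFix output above. The random-name pattern, the list of Windows process names that should never live outside system32, and the allow-list of stock XP Winlogon Notify packages are my assumptions, not anything the page states.

```python
import re

# Constructed sample input: lines copied from the HijackThis log in the first
# post, with benign entries from the same log left in so the filters have
# something to ignore.
SAMPLE_HJT = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {804A90F5-6A3B-49E6-AA70-3C21085A5B91} - C:\windows\System32\ssqpm.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\windows\system32\jyspvixp.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Tacd] "C:\windows\TSKS~1\alg.exe" --ru -vt yazb
O4 - HKCU\..\Run: [DDC] C:\windows\system32\ujsiuldl.exe
O20 - Winlogon Notify: jyspvixp - C:\windows\SYSTEM32\jyspvixp.dll
O20 - Winlogon Notify: nnnkjjg - C:\windows\SYSTEM32\nnnkjjg.dll
O23 - Service: DomainService - - C:\windows\system32\ujsiuldl.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# One line from the "Reg Loading Points" section of the ComboFix log above.
SAMPLE_LSA = r'"Authentication Packages"= msv1_0 C:\windows\System32\ssqpm.dll'

# Windows process names; a copy outside system32 (C:\WINDOWS\Config\lsass.exe,
# C:\windows\TSKS~1\alg.exe) is a decoy. Assumption: list chosen by me.
SYSTEM_NAMES = {"lsass.exe", "alg.exe", "svchost.exe", "csrss.exe",
                "winlogon.exe", "services.exe", "smss.exe"}

# Winlogon Notify packages on a stock XP SP2 install. Assumption from memory,
# not taken from the page.
XP_NOTIFY_OK = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# Vundo-style file names: five to eight lowercase letters and nothing else.
RANDOM_NAME = re.compile(r"^[a-z]{5,8}\.(?:dll|exe)$")

O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
# Vendor may be empty, which HJT prints as "Name - - path".
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) ?- (.*)$")


def basename(path):
    return path.rstrip().rsplit("\\", 1)[-1].lower()


def in_system32(path):
    return "\\system32\\" in path.lower()


def looks_random(path):
    return in_system32(path) and RANDOM_NAME.match(basename(path)) is not None


def masquerades(path):
    return basename(path) in SYSTEM_NAMES and not in_system32(path)


def first_exe(command):
    # '"C:\a b\c.exe" /x' -> 'C:\a b\c.exe';  'C:\a\c.exe /x' -> 'C:\a\c.exe'
    m = re.match(r'^"?(.*?\.exe)"?', command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def scan_hjt(log_text):
    """Return (section, reason, path) triples for suspicious HijackThis entries."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("F2 - ") and "Shell=" in line:
            # system.ini Shell= should be Explorer.exe alone; anything appended runs at logon
            extras = [t for t in line.split("Shell=", 1)[1].split()
                      if t.lower() != "explorer.exe"]
            findings += [("F2", "extra shell executable", p) for p in extras]
        elif m := O2_RE.match(line):
            name, _clsid, path = m.groups()
            if name == "(no name)" and looks_random(path):
                findings.append(("O2", "unnamed BHO, random system32 DLL", path))
        elif m := O4_RE.match(line):
            exe = first_exe(m.group(4))
            if masquerades(exe):
                findings.append(("O4", "system binary name outside system32", exe))
            elif looks_random(exe):
                findings.append(("O4", "random system32 executable", exe))
        elif m := O20_RE.match(line):
            pkg, path = m.groups()
            if pkg.lower() not in XP_NOTIFY_OK and looks_random(path):
                findings.append(("O20", "non-default Winlogon Notify DLL", path))
        elif m := O23_RE.match(line):
            _svc, vendor, path = m.groups()
            if vendor.strip() == "" and looks_random(path):
                findings.append(("O23", "service with no vendor, random system32 binary", path))
    return findings


def scan_lsa(line):
    """Flag any LSA authentication package other than the built-in msv1_0."""
    if "Authentication Packages" not in line:
        return []
    value = line.split("=", 1)[1]
    return [("LSA", "extra authentication package", tok)
            for tok in value.split() if tok.lower() != "msv1_0"]


if __name__ == "__main__":
    for section, reason, path in scan_hjt(SAMPLE_HJT) + scan_lsa(SAMPLE_LSA):
        print(f"{section:4} {reason:45} {path}")
```

On the sample lines the script flags the two Vundo BHOs, both Winlogon Notify DLLs, the DomainService entry, the decoy alg.exe, the second lsass.exe from Shell= and ssqpm.dll as an LSA package, and leaves the Adobe and Spybot BHOs and the NOD32 entries alone. The LSA check is the one worth remembering: a DLL registered under Authentication Packages is loaded into lsass.exe at boot, which is why Spyware Doctor could not delete ssqpm.dll from a running system.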

tashi
2007-11-05, 21:12
Hello.

Because of the amount of posts in your thread, helpers probably thought you were already being assisted. :sad:


Copy and paste that information in your next post if the content will take no more than two posts to do so.
If the result of your anti-virus scan is extremely long, please do not post it, but rather inform us when posting the HJT log.

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Start with ONLY the Two Logs We Ask For in Our Sticky Topic, NOT CF etc (http://forums.spybot.info/showthread.php?t=16806)

For people waiting who have not resolved their problem, we have a sticky topic:
The Waiting Room: Post here if waiting for help longer than four days (http://forums.spybot.info/forumdisplay.php?f=37)

However if members waiting for assistance do not post in the waiting room, their topic is archived.

If you need the thread re-opened, please send me a private message (pm) and provide a link.

Regards. :)