Virtumonde Removal Help!



Chunkosaurus
2008-03-04, 21:21
I need help removing Virtumonde from my system.

Here is the Hijack this scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:18:02 PM, on 3/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PDUiP6210DMon] C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [186f0e0c] rundll32.exe "C:\WINDOWS\system32\agosyvbq.dll",b
O4 - HKLM\..\Run: [BM1b5c3d90] Rundll32.exe "C:\WINDOWS\system32\rpxxfecj.dll",s
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1013018
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZJfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146791563360
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 9560 bytes
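
The log above carries the classic Virtumonde/Vundo load-point pattern: `O4` Run values with hex-looking names (`186f0e0c`, `BM1b5c3d90`) that start `rundll32.exe` on a randomly named DLL in `system32` with a single-letter export (`,b`, `,s`), plus an orphaned `O3` toolbar with `(no file)`. The script below is an added triage example, not part of this thread and not a HijackThis or Spybot tool; it parses HijackThis-format lines and flags those indicators. The `O3`/`O4` sample lines are copied from the posted log; the `O20 - Winlogon Notify` line is constructed in HijackThis format from the `gebbaaa` notify key that the ComboFix log reports. The name heuristics (6 to 8 lowercase letters, 8 hex digits) are assumptions derived from this log, not a general rule.

```python
import re
import ntpath  # Windows path splitting works on any host OS

# Sample HijackThis output, constructed for this example. The O3 and O4 lines
# are copied from the log posted in this thread; the O20 line is a constructed
# Winlogon Notify entry using the key name ComboFix reported (gebbaaa).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [186f0e0c] rundll32.exe "C:\WINDOWS\system32\agosyvbq.dll",b
O4 - HKLM\..\Run: [BM1b5c3d90] Rundll32.exe "C:\WINDOWS\system32\rpxxfecj.dll",s
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O20 - Winlogon Notify: gebbaaa - C:\WINDOWS\system32\gebbaaa.dll
"""

# O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32[.exe] "dll path",entry   (quotes optional, entry optional)
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?(?:,(?P<entry>\S*))?', re.I)
# O20 - Winlogon Notify: keyname - dll path
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')
# O2 (BHO) or O3 (toolbar) entries whose file is gone
ORPHAN_RE = re.compile(r'^O[23] - .* - \(no file\)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f-]+\}')


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): 6-8 lowercase letters, no digits or case mix,
    the naming pattern the DLLs in this thread's logs share."""
    return re.fullmatch(r'[a-z]{6,8}', stem) is not None


def hexish(name: str) -> bool:
    """Heuristic (assumption): Run value names like 186f0e0c / BM1b5c3d90."""
    return re.fullmatch(r'(?:BM)?[0-9a-f]{8}', name) is not None


def triage(log_text: str) -> list:
    """Return a list of findings, each {'type', 'path', 'reasons'}, for
    HijackThis lines that match the Vundo-style load-point indicators."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue

        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m['cmd'])
            if not r:
                continue  # only rundll32-based Run values are scored here
            dll = r['dll'].strip()
            stem = ntpath.splitext(ntpath.basename(dll))[0]
            reasons = []
            if looks_random(stem):
                reasons.append('random-looking DLL name')
            if hexish(m['name']):
                reasons.append('hex-looking Run value name')
            if r['entry'] is not None and len(r['entry']) <= 1:
                reasons.append('single-letter export entry')
            if reasons:
                findings.append({'type': 'O4', 'path': dll, 'reasons': reasons})
            continue

        if ORPHAN_RE.match(line):
            clsid = CLSID_RE.search(line)
            findings.append({'type': line[:2], 'path': clsid.group(0) if clsid else '(no file)',
                             'reasons': ['registered COM object with no file on disk']})
            continue

        m = O20_RE.match(line)
        if m:
            stem = ntpath.splitext(ntpath.basename(m['path']))[0]
            if looks_random(stem):
                findings.append({'type': 'O20', 'path': m['path'],
                                 'reasons': ['random-looking Winlogon Notify DLL']})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['type']:4} {f['path']}\n      " + '; '.join(f['reasons']))
```

Run as-is and it reports the two `agosyvbq.dll`/`rpxxfecj.dll` Run entries, the orphaned toolbar CLSID and the `gebbaaa` notify DLL, while leaving the legitimate `NvCpl.dll` rundll32 entry and `jusched.exe` alone; the legitimate entry is the reason the script combines several weak signals rather than flagging every rundll32 load. The point for a reader of the thread is which fields to look at, not the exact thresholds, which a helper would tune against the logs they see.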

Chunkosaurus
2008-03-04, 21:49
I don't know where to go from here.

Chunkosaurus
2008-03-04, 22:07
ComboFix 08-03-04.3 - Chad 2008-03-04 14:54:36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.312 [GMT -6:00]
Running from: C:\Documents and Settings\Chad\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\myglobalsearch
C:\Program Files\myglobalsearch\bar\1.bin\M9PLUGIN.DLL
C:\Program Files\myglobalsearch\bar\1.bin\MGSBAR.DLL
C:\WINDOWS\BM1b5c3d90.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\adefe.ini
C:\WINDOWS\system32\adefe.ini2
C:\WINDOWS\system32\adncvdya.ini
C:\WINDOWS\system32\agosyvbq.dll
C:\WINDOWS\system32\ahcfeetd.dll
C:\WINDOWS\system32\avrlxkyn.dll
C:\WINDOWS\system32\aydvcnda.dll
C:\WINDOWS\system32\bgrqtsgt.dll
C:\WINDOWS\system32\bmiyhrgu.dll
C:\WINDOWS\system32\bpooqmhb.dll
C:\WINDOWS\system32\byfgiukx.dll
C:\WINDOWS\system32\dxcddmhn.dll
C:\WINDOWS\system32\dyidsbbe.dll
C:\WINDOWS\system32\fshkdodu.dll
C:\WINDOWS\system32\funrralk.dll
C:\WINDOWS\system32\gebbaaa.dll
C:\WINDOWS\system32\hcdgjoyp.dll
C:\WINDOWS\system32\hskftfxe.dll
C:\WINDOWS\system32\ifdtacov.dll
C:\WINDOWS\system32\jlpajbpi.dll
C:\WINDOWS\system32\lpbxqqnj.dll
C:\WINDOWS\system32\mpsru.ini
C:\WINDOWS\system32\mpsru.ini2
C:\WINDOWS\system32\mqxincoe.dll
C:\WINDOWS\system32\nhseqcil.dll
C:\WINDOWS\system32\nlwgyiws.dll
C:\WINDOWS\system32\nnmoq.ini
C:\WINDOWS\system32\nnmoq.ini2
C:\WINDOWS\system32\oguserke.dll
C:\WINDOWS\system32\ohrovbah.dll
C:\WINDOWS\system32\onfwputl.dll
C:\WINDOWS\system32\pajxyloa.dll
C:\WINDOWS\system32\pyojgdch.ini
C:\WINDOWS\system32\qbvysoga.ini
C:\WINDOWS\system32\qomnn.dll
C:\WINDOWS\system32\raniervw.dll
C:\WINDOWS\system32\rpxxfecj.dll
C:\WINDOWS\system32\rrogiiai.dll
C:\WINDOWS\system32\sdeqhlyg.dll
C:\WINDOWS\system32\smpblbdr.dll
C:\WINDOWS\system32\tgstqrgb.ini
C:\WINDOWS\system32\thjoqbkw.ini
C:\WINDOWS\system32\tlmsbada.dll
C:\WINDOWS\system32\tonshqkq.dll
C:\WINDOWS\system32\trkemofp.dll
C:\WINDOWS\system32\wdxlsutt.dll
C:\WINDOWS\system32\wkbqojht.dll
C:\WINDOWS\system32\xwyxx.ini
C:\WINDOWS\system32\xwyxx.ini2

.
((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.

2008-03-04 14:17 . 2008-03-04 14:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-02 17:02 . 2008-03-03 15:35 594 ---hs---- C:\WINDOWS\system32\jgwlhdkf.ini
2008-03-02 03:14 . 2008-03-02 15:54 414 ---hs---- C:\WINDOWS\system32\fpcitjus.ini
2008-02-28 14:03 . 2008-02-29 03:03 414 ---hs---- C:\WINDOWS\system32\bapmdtdl.ini
2008-02-27 14:06 . 2008-02-27 14:06 294 --ahs---- C:\WINDOWS\system32\iijxuofm.ini
2008-02-25 18:32 . 2008-02-25 18:33 394 --a------ C:\WINDOWS\capture.ini
2008-02-25 17:50 . 2008-02-25 17:50 <DIR> d-------- C:\Program Files\Common Files\Protexis
2008-02-25 17:50 . 2008-02-25 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-02-24 13:59 . 2008-02-25 09:14 1,494 --ahs---- C:\WINDOWS\system32\mowutywd.ini
2008-02-23 13:58 . 2008-02-24 13:58 1,134 --ahs---- C:\WINDOWS\system32\vyjlvhco.ini
2008-02-22 13:56 . 2008-02-23 13:56 1,014 --ahs---- C:\WINDOWS\system32\wfcjvffx.ini
2008-02-21 14:02 . 2008-02-21 14:02 954 --ahs---- C:\WINDOWS\system32\tdaigoxq.ini
2008-02-20 13:56 . 2008-02-21 13:56 894 --ahs---- C:\WINDOWS\system32\blrlbide.ini
2008-02-19 13:59 . 2008-02-19 13:59 834 --ahs---- C:\WINDOWS\system32\ilahvafe.ini
2008-02-18 13:53 . 2008-02-19 13:53 774 --ahs---- C:\WINDOWS\system32\tsgavhac.ini
2008-02-17 13:53 . 2008-02-17 18:59 654 --ahs---- C:\WINDOWS\system32\ximiblpo.ini
2008-02-16 13:53 . 2008-02-16 13:53 534 --ahs---- C:\WINDOWS\system32\hkmsvslw.ini
2008-02-15 13:53 . 2008-02-15 13:53 474 --ahs---- C:\WINDOWS\system32\gdwucnjf.ini
2008-02-14 14:50 . 2008-02-14 14:50 414 --ahs---- C:\WINDOWS\system32\hnuaiwho.ini
2008-02-13 13:56 . 2008-02-14 13:57 354 --ahs---- C:\WINDOWS\system32\hoyxcxom.ini
2008-02-07 21:15 . 2008-02-07 21:15 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-02-07 07:17 . 2008-02-07 07:15 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-07 07:17 . 2008-02-07 07:17 3,441 --a------ C:\WINDOWS\unins000.dat
2008-02-07 06:47 . 2008-02-26 07:21 2,828 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-02-07 06:47 . 2008-02-26 07:21 88 -r-hs---- C:\Documents and Settings\All Users\Application Data\24311D9343.sys
2008-02-06 21:10 . 2008-02-07 06:47 <DIR> d-------- C:\Documents and Settings\Chad\Application Data\Corel
2008-02-06 21:07 . 2008-02-06 21:07 <DIR> d-------- C:\Program Files\Common Files\Corel
2008-02-06 21:06 . 2008-02-25 17:28 <DIR> d-------- C:\Program Files\Corel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 17:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-25 21:29 --------- d-----w C:\Documents and Settings\Chad\Application Data\uTorrent
2008-02-11 22:37 6,144 --sha-w C:\Program Files\Thumbs.db
2008-02-07 13:21 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-07 03:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-07 03:06 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-31 17:46 --------- d-----w C:\Program Files\Duncan Amplification
2008-01-22 20:46 --------- d-----w C:\Program Files\uTorrent
2008-01-15 16:32 --------- d-----w C:\Program Files\Lexmark X1100 Series
2007-04-24 16:27 2,006 ----a-w C:\Program Files\INSTALL.LOG
2007-02-12 00:13 81,672 ----a-w C:\Documents and Settings\Chad\Application Data\GDIPFONTCACHEV1.DAT
2004-03-24 18:26 549,486 ----a-w C:\Program Files\Pocket Mechanic.2577.CAB
2004-03-24 18:26 215 ----a-w C:\Program Files\Pocket Mechanic.INI
2003-10-17 18:54 1,078 ----a-w C:\Program Files\Pocket Mechanic.ico
2001-09-28 21:00 164,864 ----a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{03DD2EC9-3D59-4FEE-8461-313EC3F1B8B4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29DCAAD6-623F-4A98-BBB2-C99405C51931}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59790271-1916-49DF-8652-A850E7410631}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C688652-398E-4F1F-AF8A-B00C87AB1418}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DC9FB3A-E85E-426B-90A6-44E8C9F33486}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76460D80-480D-40BF-AF0D-3A2D3B8DEF61}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7ADF8E0B-0CD6-4A37-8D47-FD032B80FEF3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D977E92-4709-417D-845E-F223444BDC51}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{803D52FC-768B-4B0D-929C-E44B979AA5BF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B967469E-314A-4C19-8223-952572CD0B12}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7355BF4-2FA7-45F1-9563-63B0AC5FF92D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7632969-7A73-42F7-97C8-C2058575859A}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 15:13 1207080]
"NVIEW"="nview.dll" [2003-07-28 13:19 852038 C:\WINDOWS\system32\nview.dll]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SWHelper"="C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-04-07 17:37 1827640]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 13:56 61440]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 04:06 79224]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-06-22 00:35 180269]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-07-28 13:19 4841472]
"nwiz"="nwiz.exe" [2003-07-28 13:19 323584 C:\WINDOWS\system32\nwiz.exe]
"PDUiP6210DMon"="C:\Program Files\Canon\Memory Card Utility\iP6210D\PDUiP6210DMon.exe" [2005-05-06 18:28 69632]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2001-07-03 13:13 81920]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"186f0e0c"="C:\WINDOWS\system32\agosyvbq.dll" [ ]
"BM1b5c3d90"="C:\WINDOWS\system32\rpxxfecj.dll" [ ]

C:\Documents and Settings\Chad\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2006-07-06 08:08:34 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-05-08 19:39:37 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-11-26 12:42:42 692224]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebbaaa]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1148480026\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1148480026\\ee\\aim6.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Ring Factory\\RingFactory.exe"=
"C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 01:00]
R2 PSI_SVC_2;Protexis Licensing V2;"c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe" [2007-07-24 11:15]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" []
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-01-02 14:44]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);C:\WINDOWS\system32\DRIVERS\s115bus.sys [2007-04-23 15:54]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s115mdfl.sys [2007-04-23 15:54]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s115mdm.sys [2007-04-23 15:54]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s115mgmt.sys [2007-04-23 15:54]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s115obex.sys [2007-04-23 15:54]
S3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2005-10-17 18:50]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 15:02:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-03-04 15:04:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-04 21:04:18
.
2008-02-13 09:05:34 --- E O F ---

pskelley
2008-03-06, 13:40
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

http://forums.spybot.info/showthread.php?t=16806

If you still need help, please read and follow the directions. DO NOT run and post a Kaspersky scan now until I request it.
If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.

Thanks to Atribune and any others who helped with this fix.

http://vundofix.atribune.org/ <<< tutorial

"Download VundoFix" to your Desktop

http://www.atribune.org/ccount/click.php?id=4

Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\

Post the Vundofix.txt and a new HJT log

Thanks

pskelley
2008-03-13, 11:37
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.