PDA

View Full Version : "virtumonde" resisting =(


m77jj
2008-04-03, 01:05
Hi, i recently got this malware or virus and i have no idea how i got this. At first i thought this is "yet another spyware" to remove with a couple of clicks but this is something different. Once i realised i couldnt remove this using spybot, i visited this forum to see what else i can do by myself without bothering others. I checked some posts titled with this malware ("virtumonde according to spybot S&D) but i realised i cant remove it by myself....Anyways, to the topic: i got some log files from HiJackThis, Combofix, Vundofix and VirtumundoBeGone (VBG):


HiJackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:01:11, on 03.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: (no name) - {789D35E2-529E-4B4C-B62C-7A9CA4C212CE} - C:\WINDOWS\system32\awvvw.dll (file missing)
O2 - BHO: (no name) - {7F3D6086-4433-4F33-A4FB-5A64F24158D2} - C:\WINDOWS\system32\ddccc.dll (file missing)
O2 - BHO: (no name) - {C05984E7-F4C6-45F9-955D-5B5A65C04B71} - C:\WINDOWS\system32\mllmn.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [5cced6e5] rundll32.exe "C:\WINDOWS\system32\mhtnfqas.dll",b
O4 - HKLM\..\Run: [BM5ffde579] Rundll32.exe "C:\WINDOWS\system32\yrvhprjj.dll",s
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ParetoLogic Anti-Spyware] "C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: cbxxxxy - cbxxxxy.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5872 bytes
------------------------------------------------
m77jj
2008-04-03, 01:06
ComboFix 08-04-02.1 - m77JJ 2008-04-03 0:30:18.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.682 [GMT 3:00]
Running from: D:\Downloads\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
.

2008-04-02 22:22 . 2008-04-02 22:22 <DIR> d-------- C:\VundoFix Backups
2008-04-02 22:02 . 2008-04-02 22:02 <DIR> d-------- C:\Program Files\ParetoLogic
2008-04-02 22:02 . 2008-04-02 22:02 <DIR> d-------- C:\Program Files\Common Files\ParetoLogic
2008-04-02 22:02 . 2008-04-02 22:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2008-04-02 21:50 . 2008-04-02 21:50 <DIR> d-------- C:\Program Files\Java
2008-04-02 21:50 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-02 21:48 . 2008-04-02 21:48 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-02 21:37 . 2008-04-02 21:37 294 ---hs---- C:\WINDOWS\system32\hjxswfbv.ini
2008-04-02 21:21 . 2008-04-02 21:21 <DIR> d-------- C:\Documents and Settings\m77JJ\Application Data\Media Player Classic
2008-04-02 21:19 . 2008-04-02 21:19 38 --a------ C:\WINDOWS\avisplitter.INI
2008-04-02 21:17 . 2008-04-02 21:17 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-04-02 21:17 . 2004-01-11 23:00 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-04-02 21:17 . 2007-09-04 17:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-04-02 18:56 . 2008-04-02 20:28 374 --a------ C:\WINDOWS\wininit.ini
2008-04-02 18:32 . 2008-04-02 18:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-02 18:32 . 2008-04-02 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-02 18:28 . 2008-04-02 18:28 <DIR> d-------- C:\Downloads
2008-04-02 18:16 . 2008-04-02 18:16 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-02 18:16 . 2006-10-04 17:06 1,197,294 --a------ C:\WINDOWS\system32\dllcache\SET134.tmp
2008-04-02 18:15 . 2008-04-02 18:15 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-02 18:15 . 2008-04-02 18:15 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-02 18:06 . 2008-04-02 18:06 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-02 18:05 . 2008-04-02 18:05 <DIR> d-------- C:\WINDOWS\%DownloadedProgramFiles%
2008-04-02 18:05 . 2006-09-25 17:58 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-02 04:05 . 2008-04-02 04:05 369,479 --a------ C:\WINDOWS\d_eJay3.inf
2008-04-02 02:41 . 2008-04-02 02:41 <DIR> d-------- C:\Program Files\uTorrent
2008-04-02 02:41 . 2008-04-02 02:41 <DIR> d-------- C:\Documents and Settings\m77JJ\Application Data\uTorrent
2008-04-02 02:31 . 2000-05-01 23:02 97,280 --a------ C:\WINDOWS\system\ccrpbds5.dll
2008-04-02 02:29 . 2008-04-02 02:29 <DIR> d-------- C:\Program Files\FastMount
2008-04-02 02:25 . 2008-04-02 02:25 <DIR> d-------- C:\Program Files\DAEMON Tools
2008-04-02 02:20 . 2008-04-02 02:20 639,224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-04-02 02:17 . 2008-04-02 02:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RoboForm
2008-04-02 02:16 . 2008-04-02 02:16 <DIR> d-------- C:\Program Files\Siber Systems
2008-04-02 02:11 . 2008-04-02 02:11 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-02 02:11 . 2008-04-02 02:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-02 02:11 . 2008-04-02 02:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 02:04 . 2008-04-02 02:04 <DIR> d-------- C:\Program Files\FlashGet
2008-04-02 02:04 . 2004-08-04 12:00 359,040 --a------ C:\WINDOWS\system32\drivers\tcpip.sys.flg
2008-04-02 01:59 . 2008-04-02 01:59 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2008-04-02 01:59 . 2008-04-02 01:59 <DIR> d-------- C:\Documents and Settings\m77JJ\Application Data\Thunderbird
2008-04-02 01:56 . 2008-04-02 01:56 1,158 --a------ C:\WINDOWS\mozver.dat
2008-04-02 01:55 . 2008-04-02 01:55 <DIR> d-------- C:\Documents and Settings\m77JJ\Application Data\SiteAdvisor
2008-04-02 01:55 . 2008-04-02 01:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-02 01:55 . 2008-04-02 01:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-02 01:52 . 2008-04-02 01:52 <DIR> d-------- C:\Documents and Settings\m77JJ\Application Data\Talkback
2008-04-02 01:52 . 2008-04-02 01:52 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-02 01:38 . 2008-04-02 01:38 <DIR> d-------- C:\Program Files\Eset
2008-04-02 01:38 . 2008-04-02 01:36 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-04-02 01:38 . 2008-04-02 01:36 298,104 --a------ C:\WINDOWS\system32\imon.dll
2008-04-02 01:38 . 2008-04-02 01:36 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2008-04-02 01:34 . 2008-04-02 01:34 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2008-04-02 01:33 . 2008-04-02 01:33 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2008-04-02 01:26 . 2006-08-01 15:02 49,152 -ra------ C:\WINDOWS\system32\ChCfg.exe
2008-04-02 01:25 . 2008-04-02 01:25 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2008-04-02 01:25 . 2008-04-02 01:25 <DIR> d-------- C:\Program Files\Realtek AC97
2008-04-02 01:25 . 2008-04-02 01:25 <DIR> d-------- C:\Program Files\AvRack
2008-04-02 01:23 . 2008-04-02 01:23 <DIR> d-------- C:\WINDOWS\nview
2008-04-02 01:23 . 2007-12-05 02:53 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-04-02 01:23 . 2007-12-05 01:41 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-04-02 01:23 . 2008-04-02 01:31 163,353 --a------ C:\WINDOWS\system32\nvapps.xml
2008-04-02 01:23 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-04-02 01:21 . 2008-04-02 01:21 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-02 01:20 . 2008-04-02 01:20 <DIR> d-------- C:\Program Files\VIA
2008-04-02 01:20 . 2008-04-02 01:20 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-04-02 01:20 . 2007-09-20 10:43 331,184 --------- C:\WINDOWS\system32\difxapi.dll
2008-04-02 01:18 . 2008-04-02 01:18 <DIR> d-------- C:\WINDOWS\system32\DRVSTORE
2008-04-02 01:18 . 2008-04-02 01:18 <DIR> d-------- C:\Program Files\DIFX
2008-04-02 01:18 . 2006-07-01 22:39 36,864 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 23:16 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2008-04-01 17:54 --------- d-----w C:\Program Files\Symantec
2008-04-01 17:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-01 17:54 --------- d-----w C:\Documents and Settings\m77JJ\Application Data\Symantec
2008-04-01 17:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-01 17:52 --------- d-----w C:\Program Files\WinUHA
2008-04-01 17:38 --------- d-----w C:\Program Files\microsoft frontpage
.

------- Sigcheck -------

2008-04-02 02:16 14336 8b399460a5f3e6686368484fef2f11d6 C:\WINDOWS\system32\svchost.exe

2004-08-04 12:00 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\system32\drivers\tcpip.sys
2004-08-04 12:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{789D35E2-529E-4B4C-B62C-7A9CA4C212CE}]
C:\WINDOWS\system32\awvvw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F3D6086-4433-4F33-A4FB-5A64F24158D2}]
C:\WINDOWS\system32\ddccc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C05984E7-F4C6-45F9-955D-5B5A65C04B71}]
C:\WINDOWS\system32\mllmn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"ParetoLogic Anti-Spyware"="C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" [2007-08-01 13:56 2643312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 577536 C:\WINDOWS\soundman.exe]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 16:45 114688]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 01:50 204800]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-02 01:36 949376]
"5cced6e5"="C:\WINDOWS\system32\mhtnfqas.dll" [ ]
"BM5ffde579"="C:\WINDOWS\system32\yrvhprjj.dll" [ ]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2004-08-04 15:00 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{51C55F9E-C308-4c95-89AB-8858D8AFD819}"= C:\Program Files\ParetoLogic\Anti-Spyware\PASShlExt.dll [2007-10-24 21:59 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxxxxy]
cbxxxxy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\5cced6e5]
C:\WINDOWS\system32\mhtnfqas.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
--a------ 2007-08-08 15:53 88024 C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM5ffde579]
C:\WINDOWS\system32\vjtvlepw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
--a------ 2007-06-29 14:44 1990704 C:\Program Files\FlashGet\FlashGet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
--a--c--- 2002-08-14 15:21 94208 D:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 01:41 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"GhostStartService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-09-21 17:49]
R1 GhPciScan;GhostPciScanner;D:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 15:11]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2008-04-02 02:16]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2008-04-02 02:16]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2008-04-02 02:16]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2008-04-02 02:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2008-04-02 19:02:42 C:\WINDOWS\Tasks\ParetoLogic Update.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\Pareto_Update.exe
"2008-04-02 19:02:44 C:\WINDOWS\Tasks\ParetoLogic Anti-Spyware.job"
- C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
"2008-04-02 19:03:06 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-03 00:30:53
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-03 0:31:05
ComboFix-quarantined-files.txt 2008-04-02 21:31:06
ComboFix2.txt 2008-04-02 21:17:22
Pre-Run: 7,067,312,128 bytes free
Post-Run: 7,060,488,192 bytes free
----------------------------------------



VundoFix V7.0.3

Scan started at 20:53:38 02.04.2008

Listing files found while scanning....

No infected files were found.


VundoFix V7.0.3

Scan started at 22:22:30 02.04.2008

Listing files found while scanning....

C:\windows\system32\awvvw.dll
C:\windows\system32\wvvwa.ini
C:\windows\system32\wvvwa.ini2

Beginning removal...

Attempting to delete C:\windows\system32\awvvw.dll
C:\windows\system32\awvvw.dll Has been deleted!

Attempting to delete C:\windows\system32\wvvwa.ini
C:\windows\system32\wvvwa.ini Has been deleted!

Attempting to delete C:\windows\system32\wvvwa.ini2
C:\windows\system32\wvvwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V7.0.3

Scan started at 22:58:50 02.04.2008

Listing files found while scanning....

No infected files were found.


VundoFix V7.0.3

Scan started at 23:24:42 02.04.2008

Listing files found while scanning....

No infected files were found.


VundoFix V7.0.3

Scan started at 00:26:02 03.04.2008

Listing files found while scanning....

No infected files were found.


Beginning removal...
------------------------------------------



[04/03/2008, 0:23:20] - VirtumundoBeGone v1.5 ( "D:\Downloads\VirtumundoBeGone.exe" )
[04/03/2008, 0:23:28] - Detected System Information:
[04/03/2008, 0:23:28] - Windows Version: 5.1.2600, Service Pack 2
[04/03/2008, 0:23:28] - Current Username: m77JJ (Admin)
[04/03/2008, 0:23:28] - Windows is in NORMAL mode.
[04/03/2008, 0:23:28] - Searching for Browser Helper Objects:
[04/03/2008, 0:23:28] - BHO 1: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (FGCatchUrl)
[04/03/2008, 0:23:28] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[04/03/2008, 0:23:28] - BHO 3: {724d43a9-0d85-11d4-9908-00400523e39a} ()
[04/03/2008, 0:23:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 0:23:28] - Checking for HKLM\...\Winlogon\Notify\roboform
[04/03/2008, 0:23:28] - Key not found: HKLM\...\Winlogon\Notify\roboform, continuing.
[04/03/2008, 0:23:28] - BHO 4: {789D35E2-529E-4B4C-B62C-7A9CA4C212CE} ()
[04/03/2008, 0:23:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 0:23:28] - Checking for HKLM\...\Winlogon\Notify\awvvw
[04/03/2008, 0:23:28] - Key not found: HKLM\...\Winlogon\Notify\awvvw, continuing.
[04/03/2008, 0:23:28] - BHO 5: {7F3D6086-4433-4F33-A4FB-5A64F24158D2} ()
[04/03/2008, 0:23:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 0:23:28] - Checking for HKLM\...\Winlogon\Notify\ddccc
[04/03/2008, 0:23:28] - Key not found: HKLM\...\Winlogon\Notify\ddccc, continuing.
[04/03/2008, 0:23:28] - BHO 6: {C05984E7-F4C6-45F9-955D-5B5A65C04B71} ()
[04/03/2008, 0:23:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 0:23:28] - Checking for HKLM\...\Winlogon\Notify\mllmn
[04/03/2008, 0:23:28] - Key not found: HKLM\...\Winlogon\Notify\mllmn, continuing.
[04/03/2008, 0:23:28] - BHO 7: {F156768E-81EF-470C-9057-481BA8380DBA} (FlashGet GetFlash Class)
[04/03/2008, 0:23:28] - Finished Searching Browser Helper Objects
[04/03/2008, 0:23:28] - Finishing up...
[04/03/2008, 0:23:28] - Nothing found! Exiting...
----------------------------------------

i have no idea what to do now as i realised i cant remove that malware by myself. I even tried a couple of spyware removal tools from symantec and other virus experts, tried removal in safe mode and tried a couple of spyware removers. Most of them didnt even detect or the ones that detected have removed some stuff but then when i restart my system the spyware comes back and writes itself to the system =(