Virtumonde dll 8 entries, Virtumonde 2 entries

echo1
2008-04-28, 14:45
Hi,

My browser was acting funny (symptoms: unable to search in Google, some sites refuse to open, some site ads are replaced with junk adult ads, etc.)

I did a scan with SpyBot and got these results shown up in red:
doubleclick - tracking cookie,
fastclick - tracking cookie,
mediaplex - tracking cookie
Virtumonde - 2 entries
Virtumonde.dll - 8 entries

Tried deleting them but Spybot hung on Virtumonde dll and I lost my patience and quit. Spybot also got jammed in safe mode, so I rebooted to normal mode and deleted the others.

When faced with serious problems like this I prefer to reinstall the OS and other programs, but I am unable to do even that. The OS setup files get copied, the system reboots and then... zilch, nothing happens except the old OS reboots (no OS install setup code in the boot menu).

TIA :)

--------------------------------------------------------------
Here is my HJT result:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:30 PM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe ??????
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\HDD Thermometer\HDD Thermometer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\IPCheck Server Monitor 5\Firebird\bin\fbguard.exe
C:\Program Files\IPCheck Server Monitor 5\Firebird\bin\fbserver.exe
C:\Program Files\IPCheck Server Monitor 5\IPCheckProbe.exe
C:\Program Files\IPCheck Server Monitor 5\IPCheckServer.exe
C:\Program Files\IPCheck Server Monitor 5\IPCheckServer.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: &Netcraft Toolbar - {D554D8FC-B36D-4BB4-93DB-4A3394D505E3} - C:\Program Files\Netcraft Toolbar\nctb.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\jmwkqrky.dll",s
O4 - HKLM\..\Run: [c44708a2] rundll32.exe "C:\WINDOWS\system32\nndryghm.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Program Files\HDD Thermometer\HDD Thermometer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB2609] command /c del "C:\WINDOWS\system32\dqlhwipj.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2242] cmd /c del "C:\WINDOWS\system32\dqlhwipj.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7830] command /c del "C:\WINDOWS\system32\hgGwVMFU.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9882] cmd /c del "C:\WINDOWS\system32\hgGwVMFU.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB849] command /c del "C:\WINDOWS\system32\ohsukjxw.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3201] cmd /c del "C:\WINDOWS\system32\ohsukjxw.dll_old"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205358557234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205652980468
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://service.futuremark.com/virtualmark/tc/MSC3.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: Bandwidth Controller Server (bcserver) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - FirebirdSQL Project - C:\Program Files\IPCheck Server Monitor 5\Firebird\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - FirebirdSQL Project - C:\Program Files\IPCheck Server Monitor 5\Firebird\bin\fbserver.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: IPCheck Server Monitor Local/Remote Probe Module (IPCProbeService) - Paessler AG - C:\Program Files\IPCheck Server Monitor 5\IPCheckProbe.exe
O23 - Service: IPCheck Server Monitor Webserver Module (IPCServerService) - Paessler AG - C:\Program Files\IPCheck Server Monitor 5\IPCheckServer.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SandraLite\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SandraLite\RpcSandraSrv.exe

End of HJT file
----------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT
Monday, April 28, 2008 5:34:45 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/04/2008
Kaspersky Anti-Virus database records: 727826

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
L:\

Scan Statistics
Total number of scanned objects 336823
Number of viruses found 19
Number of infected objects 45
Number of suspicious objects 0
Duration of the scan process 03:14:20


Infected Object Name Virus Name Last Action
C:\Documents and Settings\admin\ntuser.dat Object is locked skipped

C:\Documents and Settings\admin\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\username\Application Data\Apple Computer\Safari\PubSub\Database\Database.sqlite3 Object is locked skipped

C:\Documents and Settings\username\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\username\Local Settings\Application Data\Apple Computer\Safari\Cache.db Object is locked skipped

C:\Documents and Settings\username\Local Settings\Application Data\Apple Computer\Safari\WebpageIcons.db Object is locked skipped

C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\username\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\username\Local Settings\Temp\Perflib_Perfdata_2bc.dat Object is locked skipped

C:\Documents and Settings\username\Local Settings\Temp\~DF891B.tmp Object is locked skipped

C:\Documents and Settings\username\Local Settings\Temporary Internet Files\Content.IE5\8QM4ZQYK\kriv[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.qrj skipped

C:\Documents and Settings\username\Local Settings\Temporary Internet Files\Content.IE5\B8J4UR0P\CA5WUTHN Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped

C:\Documents and Settings\username\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\username\Local Settings\Temporary Internet Files\Content.IE5\UMI0RM6Q\idkfa[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.qri skipped

C:\Documents and Settings\username\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\username\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Avast4\DATA\aswResp.dat Object is locked skipped

C:\Program Files\Avast4\DATA\Avast4.db Object is locked skipped

C:\Program Files\Avast4\DATA\log\AshWebSv.ws Object is locked skipped

C:\Program Files\Avast4\DATA\log\aswMaiSv.log Object is locked skipped

C:\Program Files\Avast4\DATA\log\nshield.log Object is locked skipped

C:\Program Files\Avast4\DATA\report\Resident protection.txt Object is locked skipped

C:\Program Files\IPCheck Server Monitor 5\firebird\security2.fdb Object is locked skipped

C:\Program Files\IPCheck Server Monitor 5\firebird\WINDOWS.lck Object is locked skipped

C:\Program Files\IPCheck Server Monitor 5\IPCBACKUP.FDB Object is locked skipped

C:\Program Files\IPCheck Server Monitor 5\IPCHECK.FDB Object is locked skipped

C:\Program Files\IPCheck Server Monitor 5\log\ipcerror.log Object is locked skipped

C:\Program Files\IPCheck Server Monitor 5\log\ipcweb20080428.log Object is locked skipped

C:\Program Files\IPCheck Server Monitor 5\log\remerr.log Object is locked skipped

C:\System Volume Information\_restore{1B5A7CA2-368E-48E2-997F-F9638DAEFA7B}\RP1\A0003125.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped

C:\System Volume Information\_restore{1B5A7CA2-368E-48E2-997F-F9638DAEFA7B}\RP1\A0003126.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrh skipped

C:\System Volume Information\_restore{1B5A7CA2-368E-48E2-997F-F9638DAEFA7B}\RP1\A0004125.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrj skipped

C:\System Volume Information\_restore{1B5A7CA2-368E-48E2-997F-F9638DAEFA7B}\RP1\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\NetLimit.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\dqlhwipj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qri skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\ljJYQGaA.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qne skipped

C:\WINDOWS\system32\msclwroq.dll Infected: Packed.Win32.Monder.gen skipped

C:\WINDOWS\system32\ohsukjxw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrg skipped

C:\WINDOWS\system32\onfvwmrh.dll Infected: Packed.Win32.Monder.gen skipped

C:\WINDOWS\system32\puegmmgb.dll Infected: Packed.Win32.Monder.gen skipped

C:\WINDOWS\system32\qnljjhbd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qri skipped

C:\WINDOWS\system32\smejnurr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrj skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_72c.dat Object is locked skipped

C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

E:\PROGRAM FILES\+ CMS New\Joomla\server\SlimFTPd_3.16.exe/data.rar/SlimFTPd/SlimFTPd.exe Infected: not-a-virus:Server-FTP.Win32.SlimFTPd.316 skipped

E:\PROGRAM FILES\+ CMS New\Joomla\server\SlimFTPd_3.16.exe/data.rar Infected: not-a-virus:Server-FTP.Win32.SlimFTPd.316 skipped

E:\PROGRAM FILES\+ CMS New\Joomla\server\SlimFTPd_3.16.exe RarSFX: infected - 2 skipped

E:\PROGRAM FILES\+ SOUND\Download_smrproa.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped

E:\PROGRAM FILES\+ TOOLS\Network Monitor\FinitySoftNetworkMonitor.exe/stream/data0006 Infected: not-a-virus:Monitor.Win32.NetMon.c skipped

E:\PROGRAM FILES\+ TOOLS\Network Monitor\FinitySoftNetworkMonitor.exe/stream Infected: not-a-virus:Monitor.Win32.NetMon.c skipped

E:\PROGRAM FILES\+ TOOLS\Network Monitor\FinitySoftNetworkMonitor.exe NSIS: infected - 2 skipped

E:\PROGRAM FILES\+SECURITY\SmitFraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

E:\PROGRAM FILES\+SECURITY\SmitFraudFix\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

E:\PROGRAM FILES\+SECURITY\SmitFraudFix\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

E:\PROGRAM FILES\+SECURITY\SmitFraudFix\SmitfraudFix.exe RarSFX: infected - 2 skipped

E:\PROGRAM FILES\+SECURITY\SmitFraudFix\SmitfraudFix.exe PE_Patch.UPX: infected - 2 skipped

E:\PROGRAM FILES\RealVNC PC2PC\vnc-3.3.7-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

E:\PROGRAM FILES\RealVNC PC2PC\vnc-3.3.7-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

E:\PROGRAM FILES\RealVNC PC2PC\vnc-3.3.7-x86_win32.exe/data0004 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

E:\PROGRAM FILES\RealVNC PC2PC\vnc-3.3.7-x86_win32.exe Inno: infected - 3 skipped

E:\PROGRAM FILES\RealVNC PC2PC\vnc-3.3.7-x86_win32.zip/vnc-3.3.7-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

E:\PROGRAM FILES\RealVNC PC2PC\vnc-3.3.7-x86_win32.zip/vnc-3.3.7-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

E:\PROGRAM FILES\RealVNC PC2PC\vnc-3.3.7-x86_win32.zip/vnc-3.3.7-x86_win32.exe/data0004 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

E:\PROGRAM FILES\RealVNC PC2PC\vnc-3.3.7-x86_win32.zip/vnc-3.3.7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

E:\PROGRAM FILES\RealVNC PC2PC\vnc-3.3.7-x86_win32.zip ZIP: infected - 4 skipped

E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

E:\System Volume Information\_restore{1B5A7CA2-368E-48E2-997F-F9638DAEFA7B}\RP1\change.log Object is locked skipped

F:\OTHER CONTENT\MISCfromDdrive\from CD\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe/data.rar/axdlplug.dll Infected: not-a-virus:AdWare.Win32.PluginDL.a skipped

F:\OTHER CONTENT\MISCfromDdrive\from CD\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe/data.rar/buddy.exe Infected: Trojan.Win32.Obfuscated.s skipped

F:\OTHER CONTENT\MISCfromDdrive\from CD\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe/data.rar/setup2.exe Infected: not-a-virus:AdWare.Win32.PluginDL.a skipped

F:\OTHER CONTENT\MISCfromDdrive\from CD\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe/data.rar Infected: not-a-virus:AdWare.Win32.PluginDL.a skipped

F:\OTHER CONTENT\MISCfromDdrive\from CD\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe RarSFX: infected - 4 skipped

F:\OTHER CONTENT\old docs\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe/data.rar/axdlplug.dll Infected: not-a-virus:AdWare.Win32.PluginDL.a skipped

F:\OTHER CONTENT\old docs\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe/data.rar/buddy.exe Infected: Trojan.Win32.Obfuscated.s skipped

F:\OTHER CONTENT\old docs\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe/data.rar/setup2.exe Infected: not-a-virus:AdWare.Win32.PluginDL.a skipped

F:\OTHER CONTENT\old docs\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe/data.rar Infected: not-a-virus:AdWare.Win32.PluginDL.a skipped

F:\OTHER CONTENT\old docs\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe RarSFX: infected - 4 skipped

F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

End of Kaspersky Scan process
----------------------------------------------------------------
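A small triage script for the O4 lines of the HijackThis log above, added here as an example (it is not part of echo1's post or of any tool on the page). It parses the O4 entries and flags the two rundll32 entries that load eight-letter random-named DLLs from system32, the same naming pattern as the Virtumonde DLLs Kaspersky lists; the log lines are embedded as constructed sample input so it runs offline.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the O4 (registry autostart) entries copied from the
# HijackThis log in the post above, embedded so the script runs offline.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\jmwkqrky.dll",s
O4 - HKLM\..\Run: [c44708a2] rundll32.exe "C:\WINDOWS\system32\nndryghm.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB2609] command /c del "C:\WINDOWS\system32\dqlhwipj.dll_old"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
""".strip().splitlines()

# One HijackThis O4 line: "O4 - <hive>\..\<key>: [<name>] <command> (User '<user>')".
# The [name] is the registry value name; HijackThis prints it for every entry
# that has one, so its absence is itself worth a look.
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): "
    r"(?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+?)(?: \(User '[^']*'\))?$"
)

# The loader shape seen twice in the log above: rundll32 pointed at an
# eight-letter DLL dropped straight into system32, calling a one-letter export.
RUNDLL_RANDOM_DLL = re.compile(
    r'^rundll32(?:\.exe)?\s+"?[a-z]:\\windows\\system32\\[a-z]{8}\.dll"?,[a-z]$',
    re.IGNORECASE,
)

# Value names that are eight hex digits ("c44708a2") rather than a product name.
HEX_NAME = re.compile(r"[0-9a-f]{8}")


@dataclass
class O4Entry:
    raw: str
    hive: str
    key: str
    name: Optional[str]
    cmd: str
    reasons: List[str] = field(default_factory=list)


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one O4 line; returns None for lines that are not registry Run entries."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return O4Entry(line.strip(), m["hive"], m["key"], m["name"], m["cmd"])


def assess(entry: O4Entry) -> O4Entry:
    """Attach a reason for each indicator the entry exhibits (defender-side triage)."""
    if entry.name is None:
        entry.reasons.append("Run value has no name")
    elif HEX_NAME.fullmatch(entry.name):
        entry.reasons.append("value name is eight hex digits")
    if RUNDLL_RANDOM_DLL.match(entry.cmd):
        entry.reasons.append("rundll32 loads a random-named system32 DLL via a one-letter export")
    return entry


def triage(lines: List[str]) -> List[O4Entry]:
    """Return the O4 entries that carry at least one indicator, in log order."""
    flagged = []
    for line in lines:
        entry = parse_o4(line)
        if entry is not None and assess(entry).reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for entry in triage(SAMPLE_O4_LINES):
        print(entry.raw)
        for reason in entry.reasons:
            print("    ->", reason)
```

Run on the sample, only the two rundll32 loaders are reported; the legitimate avast!, Comodo, ctfmon and Spybot cleanup entries pass through silently.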

random/random
2008-04-28, 21:37
We'll begin with ComboFix. Please visit this webpage for download links and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the combofix log and a new HijackThis log as a reply to this topic.

echo1
2008-04-29, 01:09
Combofix log:

ComboFix 08-04-27.3 - username 2008-04-29 3:54:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.656 [GMT 5.5:30]
Running from: C:\Documents and Settings\username\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\eOXycccf.ini
C:\WINDOWS\system32\eOXycccf.ini2
C:\WINDOWS\system32\fcgxjifj.ini
C:\WINDOWS\system32\gqjkcvsu.dll
C:\WINDOWS\system32\hrmwvfno.ini
C:\WINDOWS\system32\IPsvDfhk.ini
C:\WINDOWS\system32\IPsvDfhk.ini2
C:\WINDOWS\system32\jfijxgcf.dll
C:\WINDOWS\system32\jkkJyYpO.dll
C:\WINDOWS\system32\ljJYQGaA.dll
C:\WINDOWS\system32\LnTsrBeg.ini
C:\WINDOWS\system32\LnTsrBeg.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\OpYyJkkj.ini
C:\WINDOWS\system32\OpYyJkkj.ini2
C:\WINDOWS\system32\phbmuljq.ini
C:\WINDOWS\system32\rmhvhxhv.ini
C:\WINDOWS\system32\rrunjems.ini
C:\WINDOWS\system32\tbgudnlp.dll
C:\WINDOWS\system32\tdahtgge.dll
C:\WINDOWS\system32\UFMVwGgh.ini
C:\WINDOWS\system32\UFMVwGgh.ini2

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

2008-04-29 03:53 . 2008-04-29 03:53 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-28 21:46 . 2004-08-03 22:59 250,032 -rahs---- C:\ntldr
2008-04-28 14:31 . 2008-04-28 14:31 95,296 --------- C:\WINDOWS\system32\nndryghm.dll_old
2008-04-28 14:31 . 2008-04-28 17:36 578 --ahs---- C:\WINDOWS\system32\mhgyrdnn.ini
2008-04-28 01:13 . 2008-04-28 01:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-27 23:36 . 2008-04-27 23:36 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-27 23:36 . 2008-04-27 23:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-27 21:27 . 2008-04-27 22:33 <DIR> d-------- C:\Program Files\RegCleaner
2008-04-26 12:57 . 2008-04-27 20:38 354 --ahs---- C:\WINDOWS\system32\uplkyscj.ini
2008-04-24 23:23 . 2008-04-28 16:08 617 --a------ C:\WINDOWS\wininit.ini
2008-04-24 22:33 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-24 22:33 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-24 22:33 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-24 03:03 . 2008-04-25 14:48 1,063,075,840 --a------ C:\WINDOWS\MEMORY.DMP
2008-04-24 01:41 . 2008-04-29 03:44 <DIR> d-------- C:\Program Files\Netcraft Toolbar
2008-04-23 23:35 . 2008-04-23 23:35 <DIR> d-------- C:\Program Files\WatchMouse Site Monitor
2008-04-23 21:58 . 2008-04-23 21:58 1,024 --ah----- C:\Documents and Settings\Default User\NTUSER.DAT.LOG
2008-04-23 21:53 . 2004-08-04 00:56 562,176 --a--c--- C:\WINDOWS\system32\dllcache\fxsst.dll
2008-04-23 21:52 . 2004-08-04 00:56 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-04-23 21:50 . 2008-04-23 21:50 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-04-23 21:50 . 2008-04-23 21:50 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-04-23 21:50 . 2008-04-23 21:50 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-04-23 21:50 . 2008-04-23 21:50 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-04-23 21:50 . 2008-04-23 21:50 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-04-23 21:50 . 2008-04-23 21:50 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-04-23 21:28 . 2001-08-23 21:30 13,107,200 --a------ C:\WINDOWS\system32\oembios.bin
2008-04-23 21:27 . 2001-08-23 20:30 3,440,660 --a------ C:\WINDOWS\system32\drivers\gm.dls
2008-04-23 17:21 . 2008-04-23 17:22 <DIR> d-------- C:\Program Files\HoverIP
2008-04-23 16:00 . 2008-04-23 16:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-23 15:39 . 2008-04-23 15:39 <DIR> d-------- C:\Documents and Settings\username\Application Data\Lavasoft
2008-04-23 15:06 . 2008-04-27 21:02 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-23 15:06 . 2008-04-24 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-23 15:05 . 2008-04-23 16:01 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-23 07:40 . 2008-04-29 03:04 109,813 --a------ C:\WINDOWS\BMc7743b3e.xml
2008-04-21 08:19 . 2007-03-02 14:05 393,216 --a------ C:\WINDOWS\system32\GDS32.DLL
2008-04-21 08:18 . 2008-04-21 08:23 <DIR> d-------- C:\Program Files\IPCheck Server Monitor 5
2008-04-21 08:09 . 2008-04-25 09:06 <DIR> d-------- C:\Program Files\Webserver Stress Tool 7
2008-04-20 16:58 . 2008-04-28 09:18 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-20 16:58 . 2008-04-20 16:58 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-10 03:32 . 2008-04-10 03:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2008-04-06 21:13 . 2008-04-06 21:13 <DIR> d-------- C:\Program Files\ISO Recorder
2008-04-05 23:18 . 2008-04-05 23:18 <DIR> d-------- C:\Program Files\NasBackup
2008-04-03 15:32 . 2008-04-03 15:32 <DIR> d-------- C:\Program Files\Webinaria
2008-04-03 03:40 . 2008-04-03 03:40 <DIR> d-------- C:\Program Files\WindowShoot
2008-03-31 15:34 . 2008-04-15 17:58 1,213 --a------ C:\todo.html
2008-03-30 09:55 . 2008-03-30 09:55 <DIR> d-------- C:\Program Files\Right Picture Download Manager
2008-03-30 09:55 . 2008-03-30 09:55 <DIR> d-------- C:\Documents and Settings\username\Application Data\Rightfiles
2008-03-30 08:41 . 2008-03-30 08:41 <DIR> d-------- C:\Program Files\WinHTTrack
2008-03-28 22:58 . 2008-04-25 11:15 17,844 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-03-28 22:41 . 2008-03-28 22:41 <DIR> d-------- C:\Program Files\Safari
2008-03-28 22:41 . 2008-03-28 22:41 <DIR> d-------- C:\Documents and Settings\username\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 22:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\HDD Thermometer
2008-04-23 16:36 --------- d-----w C:\Program Files\Opera
2008-04-23 14:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-23 10:30 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-22 21:26 --------- d-----w C:\Program Files\VisualRoute Lite Edition
2008-04-19 16:43 --------- d-----w C:\Program Files\SpeedFan
2008-04-02 10:03 --------- d-----w C:\Program Files\Avast4
2008-03-29 15:58 --------- d-----w C:\Documents and Settings\username\Application Data\Skype
2008-03-29 15:55 --------- d-----w C:\Documents and Settings\username\Application Data\skypePM
2008-03-25 18:38 --------- d-----w C:\Program Files\SandraLite
2008-03-25 12:46 --------- d-----w C:\Program Files\The KMPlayer
2008-03-21 22:34 --------- d-----w C:\Program Files\Seagate
2008-03-21 12:02 --------- d-----w C:\Program Files\Java
2008-03-21 11:56 --------- d-----w C:\Program Files\Common Files\Java
2008-03-21 08:06 --------- d-----w C:\Program Files\Hidden Utilities XP
2008-03-17 19:34 --------- d-----w C:\Program Files\BitTorrent
2008-03-17 15:22 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-17 13:51 216,064 ----a-w C:\WINDOWS\system32\drivers\bcim.sys
2008-03-17 13:51 --------- d-----w C:\Program Files\Bandwidth Controller Standard Server
2008-03-17 13:51 --------- d-----w C:\Program Files\Bandwidth Controller Standard Client
2008-03-17 10:21 --------- d-----w C:\Documents and Settings\username\Application Data\Locktime
2008-03-17 10:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Locktime
2008-03-17 01:29 --------- d-----w C:\Program Files\CPU Usage Resource Kit
2008-03-17 01:25 --------- d-----w C:\Program Files\DiskResourceKit
2008-03-16 22:22 --------- d-----w C:\Program Files\AIDA32 - Enterprise System Information
2008-03-13 21:53 --------- d-----w C:\Program Files\Microsoft Virtual PC
2008-03-13 19:42 --------- d-----w C:\Documents and Settings\username\Application Data\Sync App Settings
2008-03-13 19:24 --------- d-----w C:\Program Files\PowerQuest
2008-03-13 06:17 --------- d-----w C:\Program Files\Eraser
2008-03-13 01:45 --------- d-----w C:\Documents and Settings\admin\Application Data\Comodo
2008-03-13 01:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Seagate
2008-03-13 00:49 --------- d-----w C:\Program Files\Softnik Technologies
2008-03-13 00:46 --------- d-----w C:\Documents and Settings\username\Application Data\Screaming Bee
2008-03-13 00:45 --------- d-----w C:\Program Files\Common Files\Screaming Bee
2008-03-13 00:44 --------- d-----w C:\Program Files\MorphVOX Junior
2008-03-13 00:38 --------- d-----w C:\Program Files\PC Wizard 2008
2008-03-13 00:26 --------- d-----w C:\Program Files\DebugMode
2008-03-13 00:25 --------- d-----w C:\Program Files\TweakMASTER
2008-03-13 00:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hagel Technologies
2008-03-13 00:23 --------- d-----w C:\Program Files\Index.dat Suite
2008-03-13 00:22 --------- d-----w C:\Program Files\HDD Thermometer
2008-03-13 00:22 --------- d-----w C:\Documents and Settings\username\Application Data\HDD Thermometer
2008-03-13 00:21 --------- d-----w C:\Program Files\YourWare Solutions
2008-03-13 00:20 --------- d-----w C:\Program Files\Disk Investigator
2008-03-13 00:14 --------- d-----w C:\Program Files\FreshDevices
2008-03-13 00:13 --------- d-----w C:\Program Files\Mydrivers
2008-03-12 23:58 --------- d-----w C:\Program Files\Terragen
2008-03-12 23:57 --------- d-----w C:\Program Files\Google
2008-03-12 23:51 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-12 23:26 --------- d-----w C:\Program Files\Common Files\Vbox
2008-03-12 23:08 --------- d-----w C:\Documents and Settings\username\Application Data\AdobeUM
2008-03-12 23:05 --------- d-----w C:\Program Files\Ulead Systems
2008-03-12 23:01 --------- d-----w C:\Program Files\7-Zip
2008-03-12 22:51 --------- d-----w C:\Program Files\QuickTime
2008-03-12 22:50 --------- d-----w C:\Program Files\Apple Software Update
2008-03-12 22:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-12 22:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-12 22:45 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-12 22:44 --------- d-----w C:\Program Files\Skype
2008-03-12 22:44 --------- d-----w C:\Program Files\Common Files\Skype
2008-03-12 22:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-03-12 22:37 --------- d-----w C:\Program Files\Windows Live
2008-03-12 22:28 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-12 22:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-12 21:47 --------- d-----w C:\Program Files\Allway Sync
2008-03-12 21:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sync App Settings
2008-03-12 21:33 400,864 ----a-w C:\WINDOWS\system32\drivers\timntr.sys
2008-03-12 21:33 32,768 ----a-w C:\WINDOWS\system32\drivers\tifsfilt.sys
2008-03-12 21:33 120,992 ----a-w C:\WINDOWS\system32\drivers\snapman.sys
2008-03-12 21:33 --------- d-----w C:\Program Files\Common Files\Seagate
2008-03-12 20:01 --------- d-----w C:\Documents and Settings\username\Application Data\Comodo
2008-03-12 20:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
2008-03-12 19:59 --------- d-----w C:\Program Files\Comodo
2008-03-12 18:26 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5976CC32-A62F-476B-9CFD-3FFC38E8438D}]
C:\WINDOWS\system32\hgGwVMFU.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CA3041B-8276-48D4-B391-7B3B6D158402}]
C:\WINDOWS\system32\fcccyXOe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD213644-E2F1-4AFB-9F19-52177361DA8F}]
C:\WINDOWS\system32\khfDvsPI.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DFC957B7-6F49-4EF1-9A33-3FAF032E60A1}]
C:\WINDOWS\system32\geBrsTnL.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 00:13 1591808]
"RSD_HDDThermo"="C:\Program Files\HDD Thermometer\HDD Thermometer.exe" [2005-04-01 22:32 215040]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2008-03-13 01:29 1115728]
"SystemTray"="SysTray.Exe" [2001-08-23 20:30 3072 C:\WINDOWS\system32\systray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 00:56 53760 C:\WINDOWS\system32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 22:59 44544]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJYQGaA]
ljJYQGaA.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssttt]
C:\WINDOWS\system32\ssttt.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
--a------ 2007-08-08 17:51 148760 C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
--a------ 2007-08-08 18:00 1945424 C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMc7743b3e]
C:\WINDOWS\system32\gqjkcvsu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c44708a2]
C:\WINDOWS\system32\jfijxgcf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
--a------ 2007-08-08 17:47 1169456 C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
--a------ 2006-03-31 14:36 634880 C:\Program Files\Eraser\eraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FmctrlTray]
-ra------ 2001-08-20 19:17 270336 C:\WINDOWS\system32\fmctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 20:16 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TweakMASTER]
--a------ 2006-11-27 15:25 283168 C:\Program Files\TweakMASTER\TMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USSShReg]
--a------ 1997-11-23 04:16 20992 C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\SandraLite\\Win32\\RpcDataSrv.exe"=
"C:\\Program Files\\SandraLite\\RpcSandraSrv.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\IPCheck Server Monitor 5\\IPCheckServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-30 00:01]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-30 00:05]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;C:\Program Files\IPCheck Server Monitor 5\Firebird\bin\fbguard.exe [2007-03-02 14:05]
R2 IPCProbeService;IPCheck Server Monitor Local/Remote Probe Module;C:\Program Files\IPCheck Server Monitor 5\IPCheckProbe.exe [2008-01-25 18:44]
R2 IPCServerService;IPCheck Server Monitor Webserver Module;C:\Program Files\IPCheck Server Monitor 5\IPCheckServer.exe [2008-01-25 18:44]
R2 SBKUPNT;SBKUPNT;C:\WINDOWS\system32\Drivers\SBKUPNT.SYS [2001-07-13 13:56]
R2 Vcs;Vcs support;C:\WINDOWS\system32\Drivers\Vcs.sys [2003-04-15 18:07]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;C:\Program Files\IPCheck Server Monitor 5\Firebird\bin\fbserver.exe [2007-03-02 14:05]
R3 gameport;FM801 PCI Joystick;C:\WINDOWS\system32\DRIVERS\fmjoy.sys [2001-11-02 08:19]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys [2007-12-19 01:09]
R3 svgam;svgam;C:\WINDOWS\system32\DRIVERS\svgam.sys [2006-10-22 09:54]
R3 wdm_fm801;FM801 PCI Audio (WDM);C:\WINDOWS\system32\drivers\fm801.sys [2001-11-02 12:03]
S3 IMNPF;IMFirewall Packet Filter;C:\WINDOWS\system32\drivers\imnpf.sys [2006-09-25 15:32]
S4 WFilterd;WFilterd;C:\Program Files\IMFirewall\WFilter\webservd.exe []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-28 15:46:37 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 03:58:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bcserver]
"ImagePath"="C:\Program Files\Bandwidth Controller Standard Server\bcserver.service"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-29 4:04:02 - machine was rebooted [username]
ComboFix-quarantined-files.txt 2008-04-28 22:33:58

Pre-Run: 12,298,063,872 bytes free
Post-Run: 12,247,552,000 bytes free
286
End of Combofix log
--------------------------------------------------------------


HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22:53 AM, on 4/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\HDD Thermometer\HDD Thermometer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\IPCheck Server Monitor 5\Firebird\bin\fbguard.exe
C:\Program Files\IPCheck Server Monitor 5\Firebird\bin\fbserver.exe
C:\Program Files\IPCheck Server Monitor 5\IPCheckProbe.exe
C:\Program Files\IPCheck Server Monitor 5\IPCheckServer.exe
C:\Program Files\IPCheck Server Monitor 5\IPCheckServer.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5976CC32-A62F-476B-9CFD-3FFC38E8438D} - C:\WINDOWS\system32\hgGwVMFU.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: TweakMASTER Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dll
O2 - BHO: (no name) - {8CA3041B-8276-48D4-B391-7B3B6D158402} - C:\WINDOWS\system32\fcccyXOe.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {CD213644-E2F1-4AFB-9F19-52177361DA8F} - C:\WINDOWS\system32\khfDvsPI.dll (file missing)
O2 - BHO: (no name) - {DFC957B7-6F49-4EF1-9A33-3FAF032E60A1} - C:\WINDOWS\system32\geBrsTnL.dll (file missing)
O3 - Toolbar: &Netcraft Toolbar - {D554D8FC-B36D-4BB4-93DB-4A3394D505E3} - C:\Program Files\Netcraft Toolbar\nctb.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Program Files\HDD Thermometer\HDD Thermometer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205358557234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205652980468
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://service.futuremark.com/virtualmark/tc/MSC3.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ljJYQGaA - ljJYQGaA.dll (file missing)
O20 - Winlogon Notify: ssttt - C:\WINDOWS\system32\ssttt.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: Bandwidth Controller Server (bcserver) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - FirebirdSQL Project - C:\Program Files\IPCheck Server Monitor 5\Firebird\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - FirebirdSQL Project - C:\Program Files\IPCheck Server Monitor 5\Firebird\bin\fbserver.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: IPCheck Server Monitor Local/Remote Probe Module (IPCProbeService) - Paessler AG - C:\Program Files\IPCheck Server Monitor 5\IPCheckProbe.exe
O23 - Service: IPCheck Server Monitor Webserver Module (IPCServerService) - Paessler AG - C:\Program Files\IPCheck Server Monitor 5\IPCheckServer.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SandraLite\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SandraLite\RpcSandraSrv.exe

--
End of file - 7903 bytes

random/random
2008-04-29, 18:33
Open a new notepad window (Start>All programs>accessories>notepad)
Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard

File::
C:\Documents and Settings\username\Local Settings\Temporary Internet Files\Content.IE5\8QM4ZQYK\kriv[1]
C:\Documents and Settings\username\Local Settings\Temporary Internet Files\Content.IE5\B8J4UR0P\CA5WUTHN
C:\Documents and Settings\username\Local Settings\Temporary Internet Files\Content.IE5\UMI0RM6Q\idkfa[1]
C:\WINDOWS\system32\dqlhwipj.dll
C:\WINDOWS\system32\msclwroq.dll
C:\WINDOWS\system32\ohsukjxw.dll
C:\WINDOWS\system32\onfvwmrh.dll
C:\WINDOWS\system32\puegmmgb.dll
C:\WINDOWS\system32\qnljjhbd.dll
C:\WINDOWS\system32\smejnurr.dll
C:\WINDOWS\system32\nndryghm.dll_old
C:\WINDOWS\system32\mhgyrdnn.ini
C:\WINDOWS\system32\uplkyscj.ini
C:\WINDOWS\BMc7743b3e.xml
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5976CC32-A62F-476B-9CFD-3FFC38E8438D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CA3041B-8276-48D4-B391-7B3B6D158402}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD213644-E2F1-4AFB-9F19-52177361DA8F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DFC957B7-6F49-4EF1-9A33-3FAF032E60A1}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJYQGaA]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssttt]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMc7743b3e]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c44708a2]

Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
Save it to the desktop as CFscript.txt
Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
http://images.malwareremoval.com/cfscript/CFScript.gif
When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

echo1
2008-04-30, 02:46
Combofix log

ComboFix 08-04-27.3 - username 2008-04-30 5:45:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.712 [GMT 5.5:30]
Running from: C:\Documents and Settings\username\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\username\Desktop\CFscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\username\Local Settings\Temporary Internet Files\Content.IE5\8QM4ZQYK\kriv[1]
C:\Documents and Settings\username\Local Settings\Temporary Internet Files\Content.IE5\B8J4UR0P\CA5WUTHN
C:\Documents and Settings\username\Local Settings\Temporary Internet Files\Content.IE5\UMI0RM6Q\idkfa[1]
C:\WINDOWS\BMc7743b3e.xml
C:\WINDOWS\system32\dqlhwipj.dll
C:\WINDOWS\system32\mhgyrdnn.ini
C:\WINDOWS\system32\msclwroq.dll
C:\WINDOWS\system32\nndryghm.dll_old
C:\WINDOWS\system32\ohsukjxw.dll
C:\WINDOWS\system32\onfvwmrh.dll
C:\WINDOWS\system32\puegmmgb.dll
C:\WINDOWS\system32\qnljjhbd.dll
C:\WINDOWS\system32\smejnurr.dll
C:\WINDOWS\system32\uplkyscj.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMc7743b3e.xml
C:\WINDOWS\system32\mhgyrdnn.ini
C:\WINDOWS\system32\uplkyscj.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.

2008-04-29 03:53 . 2008-04-29 03:53 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-28 21:46 . 2004-08-03 22:59 250,032 -rahs---- C:\ntldr
2008-04-28 01:13 . 2008-04-28 01:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-27 23:36 . 2008-04-27 23:36 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-27 23:36 . 2008-04-27 23:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-27 21:27 . 2008-04-27 22:33 <DIR> d-------- C:\Program Files\RegCleaner
2008-04-24 23:23 . 2008-04-28 16:08 617 --a------ C:\WINDOWS\wininit.ini
2008-04-24 22:33 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-24 22:33 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-24 22:33 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-24 03:03 . 2008-04-25 14:48 1,063,075,840 --a------ C:\WINDOWS\MEMORY.DMP
2008-04-24 01:41 . 2008-04-30 05:33 <DIR> d-------- C:\Program Files\Netcraft Toolbar
2008-04-23 23:35 . 2008-04-23 23:35 <DIR> d-------- C:\Program Files\WatchMouse Site Monitor
2008-04-23 21:58 . 2008-04-23 21:58 1,024 --ah----- C:\Documents and Settings\Default User\NTUSER.DAT.LOG
2008-04-23 21:53 . 2004-08-04 00:56 562,176 --a--c--- C:\WINDOWS\system32\dllcache\fxsst.dll
2008-04-23 21:52 . 2004-08-04 00:56 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-04-23 21:50 . 2008-04-23 21:50 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-04-23 21:50 . 2008-04-23 21:50 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-04-23 21:50 . 2008-04-23 21:50 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-04-23 21:50 . 2008-04-23 21:50 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-04-23 21:50 . 2008-04-23 21:50 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-04-23 21:50 . 2008-04-23 21:50 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-04-23 21:28 . 2001-08-23 21:30 13,107,200 --a------ C:\WINDOWS\system32\oembios.bin
2008-04-23 21:27 . 2001-08-23 20:30 3,440,660 --a------ C:\WINDOWS\system32\drivers\gm.dls
2008-04-23 17:21 . 2008-04-23 17:22 <DIR> d-------- C:\Program Files\HoverIP
2008-04-23 16:00 . 2008-04-23 16:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-23 15:39 . 2008-04-23 15:39 <DIR> d-------- C:\Documents and Settings\username\Application Data\Lavasoft
2008-04-23 15:06 . 2008-04-27 21:02 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-23 15:06 . 2008-04-24 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-23 15:05 . 2008-04-23 16:01 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-21 08:19 . 2007-03-02 14:05 393,216 --a------ C:\WINDOWS\system32\GDS32.DLL
2008-04-21 08:18 . 2008-04-21 08:23 <DIR> d-------- C:\Program Files\IPCheck Server Monitor 5
2008-04-21 08:09 . 2008-04-25 09:06 <DIR> d-------- C:\Program Files\Webserver Stress Tool 7
2008-04-20 16:58 . 2008-04-28 09:18 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-20 16:58 . 2008-04-20 16:58 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-10 03:32 . 2008-04-10 03:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2008-04-06 21:13 . 2008-04-06 21:13 <DIR> d-------- C:\Program Files\ISO Recorder
2008-04-05 23:18 . 2008-04-05 23:18 <DIR> d-------- C:\Program Files\NasBackup
2008-04-03 15:32 . 2008-04-03 15:32 <DIR> d-------- C:\Program Files\Webinaria
2008-04-03 03:40 . 2008-04-03 03:40 <DIR> d-------- C:\Program Files\WindowShoot
2008-03-31 15:34 . 2008-04-15 17:58 1,213 --a------ C:\todo.html
2008-03-30 09:55 . 2008-03-30 09:55 <DIR> d-------- C:\Program Files\Right Picture Download Manager
2008-03-30 09:55 . 2008-03-30 09:55 <DIR> d-------- C:\Documents and Settings\username\Application Data\Rightfiles
2008-03-30 08:41 . 2008-03-30 08:41 <DIR> d-------- C:\Program Files\WinHTTrack
2008-03-28 22:58 . 2008-04-25 11:15 17,844 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-03-28 22:41 . 2008-03-28 22:41 <DIR> d-------- C:\Program Files\Safari
2008-03-28 22:41 . 2008-03-28 22:41 <DIR> d-------- C:\Documents and Settings\username\Application Data\Apple Computer
2008-03-27 01:16 . 2008-03-27 01:16 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-26 00:08 . 2008-03-26 00:08 <DIR> d-------- C:\Program Files\SandraLite
2008-03-23 18:07 . 2008-03-23 18:07 <DIR> d-------- C:\WINDOWS\system32\Futuremark
2008-03-23 18:00 . 2008-03-23 18:00 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-03-22 04:04 . 2008-04-23 16:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-21 17:37 . 2008-03-21 17:37 <DIR> d-------- C:\WINDOWS\Sun
2008-03-21 17:33 . 2008-04-29 18:59 <DIR> d-------- C:\Program Files\VisualRoute Lite Edition
2008-03-21 17:33 . 2008-04-29 18:59 <DIR> d-------- C:\Documents and Settings\username\vw
2008-03-21 17:32 . 2008-03-21 17:32 <DIR> d-------- C:\Program Files\Java
2008-03-21 17:32 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-21 17:26 . 2008-03-21 17:26 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-21 13:36 . 2008-03-21 13:36 <DIR> d-------- C:\Program Files\Hidden Utilities XP
2008-03-20 13:59 . 2008-03-20 14:04 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-03-19 07:57 . 2008-03-19 07:57 657 --a------ C:\boot.ini.save
2008-03-18 01:04 . 2008-03-18 01:04 <DIR> d-------- C:\Program Files\BitTorrent
2008-03-17 21:04 . 2007-02-07 01:27 765,952 --a------ C:\WINDOWS\system32\bgd.dll
2008-03-17 20:52 . 2007-06-13 10:10 221,184 --a------ C:\WINDOWS\system32\impcap.dll
2008-03-17 20:52 . 2007-06-13 10:10 57,344 --a------ C:\WINDOWS\system32\IMPacket.dll
2008-03-17 20:52 . 2007-06-13 10:10 49,152 --a------ C:\WINDOWS\system32\IMWanPacket.dll
2008-03-17 20:52 . 2006-09-25 15:32 33,456 --a------ C:\WINDOWS\system32\drivers\imnpf.sys
2008-03-17 19:21 . 2008-03-17 19:21 <DIR> d-------- C:\Program Files\Bandwidth Controller Standard Client
2008-03-17 19:21 . 2008-03-17 19:21 216,064 --a------ C:\WINDOWS\system32\drivers\bcim.sys
2008-03-17 17:46 . 2008-03-17 19:21 <DIR> d-------- C:\Program Files\Bandwidth Controller Standard Server
2008-03-17 17:31 . 2008-03-17 17:31 0 --a------ C:\ipconfig
2008-03-17 15:51 . 2008-03-17 15:51 <DIR> d-------- C:\Documents and Settings\username\Application Data\Locktime
2008-03-17 15:49 . 2008-03-17 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Locktime
2008-03-17 06:59 . 2008-03-17 06:59 <DIR> d-------- C:\Program Files\CPU Usage Resource Kit
2008-03-17 06:50 . 2008-03-17 06:55 <DIR> d-------- C:\Program Files\DiskResourceKit
2008-03-17 02:38 . 2008-03-17 02:38 0 --a------ C:\find
2008-03-16 14:19 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-16 14:19 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-15 13:08 . 2008-03-15 13:08 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-15 04:10 . 2008-03-15 04:10 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-15 01:45 . 2008-04-22 17:50 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-14 02:08 . 2008-03-14 03:23 <DIR> d-------- C:\Program Files\Microsoft Virtual PC
2008-03-14 01:12 . 2008-03-14 01:12 <DIR> d-------- C:\Documents and Settings\username\Application Data\Sync App Settings
2008-03-14 01:09 . 2008-04-07 00:15 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-03-14 00:54 . 2008-03-14 00:54 <DIR> d-------- C:\Program Files\PowerQuest
2008-03-13 07:15 . 2008-03-13 07:15 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Comodo
2008-03-13 07:14 . 2008-04-03 23:52 <DIR> d-------- C:\Documents and Settings\admin
2008-03-13 07:14 . 2008-04-29 06:12 1,024 --ah----- C:\Documents and Settings\admin\ntuser.dat.LOG
2008-03-13 06:45 . 2008-04-24 23:41 1,430,808 --a------ C:\WINDOWS\system32\AutoPartNt.exe
2008-03-13 06:45 . 2008-04-24 23:43 1,024 --a------ C:\WINDOWS\system32\AutoPartNt.let
2008-03-13 06:41 . 2008-03-13 06:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Seagate
2008-03-13 06:19 . 2008-03-13 06:19 <DIR> d-------- C:\Program Files\Softnik Technologies
2008-03-13 06:16 . 2008-03-13 06:16 <DIR> d-------- C:\Documents and Settings\username\Application Data\Screaming Bee
2008-03-13 06:15 . 2008-03-13 06:15 <DIR> d-------- C:\Program Files\Common Files\Screaming Bee
2008-03-13 06:13 . 2008-03-13 06:14 <DIR> d-------- C:\Program Files\MorphVOX Junior
2008-03-13 06:08 . 2008-03-13 06:08 <DIR> d-------- C:\Program Files\PC Wizard 2008
2008-03-13 06:08 . 2007-09-15 15:11 27,136 --a------ C:\WINDOWS\system32\PCWizard.cpl
2008-03-13 04:59 . 2008-04-23 19:30 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-03-13 04:59 . 2008-03-17 20:52 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-03-13 04:56 . 2008-03-13 04:56 <DIR> d-------- C:\Program Files\Common Files\Vbox
2008-03-13 04:38 . 2008-03-13 04:38 <DIR> d-------- C:\Documents and Settings\username\Application Data\AdobeUM
2008-03-13 04:37 . 2008-03-13 05:00 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-13 04:36 . 2008-03-13 04:36 <DIR> d-------- C:\WINDOWS\Cache
2008-03-13 04:36 . 2008-04-30 02:41 4,378 --a------ C:\WINDOWS\ULEAD32.INI
2008-03-13 04:36 . 2008-03-28 11:05 78 --ah----- C:\WINDOWS\system32\damp10.uns
2008-03-13 04:35 . 2008-03-13 04:35 <DIR> d-------- C:\Program Files\Ulead Systems
2008-03-13 04:35 . 2008-03-13 04:35 <DIR> d-------- C:\Documents and Settings\username\WINDOWS
2008-03-13 04:31 . 2008-03-13 04:31 <DIR> d-------- C:\Program Files\7-Zip
2008-03-13 04:20 . 2008-03-13 04:21 <DIR> d-------- C:\Program Files\QuickTime
2008-03-13 04:20 . 2008-03-13 04:20 <DIR> d-------- C:\Program Files\Apple Software Update
2008-03-13 04:20 . 2008-03-13 04:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-13 04:20 . 2008-03-13 04:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-03-13 04:18 . 2008-03-25 18:16 <DIR> d-------- C:\Program Files\The KMPlayer
2008-03-13 04:15 . 2008-03-29 21:25 <DIR> d-------- C:\Documents and Settings\username\Application Data\skypePM
2008-03-13 04:15 . 2008-03-13 04:15 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-13 04:14 . 2008-03-13 04:14 <DIR> d-------- C:\Program Files\Skype
2008-03-13 04:14 . 2008-03-13 04:14 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-03-13 04:14 . 2008-03-29 21:28 <DIR> d-------- C:\Documents and Settings\username\Application Data\Skype
2008-03-13 04:13 . 2008-03-13 04:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-03-13 04:11 . 2008-03-13 04:12 <DIR> d-------- C:\Documents and Settings\username\Contacts
2008-03-13 04:08 . 2008-03-13 04:08 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-13 04:03 . 2008-03-13 04:03 512 ---hs---- C:\BOOTSECT.DOS
2008-03-13 03:36 . 2008-03-13 04:07 <DIR> d-------- C:\Program Files\Windows Live
2008-03-13 03:36 . 2008-03-13 03:58 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 00:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\HDD Thermometer
2008-04-19 16:43 --------- d-----w C:\Program Files\SpeedFan
2008-03-16 22:22 --------- d-----w C:\Program Files\AIDA32 - Enterprise System Information
2008-03-13 06:17 --------- d-----w C:\Program Files\Eraser
2008-03-13 00:26 --------- d-----w C:\Program Files\DebugMode
2008-03-13 00:25 --------- d-----w C:\Program Files\TweakMASTER
2008-03-13 00:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hagel Technologies
2008-03-13 00:23 --------- d-----w C:\Program Files\Index.dat Suite
2008-03-13 00:22 --------- d-----w C:\Program Files\HDD Thermometer
2008-03-13 00:22 --------- d-----w C:\Documents and Settings\username\Application Data\HDD Thermometer
2008-03-13 00:21 --------- d-----w C:\Program Files\YourWare Solutions
2008-03-13 00:20 --------- d-----w C:\Program Files\Disk Investigator
2008-03-13 00:14 --------- d-----w C:\Program Files\FreshDevices
2008-03-13 00:13 --------- d-----w C:\Program Files\Mydrivers
2008-03-12 23:58 --------- d-----w C:\Program Files\Terragen
2008-03-12 23:57 --------- d-----w C:\Program Files\Google
2008-03-12 23:51 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-12 18:26 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((( snapshot@2008-04-29_ 4.03.45.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-28 22:28:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-30 00:18:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-28 23:20:11 86,097 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
+ 2008-04-30 00:18:46 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6fc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5976CC32-A62F-476B-9CFD-3FFC38E8438D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7296C7A4-E0FC-45D8-A62F-366C54EF72FA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CA3041B-8276-48D4-B391-7B3B6D158402}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD213644-E2F1-4AFB-9F19-52177361DA8F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB2887B6-E5F2-4B77-94B9-4929F96E5324}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DFC957B7-6F49-4EF1-9A33-3FAF032E60A1}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 00:13 1591808]
"RSD_HDDThermo"="C:\Program Files\HDD Thermometer\HDD Thermometer.exe" [2005-04-01 22:32 215040]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2008-03-13 01:29 1115728]
"SystemTray"="SysTray.Exe" [2001-08-23 20:30 3072 C:\WINDOWS\system32\systray.exe]
"BMc7743b3e"="C:\WINDOWS\system32\dqlhwipj.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 00:56 53760 C:\WINDOWS\system32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 22:59 44544]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJYQGaA]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssttt]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
--a------ 2007-08-08 17:51 148760 C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
--a------ 2007-08-08 18:00 1945424 C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
--a------ 2007-08-08 17:47 1169456 C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
--a------ 2006-03-31 14:36 634880 C:\Program Files\Eraser\eraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FmctrlTray]
-ra------ 2001-08-20 19:17 270336 C:\WINDOWS\system32\fmctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 20:16 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TweakMASTER]
--a------ 2006-11-27 15:25 283168 C:\Program Files\TweakMASTER\TMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USSShReg]
--a------ 1997-11-23 04:16 20992 C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\SandraLite\\Win32\\RpcDataSrv.exe"=
"C:\\Program Files\\SandraLite\\RpcSandraSrv.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\IPCheck Server Monitor 5\\IPCheckServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-30 00:01]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-30 00:05]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;C:\Program Files\IPCheck Server Monitor 5\Firebird\bin\fbguard.exe [2007-03-02 14:05]
R2 IPCProbeService;IPCheck Server Monitor Local/Remote Probe Module;C:\Program Files\IPCheck Server Monitor 5\IPCheckProbe.exe [2008-01-25 18:44]
R2 IPCServerService;IPCheck Server Monitor Webserver Module;C:\Program Files\IPCheck Server Monitor 5\IPCheckServer.exe [2008-01-25 18:44]
R2 SBKUPNT;SBKUPNT;C:\WINDOWS\system32\Drivers\SBKUPNT.SYS [2001-07-13 13:56]
R2 Vcs;Vcs support;C:\WINDOWS\system32\Drivers\Vcs.sys [2003-04-15 18:07]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;C:\Program Files\IPCheck Server Monitor 5\Firebird\bin\fbserver.exe [2007-03-02 14:05]
R3 gameport;FM801 PCI Joystick;C:\WINDOWS\system32\DRIVERS\fmjoy.sys [2001-11-02 08:19]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys [2007-12-19 01:09]
R3 svgam;svgam;C:\WINDOWS\system32\DRIVERS\svgam.sys [2006-10-22 09:54]
R3 wdm_fm801;FM801 PCI Audio (WDM);C:\WINDOWS\system32\drivers\fm801.sys [2001-11-02 12:03]
S3 IMNPF;IMFirewall Packet Filter;C:\WINDOWS\system32\drivers\imnpf.sys [2006-09-25 15:32]
S4 WFilterd;WFilterd;C:\Program Files\IMFirewall\WFilter\webservd.exe []

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 05:49:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bcserver]
"ImagePath"="C:\Program Files\Bandwidth Controller Standard Server\bcserver.service"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-30 5:53:47 - machine was rebooted [username]
ComboFix-quarantined-files.txt 2008-04-30 00:23:44

Pre-Run: 12,192,751,616 bytes free
Post-Run: 12,188,819,456 bytes free

298
End of Combofix log

...............................................................................

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:06:25 AM, on 4/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\HDD Thermometer\HDD Thermometer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\IPCheck Server Monitor 5\Firebird\bin\fbguard.exe
C:\Program Files\IPCheck Server Monitor 5\Firebird\bin\fbserver.exe
C:\Program Files\IPCheck Server Monitor 5\IPCheckProbe.exe
C:\Program Files\IPCheck Server Monitor 5\IPCheckServer.exe
C:\Program Files\IPCheck Server Monitor 5\IPCheckServer.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7296C7A4-E0FC-45D8-A62F-366C54EF72FA} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: TweakMASTER Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {DB2887B6-E5F2-4B77-94B9-4929F96E5324} - (no file)
O3 - Toolbar: &Netcraft Toolbar - {D554D8FC-B36D-4BB4-93DB-4A3394D505E3} - C:\Program Files\Netcraft Toolbar\nctb.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\dqlhwipj.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Program Files\HDD Thermometer\HDD Thermometer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205358557234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205652980468
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://service.futuremark.com/virtualmark/tc/MSC3.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: Bandwidth Controller Server (bcserver) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - FirebirdSQL Project - C:\Program Files\IPCheck Server Monitor 5\Firebird\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - FirebirdSQL Project - C:\Program Files\IPCheck Server Monitor 5\Firebird\bin\fbserver.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: IPCheck Server Monitor Local/Remote Probe Module (IPCProbeService) - Paessler AG - C:\Program Files\IPCheck Server Monitor 5\IPCheckProbe.exe
O23 - Service: IPCheck Server Monitor Webserver Module (IPCServerService) - Paessler AG - C:\Program Files\IPCheck Server Monitor 5\IPCheckServer.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SandraLite\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SandraLite\RpcSandraSrv.exe

--
End of file - 7767 bytes

End of HJT log

random/random
2008-04-30, 19:18
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.


Run HijackThis.
Click on Do a system scan only.
Place a checkmark next to these lines (if still present).

O2 - BHO: (no name) - {7296C7A4-E0FC-45D8-A62F-366C54EF72FA} - (no file)
O2 - BHO: (no name) - {DB2887B6-E5F2-4B77-94B9-4929F96E5324} - (no file)
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\dqlhwipj.dll",s

Then close all windows except HijackThis and click Fix Checked.

Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic, along with a new HijackThis log and a description of any remaining problems.
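
To show how the three lines listed above stand out from the rest of the log, here is an added example (not part of this thread and not HijackThis' own logic) that applies two rules to the O2/O4 lines quoted from the HJT log: a BHO whose CLSID is still registered but whose file is "(no file)", and a Run entry that HJT prints with no [name] or that loads a DLL via rundll32 from system32 under a random-looking name. The allowlist KNOWN_GOOD_STEMS and the vowel-ratio threshold are assumptions of the example only, a stand-in for a real known-good database.

```python
"""Flag Vundo/Virtumonde-style persistence in HijackThis (HJT) log lines.

Added example, not code from the thread or from HijackThis. SAMPLE_HJT is
copied from the HJT log posted above; the rules are this example's own
heuristics (assumption: KNOWN_GOOD_STEMS stands in for a real allowlist).
"""
import re

KNOWN_GOOD_STEMS = {"nvcpl", "bthprops", "shell32", "keymgr"}  # assumption: tiny allowlist

SAMPLE_HJT = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7296C7A4-E0FC-45D8-A62F-366C54EF72FA} - (no file)
O2 - BHO: (no name) - {DB2887B6-E5F2-4B77-94B9-4929F96E5324} - (no file)
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\dqlhwipj.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# O2: "O2 - BHO: <name> - {CLSID} - <path or (no file)>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# O4: "O4 - HKLM\..\Run: [<value name>] <command>"; the [name] part is optional
O4_RE = re.compile(r"^O4 - (?P<hive>HK\S+?)\\\.\.\\(?P<key>Run\w*): (?:\[(?P<value>[^\]]*)\] )?(?P<cmd>.+)$")
# rundll32 followed by an optionally quoted DLL path (the ",entrypoint" part is excluded)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)


def looks_random(stem):
    """Heuristic: 6-10 lowercase letters, vowel-poor, and not on the allowlist."""
    if stem.lower() in KNOWN_GOOD_STEMS or not re.fullmatch(r"[a-z]{6,10}", stem):
        return False
    vowels = sum(stem.count(v) for v in "aeiou")
    return vowels / len(stem) < 0.3


def triage(log_text):
    """Return [{'line': ..., 'reasons': [...]}] for every suspicious O2/O4 line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        m = O2_RE.match(line)
        if m and m.group("path") == "(no file)":
            reasons.append("orphaned BHO: CLSID still registered but its DLL is gone")
        m = O4_RE.match(line)
        if m:
            if m.group("value") is None:
                reasons.append("Run entry printed with no [name]")
            r = RUNDLL_RE.search(m.group("cmd"))
            if r:
                dll = r.group("dll").replace("/", "\\")
                folder, _, filename = dll.rpartition("\\")
                stem = filename.rsplit(".", 1)[0]
                if "system32" in folder.lower() and looks_random(stem):
                    reasons.append("rundll32 loads a randomly named DLL from system32")
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_HJT):
        print(hit["line"])
        for why in hit["reasons"]:
            print("   ->", why)
```

Run against the sample it reports exactly the two orphaned BHOs and the Rundll32 line, the same three entries the helper asked to have fixed; the benign Run entries (COMODO, SysTray, ctfmon) pass untouched. The vowel test is crude by design: it catches names like dqlhwipj but would also accept some short real names, so treat a hit as a prompt to look the file up, not as proof.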

echo1
2008-05-01, 15:19
Eset scan report

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3067 (20080430)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=4a616404fbb9574993f5a0072b54f1f7
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-05-01 12:46:52
# local_time=2008-05-01 06:16:52
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=1164255
# found=12
# scan_time=25959
C:\QooBox\Quarantine\catchme2008-04-29_ 35612.23.zip Win32/Adware.Virtumonde application 45FD2D1220AE036A86C0F7C6A0E9C16C
C:\QooBox\Quarantine\catchme2008-04-29_ 35612.23.zip »ZIP »?kkJyYpO.dll Win32/Adware.Virtumonde application 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\ljJYQGaA.dll.vir Win32/Adware.Virtumonde application D2F0C9C21A8DF06880C51DB457D91059
C:\System Volume Information\_restore{1B5A7CA2-368E-48E2-997F-F9638DAEFA7B}\RP3\A0000119.dll Win32/Adware.Virtumonde application D2F0C9C21A8DF06880C51DB457D91059
F:\OTHER CONTENT\MISCfromDdrive\from CD\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe multiple infiltrations 84373090B6B8D2122424EE6E5B997C9D
F:\OTHER CONTENT\MISCfromDdrive\from CD\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe »RAR »axdlplug.dll Win32/Adware.ZoneMedia application 00000000000000000000000000000000
F:\OTHER CONTENT\MISCfromDdrive\from CD\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe »RAR »buddy.exe Win32/Obfuscated.A1 trojan 00000000000000000000000000000000
F:\OTHER CONTENT\MISCfromDdrive\from CD\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe »RAR »setup2.exe Win32/Adware.ZoneMedia application 00000000000000000000000000000000
F:\OTHER CONTENT\old docs\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe multiple infiltrations 84373090B6B8D2122424EE6E5B997C9D
F:\OTHER CONTENT\old docs\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe »RAR »axdlplug.dll Win32/Adware.ZoneMedia application 00000000000000000000000000000000
F:\OTHER CONTENT\old docs\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe »RAR »buddy.exe Win32/Obfuscated.A1 trojan 00000000000000000000000000000000
F:\OTHER CONTENT\old docs\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe »RAR »setup2.exe Win32/Adware.ZoneMedia application 00000000000000000000000000000000

.......................................................................................


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:38:12 PM, on 5/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Process Lasso\processgovernor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Process Lasso\ProcessLasso.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\IPCheck Server Monitor 5\Firebird\bin\fbguard.exe
C:\Program Files\IPCheck Server Monitor 5\Firebird\bin\fbserver.exe
C:\Program Files\IPCheck Server Monitor 5\IPCheckProbe.exe
C:\Program Files\IPCheck Server Monitor 5\IPCheckServer.exe
C:\Program Files\IPCheck Server Monitor 5\IPCheckServer.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: TweakMASTER Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Netcraft Toolbar - {D554D8FC-B36D-4BB4-93DB-4A3394D505E3} - C:\Program Files\Netcraft Toolbar\nctb.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ProcessGovernor] C:\Program Files\Process Lasso\processgovernor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Program Files\HDD Thermometer\HDD Thermometer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ProcessSupervisorGUI] C:\Program Files\Process Lasso\ProcessLasso.exe /tray
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205358557234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205652980468
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://service.futuremark.com/virtualmark/tc/MSC3.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: Bandwidth Controller Server (bcserver) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - FirebirdSQL Project - C:\Program Files\IPCheck Server Monitor 5\Firebird\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - FirebirdSQL Project - C:\Program Files\IPCheck Server Monitor 5\Firebird\bin\fbserver.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: IPCheck Server Monitor Local/Remote Probe Module (IPCProbeService) - Paessler AG - C:\Program Files\IPCheck Server Monitor 5\IPCheckProbe.exe
O23 - Service: IPCheck Server Monitor Webserver Module (IPCServerService) - Paessler AG - C:\Program Files\IPCheck Server Monitor 5\IPCheckServer.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SandraLite\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SandraLite\RpcSandraSrv.exe

--
End of file - 8057 bytes
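
The helper's next step (delete only the two installers on F:, leave the QooBox and restore-point hits alone) follows from where each detection sits, and that can be read straight off the report. Here is an added example, not code from the thread or from ESET, that parses the ESET report above (copied as the sample, minus the one line whose member name did not survive encoding) and sorts the hits into live files, ComboFix quarantine and System Restore points. It assumes the line shape `<path> [»TYPE »member ...] <threat> [<category>] <md5>`, with » marking an archive member, and that paths contain no forward slash.

```python
"""Triage an ESET Online Scanner report: which hits are on live files and
which are already in quarantine or a System Restore point.

Added example, not code from the thread or from ESET. SAMPLE_ESET is the
report posted above; the line format below is an assumption of this example.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_ESET = r"""
# found=12
C:\QooBox\Quarantine\catchme2008-04-29_ 35612.23.zip Win32/Adware.Virtumonde application 45FD2D1220AE036A86C0F7C6A0E9C16C
C:\QooBox\Quarantine\C\WINDOWS\system32\ljJYQGaA.dll.vir Win32/Adware.Virtumonde application D2F0C9C21A8DF06880C51DB457D91059
C:\System Volume Information\_restore{1B5A7CA2-368E-48E2-997F-F9638DAEFA7B}\RP3\A0000119.dll Win32/Adware.Virtumonde application D2F0C9C21A8DF06880C51DB457D91059
F:\OTHER CONTENT\MISCfromDdrive\from CD\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe multiple infiltrations 84373090B6B8D2122424EE6E5B997C9D
F:\OTHER CONTENT\MISCfromDdrive\from CD\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe »RAR »axdlplug.dll Win32/Adware.ZoneMedia application 00000000000000000000000000000000
F:\OTHER CONTENT\MISCfromDdrive\from CD\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe »RAR »buddy.exe Win32/Obfuscated.A1 trojan 00000000000000000000000000000000
F:\OTHER CONTENT\MISCfromDdrive\from CD\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe »RAR »setup2.exe Win32/Adware.ZoneMedia application 00000000000000000000000000000000
F:\OTHER CONTENT\old docs\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe multiple infiltrations 84373090B6B8D2122424EE6E5B997C9D
F:\OTHER CONTENT\old docs\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe »RAR »axdlplug.dll Win32/Adware.ZoneMedia application 00000000000000000000000000000000
F:\OTHER CONTENT\old docs\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe »RAR »buddy.exe Win32/Obfuscated.A1 trojan 00000000000000000000000000000000
F:\OTHER CONTENT\old docs\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe »RAR »setup2.exe Win32/Adware.ZoneMedia application 00000000000000000000000000000000
"""

# Path is parsed lazily from the left; the threat name is the first token
# containing "Platform/Family" (or the literal "multiple infiltrations").
LINE_RE = re.compile(
    r"^(?P<path>.*?) "
    r"(?P<threat>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+|multiple infiltrations)"
    r"(?: (?P<category>[a-z]+))? (?P<hash>[0-9A-Fa-f]{32})$"
)


@dataclass
class Detection:
    container: str            # top-level file on disk
    member: Optional[str]     # innermost archive member, if the hit is inside an archive
    threat: str
    category: Optional[str]
    location: str             # "quarantine", "restore_point" or "live"


def classify(container):
    """Where does this file live? Decides whether the user must act on it."""
    p = container.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"        # ComboFix quarantine, removed by 'Combofix /u'
    if "\\system volume information\\_restore" in p:
        return "restore_point"     # cleared by turning System Restore off and on
    return "live"


def parse_report(text):
    dets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                # header lines such as "# found=12"
        m = LINE_RE.match(line)
        if not m:
            continue                # unknown line shape: skip rather than guess
        parts = m.group("path").split(" »")   # "archive »RAR »member" -> 3 parts
        container = parts[0]
        member = parts[-1] if len(parts) > 1 else None
        dets.append(Detection(container, member, m.group("threat"),
                              m.group("category"), classify(container)))
    return dets


def by_container(dets):
    groups = {}
    for d in dets:
        groups.setdefault(d.container, []).append(d)
    return groups


def files_to_delete(dets):
    """Only hits on live files need a manual delete."""
    return sorted({d.container for d in dets if d.location == "live"})


if __name__ == "__main__":
    dets = parse_report(SAMPLE_ESET)
    for container, hits in by_container(dets).items():
        print(f"[{hits[0].location}] {container}: {len(hits)} hit(s)")
    print("delete:", *files_to_delete(dets), sep="\n  ")
```

On the sample this yields five containers: two in QooBox quarantine, one in a restore point, and the two installers on F:, which are the only ones returned by files_to_delete. Lines with a shape the regex does not recognise are skipped rather than mis-parsed, so always compare the parsed count against the report's own "found=" header.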

random/random
2008-05-01, 18:49
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


Delete these two files:


F:\OTHER CONTENT\MISCfromDdrive\from CD\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe
F:\OTHER CONTENT\old docs\MiscFiles\axdlplug-1.5.0.0-0147-setup.exe

You now appear to be clean. Congratulations!

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints (http://www.malwarecomplaints.info/index.php). You need to be registered to post, as unfortunately we were hit with too many spam postings to allow guest posting to continue; just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
Turn System Restore off
On the Desktop, right click on the My Computer icon.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart
Turn System Restore on
On the Desktop, right click on the My Computer icon.
Click Properties.
Click the System Restore tab.
Uncheck *Turn off System Restore*.
Click Apply, and then click OK.
Note: only do this once, and not on a regular basis
Make sure that you keep your antivirus updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC.
Go here (http://www.update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx) to check for & install updates to Microsoft applications
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install
Keep your non-Microsoft applications updated as well
Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector (http://secunia.com/software_inspector); I suggest that you run it at least once a month.
Make Internet Explorer more secure
Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
Next, click OK, then the Apply button and then OK to exit the Internet Properties page.
Install SpywareBlaster & make sure to update it regularly
SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster from here (http://www.javacoolsoftware.com/sbdownload.html)
Install and use Spybot Search & Destroy
Instructions are located here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)
Make sure you update, reimmunize & scan regularly
Make use of the HOSTS file included with Spybot Search & Destroy
Every version of Windows includes a hosts file. A hosts file is a bit like a phone book: it points from the human-friendly name of a website to its actual numeric address (i.e. the IP address). This feature can be used to block malicious websites
Spybot Search & Destroy has a good HOSTS file built in. To enable the HOSTS file in Spybot Search & Destroy:
Run Spybot Search & Destroy
Click on Mode, and then place a tick next to Advanced mode
Click Yes
In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
Click on Add Spybot-S&D hosts list
Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue
Click Start > Run
Type services.msc & click OK
In the list, find the service called DNS Client & double click on it. On the dropdown box, change the setting from automatic to manual. Click OK & then close the Services window
For a more detailed explanation of the HOSTS file, click here (http://forum.malwareremoval.com/viewtopic.php?t=22187)
Install a-squared Free & update and scan with it regularly
a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here (http://www.emsisoft.com/en/software/free/)
Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer (http://www.emsisoft.com/en/software/antidialer/) which provides some real time protection against premium rate dialers
Finally, I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date
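The HOSTS-file advice above relies on one mechanism: the resolver consults the hosts file before asking DNS, so a hostname listed against the loopback address (or 0.0.0.0) never reaches the real server. The following is an added example, not code from the thread, from Spybot-S&D or from Microsoft; it parses a small constructed hosts file (the sample text, hostnames ending in `.test`, and the helper names `parse_hosts`, `resolve`, `is_blocked` and `blocked_names` are all assumptions made for this illustration) and shows which lookups are sunk by the file and which fall through to DNS.

```python
"""Added example (not from the original thread): a small parser showing how a
HOSTS file shadows DNS for the names it lists.  The sample file below is
constructed for this illustration; it is not the Spybot-S&D list."""
import ipaddress

# Constructed sample HOSTS file.  The first entry mimics the Windows default;
# the "blocklist" entries point unwanted hostnames at the loopback address or
# at 0.0.0.0 so the browser never contacts the real server.
SAMPLE_HOSTS = """\
# This is a constructed sample HOSTS file, not the real one.
127.0.0.1       localhost
# --- constructed blocklist section ---
127.0.0.1  ad.example-tracker.test     # constructed ad server
127.0.0.1  www.example-malware.test example-malware.test
0.0.0.0    clicks.example-counter.test
not-an-ip  bogus.example.test          # malformed line, must be ignored
"""

# Addresses that a blocklist-style HOSTS file uses as a sink.
BLOCK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return {hostname (lowercased): ip}.

    Comments start at '#', one address may be followed by several names, and
    a name that appears twice keeps its first mapping (first match wins, as
    common resolvers do).  Lines whose first field is not a valid IP address
    are skipped rather than trusted."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no names is useless
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def resolve(mapping, hostname):
    """Mimic the resolver's first step: look in HOSTS before asking DNS.

    Returns the mapped address, or None meaning 'fall through to DNS'.
    Lookups are case-insensitive and tolerate a trailing dot."""
    return mapping.get(hostname.strip().lower().rstrip("."))


def is_blocked(mapping, hostname):
    """True if the file sinks this name.  'localhost' legitimately maps to
    loopback, so it is never reported as blocked."""
    key = hostname.strip().lower().rstrip(".")
    if key == "localhost":
        return False
    return resolve(mapping, key) in BLOCK_ADDRESSES


def blocked_names(mapping):
    """Sorted list of every hostname the file sinks (excluding localhost)."""
    return sorted(n for n in mapping if is_blocked(mapping, n))


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ad.example-tracker.test", "Example-Malware.test",
                 "www.google.com", "bogus.example.test"):
        addr = resolve(hosts, name)
        status = "BLOCKED" if is_blocked(hosts, name) else (
            "hosts -> " + addr if addr else "falls through to DNS")
        print(f"{name:30} {status}")
    print("sunk by file:", ", ".join(blocked_names(hosts)))
```

Running the block prints one line per lookup; names not in the file fall through to DNS, which is also why the DNS Client service matters: on Windows that service caches the whole hosts file, so a very large blocklist makes every lookup slower, which is the slowdown the steps above address by setting the service to manual.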

echo1
2008-05-02, 07:29
It does seem to be cleaned up very well. You people are awesome ..... Thank you very much !

random/random
2008-05-03, 12:57
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me a private message (pm). A valid, working link to the closed topic is required.