
Virtumonde and Virtumonde.dll ...need a boost.



Rickster
2008-04-28, 18:02
Hi,
Like several others I have been bitten by Virtumonde/Virtumonde.dll ...after trying all other attempts...I have downloaded combofix, HijackThis and ATF Cleaner.
I have used combofix before on other viruses and have to admit it rocks...If you could give me a boost on what magic formula I need to paste in notepad (save to the desktop) and then drag-n-drop over into combofix...it would be much appreciated.
P.S. If I understand Combofix right...each fix is tailored individually to each person's setup along with their Combofix log and HiJackThis log...is that correct?...or is there a place you can go to get this info otherwise?

Below is my Combofix log and HiJackThis log for your review.

COMBO FIX LOG!
ComboFix 08-04-27.1 - Ricky 2008-04-28 4:02:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.451 [GMT -5:00]
Running from: C:\Documents and Settings\Ricky\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\123messenger.per
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\licencia.txt
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bbjoaxet.ini
C:\WINDOWS\system32\fccbXnNh.dll
C:\WINDOWS\system32\jkkKcBtS.dll
C:\WINDOWS\system32\lVyGhPXx.ini
C:\WINDOWS\system32\lVyGhPXx.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\PqqYHkkj.ini
C:\WINDOWS\system32\PqqYHkkj.ini2
C:\WINDOWS\system32\xXPhGyVl.dll
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

2008-04-27 21:05 . 2008-04-27 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-26 08:51 . 2008-04-26 08:51 <DIR> d-------- C:\Documents and Settings\Administrator.RB\Application Data\AVG7
2008-04-25 22:26 . 2008-04-25 22:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-25 15:28 . 2008-04-25 15:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-25 15:05 . 2008-04-25 15:05 107,072 --------- C:\WINDOWS\system32\vgemysro.dll_old
2008-04-25 15:05 . 2008-04-25 15:05 105,536 --------- C:\WINDOWS\system32\uwmygeoj.dll_old
2008-04-25 00:42 . 2008-04-25 08:17 1,509,177 ---hs---- C:\WINDOWS\system32\xsylnvla.ini
2008-04-24 00:44 . 2008-04-24 11:33 1,504,807 ---hs---- C:\WINDOWS\system32\slaljnfb.ini
2008-04-24 00:40 . 2008-04-26 10:53 109,738 --a------ C:\WINDOWS\BMa7360230.xml
2008-04-23 12:16 . 2008-04-23 12:16 36,352 --a------ C:\WINDOWS\system32\CBXPPMCC.DLL.vir
2008-04-23 11:55 . 2008-04-23 17:42 121 --a------ C:\WINDOWS\bdagent.INI
2008-04-23 11:10 . 2007-10-18 00:16 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-23 11:10 . 2007-10-18 00:15 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-23 11:10 . 2007-10-18 00:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-23 11:10 . 2007-10-18 00:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-23 11:09 . 2008-04-24 16:54 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-23 11:09 . 2008-04-23 11:09 <DIR> d-------- C:\Documents and Settings\Ricky\Application Data\PC Tools
2008-04-23 11:09 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-04-22 16:04 . 2008-04-22 16:07 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-04-22 07:52 . 2008-04-23 11:08 124,688 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-04-21 12:50 . 2008-04-21 12:50 <DIR> d-------- C:\Documents and Settings\Monique\Application Data\WeatherBug
2008-04-20 03:10 . 2008-04-20 03:10 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-17 10:14 . 2008-04-17 10:14 1,025 --a------ C:\WINDOWS\system32\sysprs7.tgz
2008-04-17 10:14 . 2008-04-17 10:14 1,025 --a------ C:\WINDOWS\system32\sysprs7.dll
2008-04-17 10:14 . 2008-04-17 10:14 1,025 --a------ C:\WINDOWS\system32\clauth2.dll
2008-04-17 10:14 . 2008-04-17 10:14 1,025 --a------ C:\WINDOWS\system32\clauth1.dll
2008-04-17 10:14 . 2008-04-17 11:19 352 --a------ C:\WINDOWS\system32\lsprst7.tgz
2008-04-17 10:14 . 2008-04-17 11:19 338 --a------ C:\WINDOWS\system32\lsprst7.dll
2008-04-17 10:14 . 2008-04-17 11:18 87 --a------ C:\WINDOWS\system32\ssprs.tgz
2008-04-17 10:14 . 2008-04-17 11:18 73 --a------ C:\WINDOWS\system32\ssprs.dll
2008-04-17 10:13 . 2008-04-17 10:13 <DIR> d-------- C:\Program Files\Rainbow Technologies
2008-04-17 09:54 . 2000-11-17 10:11 192,512 --a------ C:\WINDOWS\system32\ltkrn60n.dll
2008-04-17 09:54 . 2000-11-17 10:16 78,608 --a------ C:\WINDOWS\system32\vb5db.dll
2008-04-17 09:54 . 2000-11-17 10:12 73,216 --a------ C:\WINDOWS\system32\Odbctl32.dll
2008-04-17 09:54 . 2000-11-17 10:12 62,863 --a------ C:\WINDOWS\system32\Odbcjtnw.hlp
2008-04-17 09:54 . 2000-11-17 10:12 3,176 --a------ C:\WINDOWS\system32\Odbcjtnw.cnt
2008-04-17 09:53 . 2008-04-17 09:53 <DIR> d-------- C:\WINDOWS\Rainbow Technologies
2008-04-17 09:53 . 2008-04-17 10:18 <DIR> d-------- C:\2020V61
2008-04-17 09:53 . 1998-11-11 15:06 57,856 --a------ C:\WINDOWS\system32\CAITF32.DLL
2008-04-17 09:53 . 1998-11-11 15:07 56,832 --a------ C:\WINDOWS\system32\CALAUNCH.EXE
2008-04-16 09:49 . 2008-04-16 09:49 <DIR> d-------- C:\Program Files\CCleaner
2008-04-15 21:16 . 2002-12-29 01:14 81,920 --a------ C:\WINDOWS\system32\Startup.cpl
2008-04-15 12:50 . 2008-04-15 12:51 <DIR> d-------- C:\Program Files\BackRex Outlook Express Backup
2008-04-14 15:57 . 2008-04-14 15:57 <DIR> d--hs---- C:\Diskeeper
2008-04-14 12:00 . 2008-04-14 12:00 <DIR> d-------- C:\Program Files\Diskeeper Corporation
2008-04-14 12:00 . 2008-04-14 12:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2008-04-14 11:22 . 2008-04-14 11:29 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-14 10:49 . 2008-04-14 10:49 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-04-10 13:45 . 2008-04-27 10:08 <DIR> d-------- C:\Program Files\XoftSpySE
2008-04-08 12:10 . 2008-04-08 12:10 8,627 --a------ C:\WINDOWS\system32\PAV_FOG.OPC
2008-04-08 11:52 . 2008-04-08 11:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\sentinel
2008-04-08 11:46 . 2008-04-08 11:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Backup
2008-04-08 11:45 . 2001-07-30 16:40 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-04-08 11:20 . 2008-04-23 17:00 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2008-04-07 14:05 . 2008-04-07 14:05 <DIR> d-------- C:\Documents and Settings\Administrator.RB\Application Data\SUPERAntiSpyware.com
2008-04-07 14:05 . 2008-04-07 14:05 <DIR> d-------- C:\Documents and Settings\Administrator.RB\Application Data\Spyware Terminator
2008-04-07 12:06 . 2008-04-07 12:06 51,355 --a------ C:\WINDOWS\system32\muzika.xm
2008-04-07 10:50 . 2008-04-07 10:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-07 10:49 . 2008-04-24 16:59 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-07 10:49 . 2008-04-07 10:49 <DIR> d-------- C:\Documents and Settings\Ricky\Application Data\SUPERAntiSpyware.com
2008-04-07 10:35 . 2008-04-25 08:19 <DIR> d-------- C:\Documents and Settings\Ricky\Application Data\Spyware Terminator
2008-04-07 10:35 . 2008-04-24 21:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-04-07 10:35 . 2008-04-07 10:35 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-04-07 10:34 . 2008-04-27 15:53 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-04-07 10:07 . 2008-02-27 16:52 49,152 --a------ C:\WINDOWS\ArmAccess.dll
2008-04-07 09:55 . 2008-04-23 11:08 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-06 17:38 . 2008-04-06 17:38 <DIR> d-------- C:\Documents and Settings\Administrator.RB\Application Data\Webroot
2008-04-06 17:38 . 2008-04-06 17:38 <DIR> d-------- C:\Documents and Settings\Administrator.RB\Application Data\PC Tools
2008-04-06 12:35 . 2008-04-06 12:35 <DIR> d-------- C:\Documents and Settings\Administrator.RB\Application Data\Lavasoft
2008-04-06 05:20 . 2008-04-06 05:20 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-05 15:56 . 2008-04-05 15:56 <DIR> d-------- C:\WINDOWS\uprjiefj
2008-04-05 15:56 . 2008-04-07 13:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ybwfifwf
2008-04-05 15:55 . 2008-04-05 15:55 67,584 --a------ C:\Documents and Settings\All Users\Application Data\tarkhsfo.dll
2008-04-04 14:34 . 2008-04-04 14:34 5 --a------ C:\WINDOWS\cejokill.ini
2008-04-04 14:33 . 2008-04-04 14:33 5 --a------ C:\WINDOWS\cejokiij.ini
2008-04-04 14:32 . 2008-04-04 14:32 5 --a------ C:\WINDOWS\cejokipo.ini
2008-04-04 14:32 . 2008-04-04 14:32 5 --a------ C:\WINDOWS\cejokinc.ini
2008-04-04 14:32 . 2008-04-04 14:32 5 --a------ C:\WINDOWS\cejokiac.ini
2008-04-04 14:31 . 2008-04-04 14:31 5 --a------ C:\WINDOWS\cejokioi.ini
2008-04-04 14:31 . 2008-04-04 14:31 5 --a------ C:\WINDOWS\cejokign.ini
2008-04-04 14:31 . 2008-04-04 14:31 5 --a------ C:\WINDOWS\cejokifi.ini
2008-04-04 14:31 . 2008-04-04 14:31 5 --a------ C:\WINDOWS\cejokico.ini
2008-04-04 14:30 . 2008-04-04 14:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Wave Arts
2008-04-04 14:27 . 2008-04-04 14:27 <DIR> d-------- C:\Program Files\Wave Arts
2008-04-04 14:12 . 2007-10-12 19:21 17,408 --------- C:\WINDOWS\system32\minimp3.exe
2008-04-04 14:06 . 2008-04-04 14:06 <DIR> d-------- C:\Program Files\PSPaudioware
2008-04-04 13:59 . 2008-04-04 13:59 <DIR> d-------- C:\Program Files\PSP_AUDIOWARE
2008-04-04 13:59 . 2005-09-04 17:46 4,059,136 --a------ C:\WINDOWS\system32\PSP MasterComp.dll
2008-04-03 17:27 . 2008-04-03 17:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Audio Ease
2008-04-03 17:27 . 2007-10-06 12:12 54,156 --a------ C:\WINDOWS\system32\QTFont.qfn
2008-04-03 17:27 . 2007-10-05 21:04 1,409 --a------ C:\WINDOWS\system32\QTFont.for
2008-04-03 17:00 . 2008-04-03 17:00 <DIR> d-------- C:\Program Files\Roger Nichols Digital, Inc
2008-04-03 16:12 . 2008-04-03 16:35 <DIR> d-------- C:\Audio
2008-04-03 14:48 . 2008-04-03 14:49 <DIR> d-------- C:\Documents and Settings\Audio
2008-04-03 12:16 . 2008-04-03 12:16 <DIR> d-------- C:\Program Files\Common Files\Steinberg
2008-04-03 11:27 . 2008-04-03 11:27 <DIR> d-------- C:\Program Files\PSP Audioware
2008-04-03 11:21 . 2008-04-03 11:21 <DIR> d-------- C:\Program Files\PSP VintageWarmer
2008-04-03 11:21 . 2002-03-20 22:22 905,290 --a------ C:\WINDOWS\system32\libmmd.dll
2008-04-03 11:09 . 2008-04-03 11:09 <DIR> d-------- C:\WINDOWS\Recent
2008-04-03 11:03 . 2008-04-16 10:10 <DIR> d-------- C:\Program Files\Antares
2008-04-03 10:56 . 2008-04-03 11:06 <DIR> d-------- C:\Program Files\Antares Audio Technologies
2008-04-02 23:05 . 2008-04-02 23:05 <DIR> d-------- C:\Documents and Settings\Ricky\Images
2008-04-02 22:42 . 2008-04-02 22:42 <DIR> d-------- C:\Program Files\Native Instruments
2008-03-30 13:46 . 2008-04-02 23:07 <DIR> d-------- C:\Documents and Settings\Ricky\Audio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 09:10 --------- d-----w C:\Program Files\SPAMfighter
2008-04-27 14:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-27 14:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-26 03:28 --------- d-----w C:\Program Files\Lavasoft
2008-04-26 03:28 --------- d-----w C:\Documents and Settings\Ricky\Application Data\Lavasoft
2008-04-26 03:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-25 13:10 --------- d-----w C:\Documents and Settings\Ricky\Application Data\uTorrent
2008-04-24 02:05 34,312 ----a-w C:\Documents and Settings\Ricky\Application Data\GDIPFONTCACHEV1.DAT
2008-04-23 22:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-19 15:44 --------- d-----w C:\Documents and Settings\Ricky\Application Data\WeatherBug
2008-04-10 05:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-05 18:34 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-04-03 22:27 --------- d-----w C:\Documents and Settings\Ricky\Application Data\Audio Ease
2008-04-03 18:36 --------- d-----w C:\Documents and Settings\Ricky\Application Data\Steinberg
2008-04-03 18:19 --------- d-----w C:\Program Files\Steinberg
2008-03-31 22:15 --------- d-----w C:\Program Files\NovaLogic
2008-03-30 21:05 --------- d-----w C:\Program Files\IK Multimedia
2008-03-26 22:27 --------- d-----w C:\Documents and Settings\Ricky\Application Data\Waves Preferences
2008-03-26 19:30 --------- d-----w C:\Documents and Settings\Ricky\Application Data\Waves
2008-03-26 19:20 --------- d-----w C:\Program Files\Waves
2008-03-24 01:53 --------- d-----w C:\Program Files\Common Files\iZotope
2008-03-24 01:52 --------- d-----w C:\Documents and Settings\Ricky\Application Data\InstallShield
2008-03-23 17:50 --------- d-----w C:\Documents and Settings\Ricky\Application Data\Waves Audio
2008-03-23 17:43 72,032 ----a-w C:\WINDOWS\system32\drivers\TPkd.sys
2008-03-23 17:43 27,328 ----a-w C:\WINDOWS\system32\drivers\iLokDrvr.sys
2008-03-23 17:38 --------- d-----w C:\Program Files\The KMPlayer
2008-03-12 16:09 --------- d-----w C:\Documents and Settings\Ricky\Application Data\Leadertech
2008-03-11 12:59 --------- d-----w C:\Program Files\Java
2008-03-03 00:52 4,940 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Config\incstore.bin
2008-02-20 02:46 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-07 19:04 796,672 ----a-w C:\WINDOWS\GPInstall.exe
.

----a-w 179,971 2005-08-28 01:31:55 C:\Documents and Settings\Ricky\Desktop\MISC\AQUARIUM\Fish-crack .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SPAMfighter Agent"="C:\Program Files\SPAMfighter\SFAgent.exe" [2007-10-25 15:29 308880]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-04-07 10:35 2957824]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
TurboNote.lnk - C:\Program Files\TurboNote\tbnote.exe [2006-02-09 22:02:54 199168]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
"vidc.ffds"= C:\Program Files\Codec Pack Ultimate\Filters\FFDShow\ff_vfw.dll
"vidc.wmv3"= C:\PROGRA~1\CODECP~1\Filters\wmv9vcm.dll
"SENTINEL"= snti386.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^20-20 Shortcut Bar.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\20-20 Shortcut Bar.lnk
backup=C:\WINDOWS\pss\20-20 Shortcut Bar.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk.disabled
backup=C:\WINDOWS\pss\Acrobat Assistant.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk.disabled
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk.disabled
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 15:08 67160 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"AIM"=C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
"Steam"="C:\Program Files\Steam\Steam.exe" -silent
"Weather"=C:\Program Files\AWS\WeatherBug\Weather.exe 1
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroCheck"=C:\WINDOWS\system32\\NeroCheck.exe
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Ulead AutoDetector v2"=C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"BMa7360230"=Rundll32.exe "C:\WINDOWS\system32\uwmygeoj.dll",s

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\TurboNote\\tbnote.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\SpywareBlaster\\spywareblaster.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys [2002-06-05 11:07]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-04-07 10:35]
R2 SPAMfighter Update Service;SPAMfighter Update Service;"C:\Program Files\SPAMfighter\sfus.exe" [2007-10-25 15:29]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 20:08]
R3 ELNK3;3Com EtherLink III;C:\WINDOWS\system32\DRIVERS\elnk3.sys [2001-08-17 07:10]
S1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys []
S2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys []
S4 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys [2002-10-24 04:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\ONSPCLCK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad589b2e-eb5d-11db-a94e-00105acda11a}]
\Shell\AutoRun\command - H:\ONSPCLCK.exe

.
Contents of the 'Scheduled Tasks' folder
"2006-10-26 23:27:58 C:\WINDOWS\Tasks\1 Copernic Intra-Daily ~RB Ricky.job"
- C:\Program Files\Copernic Agent\CopernicAgent.exe
"2006-10-26 23:27:58 C:\WINDOWS\Tasks\2 Copernic Daily ~RB Ricky.job"
- C:\Program Files\Copernic Agent\CopernicAgent.exe
"2006-10-26 23:27:58 C:\WINDOWS\Tasks\3 Copernic Weekly ~RB Ricky.job"
- C:\Program Files\Copernic Agent\CopernicAgent.exe
"2006-10-26 23:27:58 C:\WINDOWS\Tasks\4 Copernic Monthly ~RB Ricky.job"
- C:\Program Files\Copernic Agent\CopernicAgent.exe
"2008-04-28 07:00:04 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2008-04-28 09:10:14 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-04-28 07:07:17 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 04:10:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-04-28 4:14:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-28 09:14:17
ComboFix2.txt 2008-04-10 04:57:28

Pre-Run: 27,067,596,800 bytes free
Post-Run: 26,976,288,768 bytes free

317 --- E O F --- 2008-04-20 08:15:44
_________________________________________________________

HiJackThis Log!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:06 AM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TurboNote\tbnote.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3040] command /c del "C:\WINDOWS\system32\uwmygeoj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4792] cmd /c del "C:\WINDOWS\system32\uwmygeoj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3923] command /c del "C:\WINDOWS\system32\vgemysro.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9700] cmd /c del "C:\WINDOWS\system32\vgemysro.dll_old"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [SpybotDeletingB4738] command /c del "C:\WINDOWS\system32\uwmygeoj.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2985] cmd /c del "C:\WINDOWS\system32\uwmygeoj.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3006] command /c del "C:\WINDOWS\system32\vgemysro.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6851] cmd /c del "C:\WINDOWS\system32\vgemysro.dll_old"
O4 - Global Startup: TurboNote.lnk = C:\Program Files\TurboNote\tbnote.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - D:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy (file missing)
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - D:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy (file missing)
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145973662636
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O24 - Desktop Component 0: (no name) - http://www.paulharvey.com/graphics/images/bkgrnd.gif

--
End of file - 7634 bytes

Your help in this matter is much appreciated...thank you!
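As an added example (not part of the thread, and not a tool any of the posters used), here is a small Python triage script for HijackThis-style logs such as the one above. It splits each line into its section code (R1, O4, O23 and so on) and flags the two kinds of entry a helper normally looks at first: registry entries whose target is reported as "(no file)" or "(file missing)", and O4 RunOnce entries that are leftover `cmd /c del` / `command /c del` commands queued by a cleaner. The sample lines are constructed, modelled on the log posted here; the line format is assumed to be the one HijackThis v2.0.2 prints.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: a few lines in the HijackThis v2 format, modelled on
# the log in the thread (not read from it at runtime).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3040] command /c del "C:\WINDOWS\system32\uwmygeoj.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6851] cmd /c del "C:\WINDOWS\system32\vgemysro.dll_old"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
"""

# "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [...] ..."
_LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# A cleaner's queued delete command left in RunOnce after it has already run.
_DEL_RE = re.compile(r"\b(?:cmd|command)\s+/c\s+del\b", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one HijackThis line into its section code and body; None if not an entry."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return {"section": m.group("section"), "body": m.group("body")}


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Return a reason string for entries worth a second look, else None."""
    body = entry["body"]
    # Registry points at a file that no longer exists: dead entry, safe to tidy.
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        return "orphan"
    # RunOnce delete commands left behind by an earlier cleaner run.
    if entry["section"] == "O4" and "RunOnce" in body and _DEL_RE.search(body):
        return "leftover-delete"
    return None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Parse a whole log and return the flagged entries, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            findings.append({**entry, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4} {f['reason']:<16} {f['body']}")
```

The script only reads a log; it changes nothing on the machine. Entries it does not flag (a BHO or Run entry pointing at a real file) still need a human to decide whether the file is legitimate, which is exactly the "do you recognize these files?" step a helper asks for.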

Blade81
2008-04-30, 19:50
Hi

ComboFix is a powerful tool and you shouldn't use it without supervision.

Do you recognize the following files? If not, upload them to http://virusscan.jotti.org and post back the results:
C:\WINDOWS\system32\minimp3.exe
C:\WINDOWS\cejokill.ini
C:\WINDOWS\cejokiij.ini
C:\WINDOWS\cejokipo.ini
C:\WINDOWS\cejokinc.ini


Start hjt, do a system scan, check (if found):
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\RunOnce: [SpybotDeletingA3040] command /c del "C:\WINDOWS\system32\uwmygeoj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4792] cmd /c del "C:\WINDOWS\system32\uwmygeoj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3923] command /c del "C:\WINDOWS\system32\vgemysro.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9700] cmd /c del "C:\WINDOWS\system32\vgemysro.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4738] command /c del "C:\WINDOWS\system32\uwmygeoj.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2985] cmd /c del "C:\WINDOWS\system32\uwmygeoj.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3006] command /c del "C:\WINDOWS\system32\vgemysro.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6851] cmd /c del "C:\WINDOWS\system32\vgemysro.dll_old"

Close browsers and other windows. Click fix checked.

Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\system32\vgemysro.dll_old
C:\WINDOWS\system32\uwmygeoj.dll_old
C:\WINDOWS\system32\xsylnvla.ini
C:\WINDOWS\system32\slaljnfb.ini
C:\WINDOWS\BMa7360230.xml
C:\WINDOWS\system32\CBXPPMCC.DLL.vir
C:\WINDOWS\system32\muzika.xm
C:\Documents and Settings\All Users\Application Data\tarkhsfo.dll

Folder::
C:\WINDOWS\uprjiefj
C:\Documents and Settings\All Users\Application Data\ybwfifwf

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BMa7360230"=-



Save this as CFScript


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings and select the following:
Scan using the following Anti-Virus database:
Extended (If available, otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK.
Under "select a target to scan", select My Computer.
The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete; Kaspersky suggests running it during a time of low activity. Once the scan is complete:
Click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information into your next post if the AV content will fit into one post only. Post a fresh hjt log too (without forgetting the above-mentioned ComboFix resultant log).


Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problem doing the above:

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four items (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.
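
The HijackThis entries Blade81 asks to have fixed above fall into two patterns a reviewer scans for by eye: entries whose target no longer exists (marked "(no file)" or "(file missing)") and RunOnce entries left behind by a `cmd /c del` that never completed. The script below is an added example, not part of this thread and not part of HijackThis or ComboFix; it applies those two checks to log lines. The sample lines are constructed from the entries quoted in the thread, the line-format regexes are an assumption based on the shape of the log as posted, and the script only reads text (it never touches the registry or the file system), so the output is a triage list for a human reviewer rather than an automatic fix.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example (not part of the thread, HijackThis or ComboFix). It flags
two kinds of entries: those whose target file is gone, and RunOnce entries
left behind by a deletion that never completed. Nothing here modifies the
machine; it only reads text.
"""
import re
from dataclasses import dataclass

# Constructed sample lines in the shape HJT produces, mirroring the entries
# quoted in the thread plus a few benign ones for contrast.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\RunOnce: [SpybotDeletingA3040] command /c del "C:\WINDOWS\system32\uwmygeoj.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6851] cmd /c del "C:\WINDOWS\system32\vgemysro.dll_old"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - D:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Assumed HJT entry shape: "<section> - <body>", e.g. "O4 - HKLM\..\Run: ...".
HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")

# HJT appends these markers when the referenced file does not exist.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# A RunOnce entry that only exists to delete a file: if it is still in the
# log after a reboot, the delete did not succeed.
RUNONCE_DEL = re.compile(
    r'RunOnce: \[(?P<name>[^\]]+)\] (?:cmd|command) /c del "(?P<path>[^"]+)"',
    re.IGNORECASE,
)


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O4"
    reason: str    # why the entry was flagged
    line: str      # the original log line, for the reviewer
    path: str = "" # file path named by a leftover delete command, if any


def triage(log_text):
    """Return a Finding for every flagged HJT entry, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # header, process list, blank line: not an entry
        section, body = m.group("section"), m.group("body")
        if body.endswith(ORPHAN_MARKERS):
            findings.append(Finding(section, "orphaned entry: target file is gone", line))
            continue
        d = RUNONCE_DEL.search(body)
        if d:
            findings.append(Finding(section, "leftover RunOnce delete command", line, d.group("path")))
    return findings


def leftover_paths(findings):
    """Distinct file paths named by leftover RunOnce delete entries, in log order."""
    seen = []
    for f in findings:
        if f.path and f.path not in seen:
            seen.append(f.path)
    return seen


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print("paths still pending deletion:", leftover_paths(results))
```

Run against a full HJT log the script returns the same two groups a helper looks for first; the orphaned R3/O3 entries are harmless on their own and are removed for tidiness, while the pending-delete paths are the ones worth confirming by hand before they go into any removal script.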

Rickster
2008-05-01, 17:51
Hi Blade81,
Once again you are the best.....you and ComboFix rock........I followed your directions and went first to the recommended website (http://virusscan.jotti.org) to check out the files you wanted me to check...they came back clean....by the way that website is cool..

C:\WINDOWS\system32\minimp3.exe - clean
C:\WINDOWS\cejokill.ini - clean
C:\WINDOWS\cejokiij.ini - clean
C:\WINDOWS\cejokipo.ini - clean
C:\WINDOWS\cejokinc.ini - clean

I also started hjt...did a system scan and found:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)

which I removed.......

I then moved on to drag-n-dropping your CFScript into ComboFix......worked GREAT....below are my final ComboFix Log and HJT log.....

ComboFix Log (final log)

ComboFix 08-04-27.1 - Ricky 2008-04-30 15:56:35.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.419 [GMT -5:00]
Running from: C:\Documents and Settings\Ricky\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ricky\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\All Users\Application Data\tarkhsfo.dll
C:\WINDOWS\BMa7360230.xml
C:\WINDOWS\system32\CBXPPMCC.DLL.vir
C:\WINDOWS\system32\muzika.xm
C:\WINDOWS\system32\slaljnfb.ini
C:\WINDOWS\system32\uwmygeoj.dll_old
C:\WINDOWS\system32\vgemysro.dll_old
C:\WINDOWS\system32\xsylnvla.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\tarkhsfo.dll
C:\Documents and Settings\All Users\Application Data\ybwfifwf
C:\WINDOWS\BMa7360230.xml
C:\WINDOWS\system32\CBXPPMCC.DLL.vir
C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\muzika.xm
C:\WINDOWS\system32\slaljnfb.ini
C:\WINDOWS\system32\ssprs.dll
C:\WINDOWS\system32\xsylnvla.ini
C:\WINDOWS\uprjiefj
C:\WINDOWS\uprjiefj\1.png
C:\WINDOWS\uprjiefj\2.png
C:\WINDOWS\uprjiefj\3.png
C:\WINDOWS\uprjiefj\4.png
C:\WINDOWS\uprjiefj\5.png
C:\WINDOWS\uprjiefj\6.png
C:\WINDOWS\uprjiefj\7.png
C:\WINDOWS\uprjiefj\8.png
C:\WINDOWS\uprjiefj\9.png
C:\WINDOWS\uprjiefj\bottom-rc.gif
C:\WINDOWS\uprjiefj\config.png
C:\WINDOWS\uprjiefj\content.png
C:\WINDOWS\uprjiefj\download.gif
C:\WINDOWS\uprjiefj\frame-bg.gif
C:\WINDOWS\uprjiefj\frame-bottom-left.gif
C:\WINDOWS\uprjiefj\frame-h1bg.gif
C:\WINDOWS\uprjiefj\head.png
C:\WINDOWS\uprjiefj\icon.png
C:\WINDOWS\uprjiefj\indexwp.html
C:\WINDOWS\uprjiefj\main.css
C:\WINDOWS\uprjiefj\memory-prots.png
C:\WINDOWS\uprjiefj\net.png
C:\WINDOWS\uprjiefj\pc-mag.gif
C:\WINDOWS\uprjiefj\pc.gif
C:\WINDOWS\uprjiefj\poloska1.png
C:\WINDOWS\uprjiefj\poloska2.png
C:\WINDOWS\uprjiefj\poloska3.png
C:\WINDOWS\uprjiefj\promowp1.html
C:\WINDOWS\uprjiefj\promowp2.html
C:\WINDOWS\uprjiefj\promowp3.html
C:\WINDOWS\uprjiefj\promowp4.html
C:\WINDOWS\uprjiefj\promowp5.html
C:\WINDOWS\uprjiefj\reg.png
C:\WINDOWS\uprjiefj\repair.png
C:\WINDOWS\uprjiefj\scr-1.png
C:\WINDOWS\uprjiefj\scr-2.png
C:\WINDOWS\uprjiefj\start.png
C:\WINDOWS\uprjiefj\styles.css
C:\WINDOWS\uprjiefj\Thumbs.db
C:\WINDOWS\uprjiefj\top-rc.gif
C:\WINDOWS\uprjiefj\vline.gif
C:\WINDOWS\uprjiefj\wp.png

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.

2008-04-27 21:05 . 2008-04-27 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-26 08:51 . 2008-04-26 08:51 <DIR> d-------- C:\Documents and Settings\Administrator.RB\Application Data\AVG7
2008-04-25 22:26 . 2008-04-25 22:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-25 15:28 . 2008-04-25 15:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-23 11:55 . 2008-04-23 17:42 121 --a------ C:\WINDOWS\bdagent.INI
2008-04-23 11:10 . 2007-10-18 00:16 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-23 11:10 . 2007-10-18 00:15 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-23 11:10 . 2007-10-18 00:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-23 11:10 . 2007-10-18 00:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-23 11:09 . 2008-04-24 16:54 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-23 11:09 . 2008-04-23 11:09 <DIR> d-------- C:\Documents and Settings\Ricky\Application Data\PC Tools
2008-04-23 11:09 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-04-22 16:04 . 2008-04-22 16:07 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-04-22 07:52 . 2008-04-23 11:08 124,688 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-04-21 12:50 . 2008-04-21 12:50 <DIR> d-------- C:\Documents and Settings\Monique\Application Data\WeatherBug
2008-04-20 03:10 . 2008-04-20 03:10 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-17 10:14 . 2008-04-17 10:14 1,025 --a------ C:\WINDOWS\system32\sysprs7.tgz
2008-04-17 10:14 . 2008-04-17 10:14 1,025 --a------ C:\WINDOWS\system32\sysprs7.dll
2008-04-17 10:14 . 2008-04-17 10:14 1,025 --a------ C:\WINDOWS\system32\clauth2.dll
2008-04-17 10:14 . 2008-04-17 10:14 1,025 --a------ C:\WINDOWS\system32\clauth1.dll
2008-04-17 10:14 . 2008-04-17 11:19 352 --a------ C:\WINDOWS\system32\lsprst7.tgz
2008-04-17 10:14 . 2008-04-17 11:18 87 --a------ C:\WINDOWS\system32\ssprs.tgz
2008-04-17 09:54 . 2000-11-17 10:11 192,512 --a------ C:\WINDOWS\system32\ltkrn60n.dll
2008-04-17 09:54 . 2000-11-17 10:16 78,608 --a------ C:\WINDOWS\system32\vb5db.dll
2008-04-17 09:54 . 2000-11-17 10:12 73,216 --a------ C:\WINDOWS\system32\Odbctl32.dll
2008-04-17 09:54 . 2000-11-17 10:12 62,863 --a------ C:\WINDOWS\system32\Odbcjtnw.hlp
2008-04-17 09:54 . 2000-11-17 10:12 3,176 --a------ C:\WINDOWS\system32\Odbcjtnw.cnt
2008-04-17 09:53 . 2008-04-17 09:53 <DIR> d-------- C:\WINDOWS\Rainbow Technologies
2008-04-17 09:53 . 2008-04-17 10:18 <DIR> d-------- C:\2020V61
2008-04-17 09:53 . 1998-11-11 15:06 57,856 --a------ C:\WINDOWS\system32\CAITF32.DLL
2008-04-17 09:53 . 1998-11-11 15:07 56,832 --a------ C:\WINDOWS\system32\CALAUNCH.EXE
2008-04-16 09:49 . 2008-04-16 09:49 <DIR> d-------- C:\Program Files\CCleaner
2008-04-15 21:16 . 2002-12-29 01:14 81,920 --a------ C:\WINDOWS\system32\Startup.cpl
2008-04-15 12:50 . 2008-04-15 12:51 <DIR> d-------- C:\Program Files\BackRex Outlook Express Backup
2008-04-14 15:57 . 2008-04-14 15:57 <DIR> d--hs---- C:\Diskeeper
2008-04-14 12:00 . 2008-04-14 12:00 <DIR> d-------- C:\Program Files\Diskeeper Corporation
2008-04-14 12:00 . 2008-04-14 12:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2008-04-14 11:22 . 2008-04-14 11:29 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-14 10:49 . 2008-04-30 09:05 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-04-10 13:45 . 2008-04-27 10:08 <DIR> d-------- C:\Program Files\XoftSpySE
2008-04-08 12:10 . 2008-04-08 12:10 8,627 --a------ C:\WINDOWS\system32\PAV_FOG.OPC
2008-04-08 11:52 . 2008-04-08 11:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\sentinel
2008-04-08 11:46 . 2008-04-08 11:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Backup
2008-04-08 11:45 . 2001-07-30 16:40 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-04-08 11:20 . 2008-04-23 17:00 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2008-04-07 14:05 . 2008-04-07 14:05 <DIR> d-------- C:\Documents and Settings\Administrator.RB\Application Data\SUPERAntiSpyware.com
2008-04-07 14:05 . 2008-04-07 14:05 <DIR> d-------- C:\Documents and Settings\Administrator.RB\Application Data\Spyware Terminator
2008-04-07 10:50 . 2008-04-07 10:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-07 10:49 . 2008-04-24 16:59 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-07 10:49 . 2008-04-07 10:49 <DIR> d-------- C:\Documents and Settings\Ricky\Application Data\SUPERAntiSpyware.com
2008-04-07 10:35 . 2008-04-29 11:20 <DIR> d-------- C:\Documents and Settings\Ricky\Application Data\Spyware Terminator
2008-04-07 10:35 . 2008-04-24 21:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-04-07 10:35 . 2008-04-07 10:35 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-04-07 10:34 . 2008-04-30 12:01 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-04-07 10:07 . 2008-02-27 16:52 49,152 --a------ C:\WINDOWS\ArmAccess.dll
2008-04-07 09:55 . 2008-04-30 09:06 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-06 17:38 . 2008-04-06 17:38 <DIR> d-------- C:\Documents and Settings\Administrator.RB\Application Data\Webroot
2008-04-06 17:38 . 2008-04-06 17:38 <DIR> d-------- C:\Documents and Settings\Administrator.RB\Application Data\PC Tools
2008-04-06 12:35 . 2008-04-06 12:35 <DIR> d-------- C:\Documents and Settings\Administrator.RB\Application Data\Lavasoft
2008-04-06 05:20 . 2008-04-06 05:20 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-04 14:34 . 2008-04-04 14:34 5 --a------ C:\WINDOWS\cejokill.ini
2008-04-04 14:33 . 2008-04-04 14:33 5 --a------ C:\WINDOWS\cejokiij.ini
2008-04-04 14:32 . 2008-04-04 14:32 5 --a------ C:\WINDOWS\cejokipo.ini
2008-04-04 14:32 . 2008-04-04 14:32 5 --a------ C:\WINDOWS\cejokinc.ini
2008-04-04 14:32 . 2008-04-04 14:32 5 --a------ C:\WINDOWS\cejokiac.ini
2008-04-04 14:31 . 2008-04-04 14:31 5 --a------ C:\WINDOWS\cejokioi.ini
2008-04-04 14:31 . 2008-04-04 14:31 5 --a------ C:\WINDOWS\cejokign.ini
2008-04-04 14:31 . 2008-04-04 14:31 5 --a------ C:\WINDOWS\cejokifi.ini
2008-04-04 14:31 . 2008-04-04 14:31 5 --a------ C:\WINDOWS\cejokico.ini
2008-04-04 14:30 . 2008-04-04 14:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Wave Arts
2008-04-04 14:27 . 2008-04-04 14:27 <DIR> d-------- C:\Program Files\Wave Arts
2008-04-04 14:12 . 2007-10-12 19:21 17,408 --------- C:\WINDOWS\system32\minimp3.exe
2008-04-04 14:06 . 2008-04-04 14:06 <DIR> d-------- C:\Program Files\PSPaudioware
2008-04-04 13:59 . 2008-04-04 13:59 <DIR> d-------- C:\Program Files\PSP_AUDIOWARE
2008-04-04 13:59 . 2005-09-04 17:46 4,059,136 --a------ C:\WINDOWS\system32\PSP MasterComp.dll
2008-04-03 17:27 . 2008-04-03 17:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Audio Ease
2008-04-03 17:27 . 2007-10-06 12:12 54,156 --a------ C:\WINDOWS\system32\QTFont.qfn
2008-04-03 17:27 . 2007-10-05 21:04 1,409 --a------ C:\WINDOWS\system32\QTFont.for
2008-04-03 17:00 . 2008-04-03 17:00 <DIR> d-------- C:\Program Files\Roger Nichols Digital, Inc
2008-04-03 16:12 . 2008-04-03 16:35 <DIR> d-------- C:\Audio
2008-04-03 14:48 . 2008-04-03 14:49 <DIR> d-------- C:\Documents and Settings\Audio
2008-04-03 12:16 . 2008-04-03 12:16 <DIR> d-------- C:\Program Files\Common Files\Steinberg
2008-04-03 11:27 . 2008-04-03 11:27 <DIR> d-------- C:\Program Files\PSP Audioware
2008-04-03 11:21 . 2008-04-03 11:21 <DIR> d-------- C:\Program Files\PSP VintageWarmer
2008-04-03 11:21 . 2002-03-20 22:22 905,290 --a------ C:\WINDOWS\system32\libmmd.dll
2008-04-03 11:09 . 2008-04-03 11:09 <DIR> d-------- C:\WINDOWS\Recent
2008-04-03 11:03 . 2008-04-16 10:10 <DIR> d-------- C:\Program Files\Antares
2008-04-03 10:56 . 2008-04-03 11:06 <DIR> d-------- C:\Program Files\Antares Audio Technologies
2008-04-02 23:05 . 2008-04-02 23:05 <DIR> d-------- C:\Documents and Settings\Ricky\Images
2008-04-02 22:42 . 2008-04-02 22:42 <DIR> d-------- C:\Program Files\Native Instruments
2008-03-30 13:46 . 2008-04-02 23:07 <DIR> d-------- C:\Documents and Settings\Ricky\Audio
2008-03-27 22:28 . 2008-03-27 22:28 272,409 --a------ C:\WINDOWS\system32\TmpA605875
2008-03-26 21:14 . 2008-03-26 21:14 272,409 --a------ C:\WINDOWS\system32\TmpA1788921
2008-03-26 20:37 . 2008-04-03 17:27 <DIR> d-------- C:\Documents and Settings\Ricky\Application Data\Audio Ease
2008-03-26 14:30 . 2008-03-26 14:30 <DIR> d-------- C:\Documents and Settings\Ricky\Application Data\Waves
2008-03-26 14:29 . 2008-03-26 17:27 <DIR> d-------- C:\Documents and Settings\Ricky\Application Data\Waves Preferences
2008-03-26 14:11 . 2008-03-26 14:20 <DIR> d-------- C:\Program Files\Waves
2008-03-26 12:38 . 2008-04-05 16:16 8 --a------ C:\WINDOWS\system32\mswin32.ocx
2008-03-26 12:26 . 2008-04-05 13:34 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-03-24 18:19 . 2008-03-24 18:19 900,015 --a------ C:\WINDOWS\system32\TmpA77118515
2008-03-24 18:19 . 2008-03-24 18:19 272,409 --a------ C:\WINDOWS\system32\TmpA77143546
2008-03-23 20:53 . 2008-03-23 20:53 <DIR> d-------- C:\Program Files\Common Files\iZotope
2008-03-23 20:52 . 2008-03-23 20:52 <DIR> d-------- C:\Documents and Settings\Ricky\Application Data\InstallShield
2008-03-23 18:24 . 2008-03-23 20:00 16 --a------ C:\WINDOWS\system32\w3data.vss
2008-03-23 18:24 . 2008-03-23 20:00 16 --a------ C:\WINDOWS\msocreg32.dat
2008-03-23 13:27 . 2008-04-03 13:36 <DIR> d-------- C:\Documents and Settings\Ricky\Application Data\Steinberg
2008-03-23 13:13 . 2006-08-01 17:34 765,952 --------- C:\WINDOWS\system32\SYNSOACC.dll
2008-03-23 13:13 . 2006-01-29 12:48 147,456 --------- C:\WINDOWS\system32\SynsoLChk.dll
2008-03-23 13:13 . 2006-01-29 12:48 147,425 --a------ C:\WINDOWS\system32\SYNSOACC-Aide.chm
2008-03-23 13:13 . 2006-01-29 12:48 120,468 --a------ C:\WINDOWS\system32\SYNSOACC-Hilfe.chm
2008-03-23 13:13 . 2006-01-29 12:48 114,279 --a------ C:\WINDOWS\system32\SYNSOACC-Help.chm
2008-03-23 13:13 . 2005-05-09 20:08 33,792 --a------ C:\WINDOWS\system32\drivers\cledx.sys
2008-03-23 13:04 . 2008-04-03 13:19 <DIR> d-------- C:\Program Files\Steinberg
2008-03-23 12:50 . 2008-03-23 12:50 <DIR> d-------- C:\Documents and Settings\Ricky\Application Data\Waves Audio
2008-03-23 12:43 . 2008-03-23 12:43 634,880 --------- C:\WINDOWS\system32\ilinet.dll
2008-03-23 12:43 . 2008-03-23 12:43 72,032 --a------ C:\WINDOWS\system32\drivers\TPkd.sys
2008-03-23 12:43 . 2008-03-23 12:43 27,328 --a------ C:\WINDOWS\system32\drivers\iLokDrvr.sys
2008-03-23 12:43 . 2008-03-23 12:43 785 --------- C:\WINDOWS\Tpkdboot.reg
2008-03-23 00:07 . 2008-03-23 20:52 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
2008-03-12 11:09 . 2008-03-12 11:09 <DIR> d-------- C:\Documents and Settings\Ricky\Application Data\Leadertech
2008-03-07 11:52 . 2008-03-07 11:52 <DIR> d-------- C:\Documents and Settings\Ricky\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 20:16 --------- d-----w C:\Documents and Settings\Ricky\Application Data\uTorrent
2008-04-30 16:34 --------- d-----w C:\Program Files\SPAMfighter
2008-04-27 14:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-27 14:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-26 03:28 --------- d-----w C:\Program Files\Lavasoft
2008-04-26 03:28 --------- d-----w C:\Documents and Settings\Ricky\Application Data\Lavasoft
2008-04-26 03:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-24 02:05 34,312 ----a-w C:\Documents and Settings\Ricky\Application Data\GDIPFONTCACHEV1.DAT
2008-04-23 22:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-19 15:44 --------- d-----w C:\Documents and Settings\Ricky\Application Data\WeatherBug
2008-04-10 05:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-31 22:15 --------- d-----w C:\Program Files\NovaLogic
2008-03-30 21:05 --------- d-----w C:\Program Files\IK Multimedia
2008-03-23 17:38 --------- d-----w C:\Program Files\The KMPlayer
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-11 12:59 --------- d-----w C:\Program Files\Java
2008-03-03 00:52 4,940 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Config\incstore.bin
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 02:46 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-07 19:04 796,672 ----a-w C:\WINDOWS\GPInstall.exe
.

<pre>
----a-w 179,971 2005-08-28 01:31:55 C:\Documents and Settings\Ricky\Desktop\MISC\AQUARIUM\Fish-crack .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-04-28_ 4.13.44.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-28 09:09:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-29 13:23:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-24 14:25:08 1,632 ----a-w C:\WINDOWS\system32\d3d8caps.dat
+ 2008-04-30 13:38:07 1,632 ----a-w C:\WINDOWS\system32\d3d8caps.dat
+ 2008-04-29 13:24:11 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_7b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SPAMfighter Agent"="C:\Program Files\SPAMfighter\SFAgent.exe" [2007-10-25 15:29 308880]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-04-07 10:35 2957824]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
TurboNote.lnk - C:\Program Files\TurboNote\tbnote.exe [2006-02-09 22:02:54 199168]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
"vidc.ffds"= C:\Program Files\Codec Pack Ultimate\Filters\FFDShow\ff_vfw.dll
"vidc.wmv3"= C:\PROGRA~1\CODECP~1\Filters\wmv9vcm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^20-20 Shortcut Bar.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\20-20 Shortcut Bar.lnk
backup=C:\WINDOWS\pss\20-20 Shortcut Bar.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk.disabled
backup=C:\WINDOWS\pss\Acrobat Assistant.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk.disabled
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk.disabled
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 15:08 67160 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"AIM"=C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
"Steam"="C:\Program Files\Steam\Steam.exe" -silent
"Weather"=C:\Program Files\AWS\WeatherBug\Weather.exe 1
"OM_Monitor"=C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroCheck"=C:\WINDOWS\system32\\NeroCheck.exe
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Ulead AutoDetector v2"=C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\TurboNote\\tbnote.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"D:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\SpywareBlaster\\spywareblaster.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys [2002-06-05 11:07]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-04-07 10:35]
R2 SPAMfighter Update Service;SPAMfighter Update Service;"C:\Program Files\SPAMfighter\sfus.exe" [2007-10-25 15:29]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 20:08]
R3 ELNK3;3Com EtherLink III;C:\WINDOWS\system32\DRIVERS\elnk3.sys [2001-08-17 07:10]
S1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys []
S2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys []
S4 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys [2002-10-24 04:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\ONSPCLCK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad589b2e-eb5d-11db-a94e-00105acda11a}]
\Shell\AutoRun\command - H:\ONSPCLCK.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2006-10-26 23:27:58 C:\WINDOWS\Tasks\1 Copernic Intra-Daily ~RB Ricky.job"
- C:\Program Files\Copernic Agent\CopernicAgent.exe
"2006-10-26 23:27:58 C:\WINDOWS\Tasks\2 Copernic Daily ~RB Ricky.job"
- C:\Program Files\Copernic Agent\CopernicAgent.exe
"2006-10-26 23:27:58 C:\WINDOWS\Tasks\3 Copernic Weekly ~RB Ricky.job"
- C:\Program Files\Copernic Agent\CopernicAgent.exe
"2006-10-26 23:27:58 C:\WINDOWS\Tasks\4 Copernic Monthly ~RB Ricky.job"
- C:\Program Files\Copernic Agent\CopernicAgent.exe
"2008-04-30 12:25:07 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2008-04-29 22:00:01 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-04-30 12:25:39 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 15:59:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-30 16:01:26
ComboFix-quarantined-files.txt 2008-04-30 21:01:22
ComboFix2.txt 2008-04-28 09:14:36
ComboFix3.txt 2008-04-10 04:57:28

Pre-Run: 19,727,900,672 bytes free
Post-Run: 19,720,769,536 bytes free

366 --- E O F --- 2008-04-20 08:15:44

______________________________________________________________
HJT Log (final log)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:04:20 PM, on 4/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TurboNote\tbnote.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: TurboNote.lnk = C:\Program Files\TurboNote\tbnote.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - D:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy (file missing)
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - D:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy (file missing)
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145973662636
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O24 - Desktop Component 0: (no name) - http://www.paulharvey.com/graphics/images/bkgrnd.gif

--
End of file - 6743 bytes

As you can see...no more virtumonde and virtumonde.dll.....awesome.....I truly appreciate all your time and efforts in helping me remove this virus...again you ROCK....THANKS AGAIN......you are a good person...God Bless.

Blade81
2008-05-01, 19:28
Hi

It's good that things are looking better. However, I'm still waiting for that Kaspersky report :)

Blade81
2008-05-08, 16:59
Due to inactivity, this thread will now be closed.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.