
View Full Version : Virtumundo



moofleta
2008-04-30, 20:06
Seeking some help removing the VMundo Trojan.

I was trying to get ComboFix to run; however, my Trend Micro antivirus is blocking it. I cannot even copy it onto my desktop.

Below is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:56:18 PM, on 4/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\FireOnecp.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Default User\Local Settings\Temp\bh11ySa6d\IDMan.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\TechSmith\Jing\Jing.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Documents and Settings\moo\Local Settings\Application Data\Google\Update\1.1.27.0\GoogleUpdate.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Documents and Settings\moo\Local Settings\Application Data\Google\Google Talk, Labs Edition\GoogleTalkLabsEdition.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Documents and Settings\Default User\Local Settings\Temp\bh11ySa6d\IEMonitor.exe
C:\Program Files\Mozilla Firefox 3 Beta 3\firefox.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vmule.com/2008home.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: (no name) - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Babylon - {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - C:\Program Files\Babylon\Babylon Toolbar\BabylonIEToolBar.dll
O3 - Toolbar: (no name) - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [VF0070 STISvc] RunDLL32.exe V0070Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartFireOneApplet] FireOnecp.exe H
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [34570709] rundll32.exe "C:\WINDOWS\system32\fqkdfakr.dll",b
O4 - HKLM\..\Run: [BM37643495] Rundll32.exe "C:\WINDOWS\system32\eoprkdyu.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CamTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IDMan] C:\Documents and Settings\Default User\Local Settings\Temp\bh11ySa6d\IDMan.exe /onboot
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Jing] C:\Program Files\TechSmith\Jing\Jing.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\moo\Local Settings\Application Data\Google\Update\1.1.27.0\GoogleUpdate.exe" /lang en
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Google Talk, Labs Edition.lnk = C:\Documents and Settings\moo\Local Settings\Application Data\Google\Google Talk, Labs Edition\GoogleTalkLabsEdition.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: UltraMon.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all links with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bh11ySa6d\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bh11ySa6d\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Documents and Settings\Default User\Local Settings\Temp\bh11ySa6d\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171338678640
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} (Pure Networks Security Scan) - http://scan.networkmagic.com/nmscan/download/WebDiag.4.5.8056.1-ship-WD.V1.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://access.motorola.com/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E87A4CD6-BA5F-4552-BC4F-8EC240A2755C} (WebRecClient Control) - http://sip.moofleta.com:8000/webrec.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: VLC media player - Unknown owner - C:\Program Files\VideoLAN\VLC\vlc.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 16728 bytes


Sincerely,

moofleta
2008-04-30, 20:35
I was able to run ComboFix from a network drive; here is the log:

ComboFix 08-04-29.5 - moo 2008-04-30 13:04:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1255.972.1033.18.1041 [GMT -4:00]
Running from: \\dling\raid\temp\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cffiQtwa.ini
C:\WINDOWS\system32\cffiQtwa.ini2
C:\WINDOWS\system32\efcYqonM.dll
C:\WINDOWS\system32\eoprkdyu.dll
C:\WINDOWS\system32\fqkdfakr.dll
C:\WINDOWS\system32\player.dll
C:\WINDOWS\system32\qoMccAqQ.dll
C:\WINDOWS\system32\rkafdkqf.ini
C:\WINDOWS\system32\VwHNoUvw.ini
C:\WINDOWS\system32\VwHNoUvw.ini2
C:\WINDOWS\system32\wvUoNHwV.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.

2008-04-30 12:56 . 2008-04-30 12:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-30 12:03 . 2008-04-30 12:03 <DIR> d-------- C:\VundoFix Backups
2008-04-30 09:58 . 2008-04-30 11:57 325 --a------ C:\WINDOWS\wininit.ini
2008-04-30 09:26 . 2008-04-30 09:26 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-30 09:26 . 2008-04-30 09:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-29 20:23 . 2008-04-30 09:25 109,756 --a------ C:\WINDOWS\BM37643495.xml
2008-04-28 20:13 . 2008-04-28 20:13 38,912 --a------ C:\WINDOWS\system32\xxyATkjH.dll.vir
2008-04-25 19:30 . 2008-04-28 10:37 <DIR> d-------- C:\Program Files\DVDZip 3.1
2008-04-25 19:30 . 1999-09-10 12:06 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-04-25 19:30 . 1999-09-10 12:06 25,244 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-04-25 19:30 . 1999-09-10 12:06 5,600 --a------ C:\WINDOWS\system\WINASPI.DLL
2008-04-25 19:30 . 1999-09-10 12:06 4,672 --a------ C:\WINDOWS\system\WOWPOST.EXE
2008-04-25 19:26 . 2008-04-25 19:26 <DIR> d-------- C:\temp\dvdzip
2008-04-25 13:06 . 2008-04-25 13:06 0 --a------ C:\Documents and Settings\All Users\Application Data\PKP_DLbz.DAT
2008-04-25 13:04 . 2008-04-25 13:04 <DIR> d-------- C:\Program Files\MagicDisc
2008-04-25 13:04 . 2008-02-18 17:29 96,256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-04-24 23:46 . 2008-04-24 23:49 <DIR> d-------- C:\Documents and Settings\moo\Application Data\Ableton
2008-04-24 23:46 . 2008-03-14 13:22 368,640 --a------ C:\WINDOWS\system32\ReWire.dll
2008-04-24 23:46 . 2008-03-14 13:22 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2008-04-24 23:45 . 2008-04-24 23:46 <DIR> d-------- C:\Program Files\Ableton
2008-04-24 23:24 . 2004-08-03 23:10 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys
2008-04-24 23:24 . 2004-08-03 23:10 48,128 --a--c--- C:\WINDOWS\system32\dllcache\61883.sys
2008-04-24 23:24 . 2004-08-03 23:10 38,912 --a------ C:\WINDOWS\system32\drivers\avc.sys
2008-04-24 23:24 . 2004-08-03 23:10 38,912 --a--c--- C:\WINDOWS\system32\dllcache\avc.sys
2008-04-24 23:23 . 2008-04-24 23:24 <DIR> d-------- C:\Program Files\FireOne
2008-04-24 23:23 . 2007-03-08 17:24 622,592 --a------ C:\WINDOWS\system32\FireOnecp.exe
2008-04-24 23:23 . 2007-02-21 19:45 270,336 --a------ C:\WINDOWS\system32\FireOne.cpl
2008-04-24 23:23 . 2007-03-08 17:24 102,272 --a------ C:\WINDOWS\system32\drivers\FireOne.sys
2008-04-24 23:23 . 2007-03-08 17:24 41,984 --a------ C:\WINDOWS\system32\FOneAsio.dll
2008-04-24 23:23 . 2007-03-08 17:24 21,504 --a------ C:\WINDOWS\system32\FOneApi.dll
2008-04-19 16:23 . 2008-04-19 16:24 <DIR> d-------- C:\Program Files\eMusic Download Manager
2008-04-19 16:20 . 2008-04-19 16:21 <DIR> d-------- C:\Program Files\Citi Virtual Account Numbers
2008-04-18 08:29 . 2008-04-30 13:18 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-18 08:29 . 2008-04-18 08:29 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-18 08:28 . 2008-04-18 08:29 <DIR> d-------- C:\Program Files\iTunes
2008-04-18 08:28 . 2008-04-18 08:28 <DIR> d-------- C:\Program Files\iPod
2008-04-18 08:25 . 2008-04-18 08:26 <DIR> d-------- C:\Program Files\QuickTime
2008-04-18 08:19 . 2008-04-18 08:19 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-15 20:26 . 2008-04-15 20:26 2,716 --a------ C:\lab5_9
2008-04-14 07:08 . 2008-04-14 07:08 84,048 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-04-10 14:06 . 2008-04-10 14:06 <DIR> d-------- C:\Documents and Settings\moo\Application Data\webex
2008-04-10 14:05 . 2008-04-10 14:05 202,827 --a------ C:\WINDOWS\system32\atasnt40.dll
2008-04-10 14:05 . 2008-04-10 14:05 51,304 --a------ C:\WINDOWS\system32\drivers\atnt40k.sys
2008-04-08 09:00 . 2008-04-08 09:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AT&T
2008-04-07 23:28 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-04-07 23:27 . 2008-04-07 23:27 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-04-07 23:24 . 2008-04-07 23:26 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-04-07 23:24 . 2008-04-07 23:24 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-04-07 22:54 . 2008-04-08 08:11 <DIR> d-------- C:\Program Files\Windows Live
2008-04-07 22:54 . 2008-04-07 23:04 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-07 22:53 . 2008-04-07 22:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-05 19:13 . 2008-04-25 13:07 <DIR> d-------- C:\Documents and Settings\moo\Application Data\Nikon
2008-04-05 19:12 . 2008-04-25 13:06 <DIR> d-------- C:\Program Files\Nikon
2008-04-05 19:12 . 2008-04-25 13:08 <DIR> d-------- C:\Program Files\Common Files\Nikon
2008-04-05 19:12 . 2008-04-05 19:12 <DIR> d-------- C:\Program Files\Common Files\muvee Technologies
2008-04-05 19:12 . 2008-04-05 19:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nikon
2008-04-05 19:11 . 2008-04-25 13:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ultima_T15
2008-04-05 19:11 . 2008-04-25 13:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\EnterNHelp
2008-04-05 19:11 . 2008-04-05 19:11 268 -r-h----- C:\Documents and Settings\All Users\Application Data\Command Line Utility
2008-04-05 19:11 . 2008-04-06 22:48 20 ---h----- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
2008-04-05 18:58 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-04-05 18:58 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-04-05 18:58 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-04-05 18:58 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-04-04 17:17 . 2008-04-04 17:17 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-04-04 17:17 . 2008-04-04 17:17 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-04-04 07:50 . 2008-04-04 07:50 <DIR> d-------- C:\Documents and Settings\moo\Application Data\AT&T
2008-04-04 07:41 . 2008-04-04 07:41 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Bytemobile
2008-04-04 07:40 . 2008-04-04 07:40 <DIR> d-------- C:\Documents and Settings\moo\Application Data\Bytemobile
2008-04-04 07:40 . 2003-09-08 14:43 89,728 --a------ C:\WINDOWS\system32\drivers\usbvsp.sys
2008-04-04 07:39 . 2008-04-04 07:39 <DIR> d-------- C:\Documents and Settings\moo\Application Data\DBUpdater
2008-04-04 07:38 . 2008-04-04 07:38 <DIR> d-------- C:\Documents and Settings\moo\Application Data\Sierra Wireless
2008-04-04 07:38 . 2008-01-03 16:21 26,504 --a------ C:\WINDOWS\system32\drivers\swmsflt.sys
2008-04-04 07:34 . 2007-01-18 10:24 26,496 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2008-04-04 07:32 . 2008-04-04 07:33 <DIR> d-------- C:\Program Files\Sierra Wireless Inc
2008-04-04 07:32 . 2008-04-04 07:32 <DIR> d-------- C:\Program Files\Common Files\Research in Motion
2008-04-04 07:29 . 2008-04-04 07:29 <DIR> d-------- C:\Program Files\Option
2008-04-04 07:29 . 2006-11-13 14:45 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-04-04 07:29 . 2007-05-04 16:54 22,528 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2008-04-04 07:28 . 2008-04-04 07:28 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-26 23:02 . 2008-03-26 23:02 <DIR> d-------- C:\Program Files\MSECache
2008-03-26 12:21 . 2008-04-29 23:04 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-26 10:07 . 2008-03-26 10:07 <DIR> d-------- C:\Program Files\TechSmith
2008-03-24 13:55 . 2008-03-24 13:55 <DIR> d-------- C:\Program Files\Citrix
2008-03-24 13:55 . 2008-03-24 13:55 61,224 --a------ C:\Documents and Settings\moo\GoToAssistDownloadHelper.exe
2008-03-24 11:39 . 2008-03-24 11:39 <DIR> d-------- C:\Program Files\MagicISO
2008-03-20 18:16 . 2008-04-18 08:20 <DIR> d-------- C:\Program Files\Safari
2008-03-20 16:38 . 2008-03-20 16:38 <DIR> d-------- C:\Program Files\KLC
2008-03-20 16:36 . 2004-08-08 12:58 749,568 --a------ C:\WINDOWS\system32\VBOLock.ocx
2008-03-19 18:52 . 2008-03-21 07:36 <DIR> d-------- C:\Program Files\fileflyer
2008-03-15 21:04 . 2008-03-15 21:46 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-03-14 22:27 . 2008-03-14 22:27 <DIR> d-------- C:\Program Files\DNA
2008-03-14 22:27 . 2008-04-30 13:16 <DIR> d-------- C:\Documents and Settings\moo\Application Data\DNA
2008-03-13 23:27 . 2008-03-13 23:27 <DIR> d-------- C:\WINDOWS\Puzzle Quest
2008-03-13 23:27 . 2008-03-13 23:27 <DIR> d-------- C:\Program Files\Puzzle Quest
2008-03-13 23:27 . 2008-03-13 23:27 <DIR> d-------- C:\Program Files\OpenAL
2008-03-13 23:27 . 2008-03-13 23:27 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-03-13 23:27 . 2008-03-13 23:27 114,688 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-03-13 23:26 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-03-13 23:26 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-03-12 20:33 . 2008-03-12 20:33 <DIR> d-------- C:\Program Files\Xming
2008-03-12 13:10 . 2008-03-12 13:10 633,344 --a------ C:\WINDOWS\system32\gpprefcl.dll
2008-03-10 21:32 . 2008-03-10 21:32 <DIR> d-------- C:\Program Files\Kiwi Log Viewer
2008-03-10 04:36 . 2008-03-10 04:36 <DIR> d-------- C:\user_2
2008-03-10 04:36 . 2008-03-10 04:36 <DIR> d-------- C:\user_1
2008-03-10 04:36 . 2008-03-10 04:36 <DIR> d-------- C:\public
2008-03-09 01:11 . 2008-03-09 01:11 <DIR> d-------- C:\Program Files\uTorrent
2008-03-09 01:11 . 2008-04-28 20:06 <DIR> d-------- C:\Documents and Settings\moo\Application Data\uTorrent
2008-03-01 22:21 . 2008-03-02 00:01 <DIR> d-------- C:\emule2008
2008-03-01 20:24 . 2008-03-01 20:24 <DIR> d-------- C:\Program Files\ElcomSoft
2008-03-01 20:24 . 2008-03-02 08:56 1,119 --a------ C:\WINDOWS\ARPR.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-30 17:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Babylon
2008-04-30 17:18 --------- d-----w C:\Documents and Settings\moo\Application Data\DMCache
2008-04-30 16:43 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 3
2008-04-30 13:33 --------- d-----w C:\Documents and Settings\moo\Application Data\Babylon
2008-04-28 21:50 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-04-25 23:29 --------- d-----w C:\Program Files\Xvid
2008-04-25 17:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-18 13:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-10 13:14 --------- d-----w C:\Program Files\Pando Networks
2008-04-08 21:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-06 02:19 --------- d-----w C:\Program Files\Picasa2
2008-04-02 01:19 --------- d-----w C:\Documents and Settings\moo\Application Data\Skype
2008-03-30 15:02 --------- d-----w C:\Documents and Settings\moo\Application Data\skypePM
2008-03-24 14:08 --------- d-----w C:\Documents and Settings\moo\Application Data\Apple Computer
2008-03-21 11:36 --------- d-----w C:\Program Files\Conduit
2008-03-15 02:27 --------- d-----w C:\Program Files\BitTorrent_DNA
2008-03-15 02:27 --------- d-----w C:\Documents and Settings\moo\Application Data\BitTorrent DNA
2008-03-03 02:43 --------- d-----w C:\Program Files\WeFi
2008-02-28 07:49 --------- d-----w C:\Documents and Settings\moo\Application Data\IDM
2008-02-01 15:11 586,240 ----a-w C:\WINDOWS\WLXPGSS.SCR
2008-01-30 18:25 81 ----a-w C:\CTX.DAT
2008-01-27 15:12 21,361 ----a-w C:\WINDOWS\AegisP.sys
2008-01-15 00:24 196,096 ----a-w C:\WINDOWS\UltraMon.scr
2008-01-11 03:10 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{19716784-3273-4282-8F0B-85FB9F2B3CB6}]
C:\WINDOWS\system32\awtQiffc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F749D647-743B-4C39-919F-6943912E59A3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{965B54B0-71E0-4611-8DE7-F73FA0B20E26}"= "C:\Program Files\Babylon\Babylon Toolbar\BabylonIEToolBar.dll" [2007-11-01 16:09 265952]

[HKEY_CLASSES_ROOT\clsid\{965b54b0-71e0-4611-8de7-f73fa0b20e26}]
[HKEY_CLASSES_ROOT\BabylonTBLib.BabylonTB.1]
[HKEY_CLASSES_ROOT\TypeLib\{162484B8-B114-453f-A344-C0B24B0F1D99}]
[HKEY_CLASSES_ROOT\BabylonTBLib.BabylonTB]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{965B54B0-71E0-4611-8DE7-F73FA0B20E26}"= C:\Program Files\Babylon\Babylon Toolbar\BabylonIEToolBar.dll [2007-11-01 16:09 265952]

[HKEY_CLASSES_ROOT\clsid\{965b54b0-71e0-4611-8de7-f73fa0b20e26}]
[HKEY_CLASSES_ROOT\BabylonTBLib.BabylonTB.1]
[HKEY_CLASSES_ROOT\TypeLib\{162484B8-B114-453f-A344-C0B24B0F1D99}]
[HKEY_CLASSES_ROOT\BabylonTBLib.BabylonTB]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-08 21:29 68856]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CamTray.exe" [2005-10-27 19:00 299008]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-10 22:49 288576]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"IDMan"="C:\Documents and Settings\Default User\Local Settings\Temp\bh11ySa6d\IDMan.exe" [2008-11-05 12:41 2561456]
"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2008-04-08 13:22 6116680]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 20:04 139264]
"Jing"="C:\Program Files\TechSmith\Jing\Jing.exe" [2008-04-16 16:09 734464]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"Google Update"="C:\Documents and Settings\moo\Local Settings\Application Data\Google\Update\1.1.27.0\GoogleUpdate.exe" [2008-04-12 10:04 51184]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 08:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 08:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 08:00 455168]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 09:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2005-12-07 04:55 131072]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 10:48 147514]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 19:40 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 03:27 1015808]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-06-17 21:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-06-17 21:43 118784]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-12-11 20:36 366400]
"VF0070 STISvc"="V0070Pin.dll" [2004-11-16 02:00 36864 C:\WINDOWS\system32\V0070Pin.dll]
"Babylon Client"="C:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [2007-11-01 16:09 3032800]
"Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 14:08 57344 C:\WINDOWS\system32\ico.exe]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 03:29 102400]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-11-01 14:51 995328]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-11-01 14:47 1101824]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"StartFireOneApplet"="FireOnecp.exe" [2007-03-08 17:24 622592 C:\WINDOWS\system32\FireOnecp.exe]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46 624248]

C:\Documents and Settings\moo\Start Menu\Programs\Startup\
Google Talk, Labs Edition.lnk - C:\Documents and Settings\moo\Local Settings\Application Data\Google\Google Talk, Labs Edition\GoogleTalkLabsEdition.exe [2008-04-02 11:44:28 94704]
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-04-25 13:04:18 546816]
Nikon Monitor.lnk - C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 20:10:42 479232]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
UltraMon.lnk - C:\WINDOWS\Installer\{AF0FA6D7-96F3-468A-ABB7-28BE006EA8E9}\IcoUltraMon.ico [2008-01-29 22:53:04 29310]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
-ra------ 2007-12-04 03:07 61440 C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-09-07 19:01 43008 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CitiVAN]
--a------ 2004-08-12 14:51 192512 C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-02-13 19:09 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eyeBeam SIP Client]
--a------ 2007-08-20 20:13 22872064 C:\Program Files\CounterPath\eyeBeam 1.5\eyeBeam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
--a------ 2007-12-25 17:25 937984 C:\Program Files\FileZilla Server\FileZilla Server Interface.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 17:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando]
--a------ 2008-04-08 13:22 6116680 C:\Program Files\Pando Networks\Pando\Pando.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-12-07 16:08 21686568 C:\Program Files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\vmule2007\\emule.exe"=
"C:\\Program Files\\FileZilla\\FileZilla.exe"=
"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"=
"C:\\Program Files\\Gizmo Project\\mDNSResponder.exe"=
"C:\\Program Files\\Gizmo Project\\Gizmo.exe"=
"C:\\Program Files\\X-PRO\\X-PRO.exe"=
"C:\\Program Files\\Mace Security\\DS-IRECClient.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\CounterPath\\eyeBeam 1.5\\eyeBeam.exe"=
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\RayV\\RayV\\RayV.exe"=
"C:\\Program Files\\MATLAB\\R2007b\\bin\\win32\\MATLAB.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\Xming\\Xming.exe"=
"C:\\Program Files\\PuTTY\\putty.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Documents and Settings\\moo\\Local Settings\\Application Data\\Google\\Google Talk, Labs Edition\\GoogleTalkLabsEdition.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 RTWTKRNL;Real-Time Windows Target;C:\WINDOWS\system32\drivers\RTWTKRNL.sys [2007-07-26 23:29]
R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2006-09-24 21:22]
R2 VLC media player;VLC media player;"C:\Program Files\VideoLAN\VLC\vlc.exe" -I ntservice []
R3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys [2006-09-24 21:23]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 16:22]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-23 22:12]
S3 P1171VID;Creative WebCam Notebook #2;C:\WINDOWS\system32\DRIVERS\P1171Vid.sys [2004-03-19 02:00]
S3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 13:55]
S3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2003-02-11 13:25]
S3 swmsflt;swmsflt;C:\WINDOWS\system32\drivers\swmsflt.sys [2008-01-03 16:21]
S3 TascamFireOneSrv;Tascam FireOne Audio Driver (WDM);C:\WINDOWS\system32\drivers\FireOne.sys [2007-03-08 17:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29137b72-3a42-11dc-b08a-00c09f9b110f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder
"2008-04-24 00:38:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-30 17:24:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 13:19:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 23

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Documents and Settings\Default User\Local Settings\Temp\bh11ySa6d\IEMonitor.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-04-30 13:32:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-30 17:32:05

Pre-Run: 3,653,763,072 bytes free
Post-Run: 5,537,607,680 bytes free

353 --- E O F --- 2008-03-28 21:31:07
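
The log above is the raw material a helper reads by eye: Run keys, Browser Helper Objects, firewall exceptions, services. As an added example (not from the poster, the helpers, or ComboFix itself), here is a small Python triage script that parses the registry-style autostart sections in this log format and flags the two patterns visible in the log: an autostart whose executable runs from a Temp directory, and a Browser Helper Object whose DLL is an eight-letter mixed-case name sitting directly in system32 with no [date time size] stamp after the path. The sample lines are excerpted from the log above (plus one known-good ctfmon.exe line as a control); the function names, the regular expressions and the heuristics themselves are this example's own assumptions, not ComboFix's logic, and a hit is a lead to verify against the file on disk, not a verdict.

```python
r"""Triage helper for ComboFix-style autostart listings (added example).

Not ComboFix code and not part of the thread above. It parses the
[HKEY_...] sections ComboFix prints and applies two heuristics:

  1. an autostart whose executable lives under a \Temp\ directory;
  2. a Browser Helper Object whose DLL sits directly in
     %SystemRoot%\system32, has an eight-letter mixed-case name and
     carries no [date time size] stamp after the path.

SAMPLE_LOG is excerpted from the posted log; the ctfmon.exe line is a
known-good control. Function names, regexes and both heuristics are
assumptions of this example; a hit is a lead for a human to check.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Excerpt of the ComboFix log above (ctfmon.exe line added as a control).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{19716784-3273-4282-8F0B-85FB9F2B3CB6}]
C:\WINDOWS\system32\awtQiffc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{965B54B0-71E0-4611-8DE7-F73FA0B20E26}"= "C:\Program Files\Babylon\Babylon Toolbar\BabylonIEToolBar.dll" [2007-11-01 16:09 265952]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-08 21:29 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"IDMan"="C:\Documents and Settings\Default User\Local Settings\Temp\bh11ySa6d\IDMan.exe" [2008-11-05 12:41 2561456]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"""

# [HKEY_...\Run] style section header
HEADER_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "name"="path" [stamp]   (ComboFix also writes "name"= "path" with a space)
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*"?(?P<path>[^"\[]+?)"?(?:\s+\[(?P<stamp>[^\]]*)\])?$')
# bare path line printed under a Browser Helper Objects header
BARE_PATH_RE = re.compile(r'^(?P<path>[A-Za-z]:\\[^\[]+?)(?:\s+\[(?P<stamp>[^\]]*)\])?$')

TEMP_DIR_RE = re.compile(r'\\temp\\', re.IGNORECASE)
SYSTEM32_RE = re.compile(r'^[a-z]:\\windows\\system32\\(?P<file>[^\\]+)$', re.IGNORECASE)
RANDOM_DLL_RE = re.compile(r'^[A-Za-z]{8}\.dll$')


@dataclass
class Entry:
    section: str            # registry key the line was printed under
    name: Optional[str]     # value name; None for a bare BHO path line
    path: str               # executable or DLL path as printed
    stamp: Optional[str]    # text inside the trailing [...] or None


def parse_autostarts(text: str) -> List[Entry]:
    """Walk the log, tracking the current [section], and collect entries."""
    entries: List[Entry] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append(Entry(section, m.group("name"), m.group("path").strip(), m.group("stamp")))
            continue
        m = BARE_PATH_RE.match(line)
        if m and "Browser Helper Objects" in section:
            entries.append(Entry(section, None, m.group("path").strip(), m.group("stamp")))
    return entries


def flag_temp_autostart(e: Entry) -> Optional[str]:
    """Heuristic 1: nothing legitimate should autostart out of a Temp folder."""
    if TEMP_DIR_RE.search(e.path):
        return "autostart runs from a Temp directory"
    return None


def flag_random_system32_bho(e: Entry) -> Optional[str]:
    """Heuristic 2: BHO DLL in system32, 8 letters, mixed case, no stamp."""
    if "Browser Helper Objects" not in e.section:
        return None
    m = SYSTEM32_RE.match(e.path)
    if not m:
        return None
    fname = m.group("file")
    stem = fname[:-4]
    mixed_case = stem != stem.lower() and stem != stem.upper()
    if RANDOM_DLL_RE.match(fname) and mixed_case and e.stamp is None:
        return "BHO is an 8-letter mixed-case DLL in system32 with no [date size] stamp"
    return None


def triage(text: str) -> List[Tuple[Entry, str]]:
    """Return (entry, reason) pairs for every entry that trips a heuristic."""
    hits: List[Tuple[Entry, str]] = []
    for e in parse_autostarts(text):
        for check in (flag_temp_autostart, flag_random_system32_bho):
            reason = check(e)
            if reason:
                hits.append((e, reason))
    return hits


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {entry.path}  (under {entry.section})")
```

Run it against a whole saved ComboFix log by reading the file into `triage()` instead of `SAMPLE_LOG`; on this excerpt it reports only the IDMan.exe entry in the Default User Temp folder and the awtQiffc.dll BHO, and stays silent on the stamped, vendor-path entries.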

moofleta
2008-04-30, 20:44
Sorry, I am running McAfee, not TrendMicro.

pskelley
2008-05-02, 17:04
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You missed some instructions at the top of this forum.
Do NOT run 'fixes' before helpers have analyzed HJT/KAV scans
http://forums.spybot.info/showthread.php?t=16806

ComboFix is not a general purpose cleaning tool. Please do not use this tool without supervision.

If you still need help, I see this:
ComboFix 08-04-29.5 - moo 2008-04-30 13:04:17.1
HijackThis v2.0.2 Scan saved at 12:56:18 PM, on 4/30/2008

Looks like ComboFix was run after the HJT log? Post a new HJT log for starters.

fyi: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop. An image showing this is below.

Thanks

pskelley
2008-05-09, 21:33
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.