PDA

View Full Version : Virtumonde



cryptus92
2008-05-16, 02:37
HJT Logfile

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:24:48 PM, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\EZSP_PX.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\TOSHIBA\sysstability\tsyssmon.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\TOSHIBA\ivp\ism\ivpsvmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ACU] C:\Program Files\Atheros\acu.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\EZSP_PX.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Pinger] c:\TOSHIBA\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\TOSHIBA\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\eaaoonib.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Double Desktop Switcher] C:\Program Files\Double Desktop Switcher\DoubleDesktop.exe
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194923325657
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194923316905
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 12355 bytes

[B]KASPERSKY ONLINE SCANNER REPORT
Thursday, May 15, 2008 6:50:12 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/05/2008
Kaspersky Anti-Virus database records: 774093
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 151362
Number of viruses found 7
Number of infected objects 10
Number of suspicious objects 0
Duration of the scan process 04:24:05

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Joseph Jr\Application Data\Mozilla\Firefox\Profiles\x3zfxszo.default\cert8.db Object is locked skipped
C:\Documents and Settings\Joseph Jr\Application Data\Mozilla\Firefox\Profiles\x3zfxszo.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Joseph Jr\Application Data\Mozilla\Firefox\Profiles\x3zfxszo.default\history.dat Object is locked skipped
C:\Documents and Settings\Joseph Jr\Application Data\Mozilla\Firefox\Profiles\x3zfxszo.default\key3.db Object is locked skipped
C:\Documents and Settings\Joseph Jr\Application Data\Mozilla\Firefox\Profiles\x3zfxszo.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Joseph Jr\Application Data\Mozilla\Firefox\Profiles\x3zfxszo.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Joseph Jr\Application Data\Mozilla\Firefox\Profiles\x3zfxszo.default\webappsstore.sqlite Object is locked skipped
C:\Documents and Settings\Joseph Jr\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Joseph Jr\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Joseph Jr\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Joseph Jr\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Joseph Jr\Local Settings\History\History.IE5\MSHist012008051420080515\index.dat Object is locked skipped
C:\Documents and Settings\Joseph Jr\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Joseph Jr\Local Settings\Temp\~DF2CBD.tmp Object is locked skipped
C:\Documents and Settings\Joseph Jr\Local Settings\Temp\~DF2DF1.tmp Object is locked skipped
C:\Documents and Settings\Joseph Jr\Local Settings\Temp\~DFC01C.tmp Object is locked skipped
C:\Documents and Settings\Joseph Jr\Local Settings\Temp\~DFEAD7.tmp Object is locked skipped
C:\Documents and Settings\Joseph Jr\Local Settings\Temp\~DFEB49.tmp Object is locked skipped
C:\Documents and Settings\Joseph Jr\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Joseph Jr\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Joseph Jr\ntuser.dat Object is locked skipped
C:\Documents and Settings\Joseph Jr\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\MapleDream\MapleDreamT003.exe Infected: Trojan-PSW.Win32.LdPinch.rnd skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\29A67C13 Infected: Trojan.Java.ClassLoader.ap skipped
C:\Program Files\Norton AntiVirus\Quarantine\29A9260F Infected: Trojan.Java.ClassLoader.ap skipped
C:\Program Files\Norton AntiVirus\Quarantine\63997D7B Infected: Trojan.Java.ClassLoader.ap skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CA13F29F-513E-40A6-9305-1CFC0E4DD046}\RP263\A0041090.exe Infected: DoS.Win32.Bing.b skipped
C:\System Volume Information\_restore{CA13F29F-513E-40A6-9305-1CFC0E4DD046}\RP312\A0062719.exe Infected: DoS.Win32.Bing.b skipped
C:\System Volume Information\_restore{CA13F29F-513E-40A6-9305-1CFC0E4DD046}\RP320\A0069267.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rkm skipped
C:\System Volume Information\_restore{CA13F29F-513E-40A6-9305-1CFC0E4DD046}\RP322\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\eaaoonib.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rjo skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hqbgoqac.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rkn skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wehtydsa.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rjn skipped
C:\WINDOWS\Temp\2wswlog\2PortalMon_Debug.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
Scan process completed.

I've been infected with Virtumonde (confirmed by Spybot Scan and Kaspersky) and have had no luck with removal. Also, Tea Timer has asked me about important registry changes (I tried stopping eaaoonib.dll and another suspicious from starting with msconfig upon startup, but it just keeps prompting, through Tea Timer, for a registry change and after blacklisting the registry change, it overloads explorer.exe (buffer access?) somehow by flooding me with Tea Timer messages (does this make sense? T.T I'm challenged when it comes to computers) and somehow causes Spybot to crash, thus allowing the registry change when Spybot is no longer running. There are also messages about entries of an additional .dll, but I've denied it and it only pops up every now and then...

Thanks :lip:

Rorschach112
2008-05-16, 03:26
Hello

Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



[kill explorer]
C:\MapleDream\MapleDreamT003.exe
C:\WINDOWS\system32\eaaoonib.dll
C:\WINDOWS\system32\hqbgoqac.dll
C:\WINDOWS\system32\wehtydsa.dll
purity
[start explorer]


Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.





Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

cryptus92
2008-05-17, 01:11
OTMoveIt2 Log

Explorer killed successfully
C:\MapleDream\MapleDreamT003.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\eaaoonib.dll
C:\WINDOWS\system32\eaaoonib.dll NOT unregistered.
C:\WINDOWS\system32\eaaoonib.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\hqbgoqac.dll
C:\WINDOWS\system32\hqbgoqac.dll NOT unregistered.
C:\WINDOWS\system32\hqbgoqac.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\wehtydsa.dll
C:\WINDOWS\system32\wehtydsa.dll NOT unregistered.
C:\WINDOWS\system32\wehtydsa.dll moved successfully.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05162008_160004


ComboFix Log

ComboFix 08-05-15.3 - Joseph Jr 2008-05-16 16:22:11.1 - NTFSx86
Running from: C:\Documents and Settings\Joseph Jr\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Joseph Jr\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\asdythew.ini
C:\WINDOWS\system32\CffMlnpo.ini
C:\WINDOWS\system32\CffMlnpo.ini2
C:\WINDOWS\system32\hivpucpl.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\olibrhbt.exe
C:\WINDOWS\system32\pvbxshim.exe
C:\WINDOWS\system32\vjwgojld.ini
C:\WINDOWS\system32\vupseonk.exe
C:\WINDOWS\system32\ycbmcdqx.ini
C:\WINDOWS\system32\YGjSYJjl.ini
C:\WINDOWS\system32\YGjSYJjl.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-16 to 2008-05-16 )))))))))))))))))))))))))))))))
.

2008-05-16 16:20 . 2008-05-16 16:20 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-16 16:00 . 2008-05-16 16:00 <DIR> d-------- C:\_OTMoveIt
2008-05-15 19:39 . 2008-05-15 19:39 133,120 --a------ C:\WINDOWS\system32\dnydxbwh.dll
2008-05-15 19:30 . 2008-05-15 19:30 116,736 --a------ C:\WINDOWS\system32\vlwlfdwh.dll
2008-05-15 19:30 . 2008-05-15 19:30 646 ---hs---- C:\WINDOWS\system32\hwdflwlv.ini
2008-05-15 19:27 . 2008-05-15 19:27 125,952 --a------ C:\WINDOWS\system32\ntakmtlx.dll
2008-05-15 18:24 . 2008-05-15 18:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-14 19:34 . 2008-05-14 19:34 133,120 --a------ C:\WINDOWS\system32\tkcuaser.dll
2008-05-14 19:26 . 2008-05-14 19:26 126,464 --a------ C:\WINDOWS\system32\avdanjtt.dll
2008-05-14 19:25 . 2008-05-14 19:25 369,664 --a------ C:\WINDOWS\system32\opnlMffC.dll
2008-05-14 19:13 . 2008-05-14 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-14 19:12 . 2008-05-14 19:12 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-14 18:38 . 2008-05-14 18:38 <DIR> d-------- C:\VundoFix Backups
2008-05-13 23:04 . 2008-05-14 15:51 153 --a------ C:\WINDOWS\wininit.ini
2008-05-13 21:13 . 2008-05-13 21:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-13 21:13 . 2008-05-13 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-13 04:24 . 2008-05-13 04:24 131,584 --a------ C:\WINDOWS\system32\ulmfoklt.dll
2008-05-12 19:24 . 2008-05-12 19:24 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-12 19:24 . 2008-05-12 19:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-12 19:11 . 2008-05-12 19:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-12 18:10 . 2008-05-12 18:11 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-12 18:10 . 2008-05-12 18:10 <DIR> d-------- C:\Documents and Settings\Joseph Jr\Application Data\PC Tools
2008-05-12 18:10 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-12 18:10 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-12 18:10 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-12 18:10 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-12 16:55 . 2008-05-12 16:55 <DIR> d-------- C:\Program Files\Microsoft
2008-05-12 04:28 . 2008-05-12 04:28 115,712 --a------ C:\WINDOWS\system32\dljogwjv.dll
2008-05-12 04:25 . 2008-05-12 04:25 132,096 --a------ C:\WINDOWS\system32\mqtvnbeg.dll
2008-05-12 04:22 . 2008-05-15 19:27 109,803 --a------ C:\WINDOWS\BMd326df7b.xml
2008-05-11 18:14 . 2008-05-11 18:14 <DIR> d-------- C:\Intel
2008-05-11 18:14 . 2008-01-31 21:45 53,248 --a------ C:\WINDOWS\system32\CSVer.dll
2008-05-11 18:07 . 2006-01-12 14:52 1,904 --a------ C:\WINDOWS\system32\SetupBD.din
2008-05-11 17:58 . 2008-05-11 17:58 <DIR> d-------- C:\WINDOWS\system32\drivers\umdf
2008-05-11 16:39 . 2004-06-14 14:56 427,864 --a------ C:\WINDOWS\system32\XceedZip.dll
2008-05-11 16:28 . 2008-04-30 17:32 107,596 --a------ C:\toolkit_widget.gif
2008-05-11 16:24 . 2008-05-11 16:24 57,344 --a------ C:\WINDOWS\system32\opnomjhg.dll
2008-05-11 16:16 . 2008-05-11 16:16 57,344 --a------ C:\WINDOWS\system32\geBsttUN.dll
2008-05-11 16:14 . 2008-05-11 16:14 57,344 --a------ C:\WINDOWS\system32\rqRJArSK.dll
2008-05-11 15:59 . 2007-12-04 16:44 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-05-10 08:59 . 2008-05-10 08:59 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-08 19:07 . 2008-05-13 20:51 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\~0
2008-05-08 18:57 . 2008-05-08 18:57 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll
2008-05-08 18:56 . 2004-12-07 10:11 258,352 --a------ C:\WINDOWS\system32\Unicows.dll
2008-05-08 18:16 . 2008-05-08 18:36 <DIR> d-------- C:\Program Files\CamStudio
2008-05-08 18:05 . 2008-05-12 20:54 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-08 18:04 . 2008-05-11 21:19 <DIR> d-------- C:\Fraps
2008-04-21 19:58 . 2008-05-15 22:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-21 19:57 . 2008-04-28 18:17 <DIR> d-------- C:\Program Files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 21:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-15 02:21 --------- d-----w C:\Program Files\StepMania
2008-05-14 08:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-12 23:25 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-05-11 23:08 --------- d-----w C:\Program Files\Intel
2008-05-11 21:38 --------- d-----w C:\Program Files\Azureus
2008-05-11 21:38 --------- d-----w C:\Documents and Settings\Joseph Jr\Application Data\Azureus
2008-04-18 02:45 --------- d-----w C:\Program Files\psx emulation cheater
2008-04-13 00:13 --------- d-----w C:\Documents and Settings\Joseph Jr\Application Data\Image Zone Express
2008-04-11 01:16 --------- d-----w C:\Program Files\PokeTronic
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-26 23:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\ALM
2008-03-26 12:06 --------- d-----w C:\Program Files\PowerISO
2008-03-22 02:27 --------- d-----w C:\Documents and Settings\Joseph Jr\Application Data\Xfire
2008-03-21 16:35 --------- d-----w C:\Program Files\Xfire
2008-03-20 23:18 --------- d-----w C:\Program Files\Java
2008-03-20 01:14 --------- d-----w C:\Documents and Settings\Cerina Ong\Application Data\Yahoo!
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 04:07 --------- d-----w C:\Program Files\GameSpy Arcade
2008-03-19 04:04 --------- d-----w C:\Program Files\Microsoft Games
2008-03-18 12:50 --------- d-----w C:\Documents and Settings\Cerina Ong\Application Data\Intuit
2008-03-16 02:15 --------- d-----w C:\Documents and Settings\Joseph Jr\Application Data\Intuit
2008-03-13 23:06 41,296 ----a-w C:\WINDOWS\system32\xfcodec.dll
2008-03-12 23:22 671,744 ----a-w C:\WINDOWS\isRS-000.tmp
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 04:26 48,456 ----a-w C:\WINDOWS\system32\UninstallElectricSheep.exe
2007-11-14 03:08 32 --sha-w C:\WINDOWS\{04B868A3-1928-4E92-B557-22C92DDF800A}.dat
2007-11-14 03:08 32 --sha-w C:\WINDOWS\system32\{C889D824-F67B-4614-B9D4-3F1D076D1881}.dat
.

------- Sigcheck -------

2003-03-31 14:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 02:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\winlogon.exe
2008-05-12 18:25 502272 6225f14b8ce08ccba8b25ad27843c674 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AA0726C-95B7-4216-AA43-B5BDD524892F}]
2008-05-11 16:14 57344 --a------ C:\WINDOWS\system32\rqRJArSK.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CF1507C-C082-425A-9D98-701379105602}]
2008-05-16 16:47 370688 --a------ C:\WINDOWS\system32\urqRKCvV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CF85951-DE35-42B1-BE60-7F48C7416471}]
C:\WINDOWS\system32\ljJYSjGY.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8c255888-65ce-440a-a135-0399ea78695d}]
2008-05-15 19:39 133120 --a------ C:\WINDOWS\system32\dnydxbwh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F34B6241-BE5E-4B8A-BB9F-ACA484B6BB8A}]
2008-05-14 19:25 369664 --a------ C:\WINDOWS\system32\opnlMffC.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Double Desktop Switcher"="C:\Program Files\Double Desktop Switcher\DoubleDesktop.exe" [2002-11-22 14:10 1266688]
"DriverUpdaterPro"="C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRISMSVR.EXE"="C:\WINDOWS\System32\PRISMSVR.exe" [ ]
"2wSysTray"="C:\Program Files\2Wire\2PortalMon.exe" [2004-05-25 06:24 393216]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-04-07 00:19 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-04-07 00:07 114688]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 23:32 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 23:31 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 23:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 23:32 455168]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-12-25 15:38 159744]
"ACU"="C:\Program Files\Atheros\acu.exe" [2003-01-17 18:40 1654784]
"ezShieldProtector for Px"="C:\WINDOWS\system32\EZSP_PX.EXE" [2002-08-20 12:29 40960]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-12-13 13:47 54512]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-12-13 13:47 58616]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2003-01-17 11:41 253952]
"000StTHK"="000StTHK.exe" [2001-06-23 21:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"TFNF5"="TFNF5.exe" [2001-08-03 18:08 73728 C:\WINDOWS\system32\TFNF5.exe]
"Tpwrtray"="TPWRTRAY.EXE" [2002-12-10 11:49 237568 C:\WINDOWS\system32\TPWRTRAY.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 12:20 88363 C:\WINDOWS\agrsmmsg.exe]
"Pinger"="c:\TOSHIBA\ivp\ism\pinger.exe" [2002-10-17 14:21 159744]
"TSysSMon"="c:\TOSHIBA\sysstability\tsyssmon.exe" [2003-02-25 18:03 49152]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 19:00 126976]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47 31016]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 03:41 49152]
"UDC Integration"="" []
"VX3000"="C:\WINDOWS\vVX3000.exe" [2006-10-13 18:04 707376]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 18:01 277296]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-03-14 18:50 233472]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 16:22 3739648]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 09:11 1388544]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 01:56 158208]
"@"="" []
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 08:27 860160]
"BMd326df7b"="C:\WINDOWS\system32\dtlnurld.dll" [2008-05-16 16:50 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Spybot - Search & Destroy"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2008-01-28 11:43 5146448]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

C:\Documents and Settings\Joseph Jr\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2AA0726C-95B7-4216-AA43-B5BDD524892F}"= C:\WINDOWS\system32\rqRJArSK.dll [2008-05-11 16:14 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRJArSK]
rqRJArSK.dll 2008-05-11 16:14 57344 C:\WINDOWS\system32\rqRJArSK.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\urqRKCvV

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-03-01 00:06 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMd326df7b]
C:\WINDOWS\system32\eaaoonib.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d015ece7]
C:\WINDOWS\system32\wehtydsa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
--------- 2003-01-02 18:16 172032 C:\Program Files\ltmoh\Ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2007-12-03 14:21 3461120 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 18:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Nexon\\KartRider\\NMService.exe"=
"C:\\ijji\\ENGLISH\\u_gbound.exe"=
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Nexon\\MapleStory\\MapleStory.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Arcadia\\Arcadia.exe"=
"C:\\Program Files\\NATEON\\BIN\\NateOnMain.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\ElectricSheep.scr"=
"C:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50000:TCP"= 50000:TCP:azu
"50000:UDP"= 50000:UDP:azu2

R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\system32\DRIVERS\TVALG.SYS [2001-09-13 20:53]
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2006-10-13 18:01]
R3 wlags48b;Wireless LAN PCCard Driver;C:\WINDOWS\system32\DRIVERS\wlags48b.sys [2002-06-28 17:29]
S3 iCheat1;iCheat1;C:\Documents and Settings\Joseph Jr\Desktop\icheat_2.0\Engine\WWW.TSFOROS.COM\bin\iDriver.sys []
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;C:\Documents and Settings\Joseph Jr\Desktop\Marche_Hack_Pack\Marche Hack Pack\IlvMoney1105.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 15:22]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-12 15:48:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-16 20:48:59 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-05-16 21:43:55 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-16 16:42:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Double Desktop Switcher = C:\Program Files\Double Desktop Switcher\DoubleDesktop.exe??p?K?\?????????E?????M?????K?\???$?E?G?E?$?K?O?E?M?????K?8?????????????????E?8?????F?????p?K?p?K?????t?????E?????????????????$?E?G?E?$?K?<???l?I?????X???<e??x???,???X?F??w????F???K?X?F??w??#?I??w??7??

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\rqRJArSK.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\yhicqhed.dll
-> C:\WINDOWS\system32\dtlnurld.dll
-> C:\WINDOWS\system32\urqRKCvV.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton AntiVirus\Navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\system32\rundll32.exe
C:\TOSHIBA\ivp\ISM\Ivpsvmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-16 16:57:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-16 21:56:29

Pre-Run: 31,263,473,664 bytes free
Post-Run: 31,899,693,056 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

316 --- E O F --- 2008-05-14 08:04:13

[B]New HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:07 PM, on 5/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\EZSP_PX.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\TOSHIBA\sysstability\tsyssmon.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\TOSHIBA\ivp\ism\ivpsvmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ACU] C:\Program Files\Atheros\acu.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\EZSP_PX.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Pinger] c:\TOSHIBA\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\TOSHIBA\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [d015ece7] rundll32.exe "C:\WINDOWS\system32\yhicqhed.dll",b
O4 - HKLM\..\Run: [BMd326df7b] Rundll32.exe "C:\WINDOWS\system32\puqlhpnn.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Double Desktop Switcher] C:\Program Files\Double Desktop Switcher\DoubleDesktop.exe
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194923325657
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194923316905
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 12093 bytes


Also, a Teatimer warning popped up after the Restart from ComboFix requesting that a global system startup entry for eaaoonib.dll be changed to the .dll file from this part of the ComboFix entry (seen below, ntakmtlx.dll). I denied the change, although I don't know if that was the right thing to do. However, it kept prompting me to change it and I had to end Spybot from the task manager because the computer was starting to freeze up (my computer has low memory ._.?) with a large memory usage from Spybot appearing and I guess it managed to get changed anyways.

2008-05-15 19:27 . 2008-05-15 19:27 125,952 --a------ C:\WINDOWS\system32\ntakmtlx.dll

Rorschach112
2008-05-18, 21:03
Hello


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\system32\dnydxbwh.dll
C:\WINDOWS\system32\vlwlfdwh.dll
C:\WINDOWS\system32\hwdflwlv.ini
C:\WINDOWS\system32\ntakmtlx.dll
C:\WINDOWS\system32\tkcuaser.dll
C:\WINDOWS\system32\avdanjtt.dll
C:\WINDOWS\system32\opnlMffC.dll
C:\WINDOWS\system32\ulmfoklt.dll
C:\WINDOWS\system32\dljogwjv.dll
C:\WINDOWS\system32\mqtvnbeg.dll
C:\WINDOWS\BMd326df7b.xml
C:\WINDOWS\system32\opnomjhg.dll
C:\WINDOWS\system32\geBsttUN.dll
C:\WINDOWS\system32\rqRJArSK.dll
C:\WINDOWS\system32\wehtydsa.dll
C:\WINDOWS\system32\eaaoonib.dll

Folder::

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2AA0726C-95B7-4216-AA43-B5BDD524892F}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMd326df7b]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d015ece7]

Driver::



Save this as CFScript.txt, in the same location as ComboFix.exe


http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

C:\WINDOWS\system32\winlogon.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.



Also post a new HijackThis log

cryptus92
2008-05-19, 03:50
Lots fixed, but a whole new set of things to worry about. Seems it made like another.. 13 DLL files. Also, the BMd326df7b thing still seems to exist because I still get Tea Timer warnings about it trying to change the registry to load the NEW malicious .dlls on startup.


ComboFix Log

ComboFix 08-05-15.3 - Joseph Jr 2008-05-18 18:19:05.2 - NTFSx86
Running from: C:\Documents and Settings\Joseph Jr\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Joseph Jr\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BMd326df7b.xml
C:\WINDOWS\system32\avdanjtt.dll
C:\WINDOWS\system32\dljogwjv.dll
C:\WINDOWS\system32\dnydxbwh.dll
C:\WINDOWS\system32\eaaoonib.dll
C:\WINDOWS\system32\geBsttUN.dll
C:\WINDOWS\system32\hwdflwlv.ini
C:\WINDOWS\system32\mqtvnbeg.dll
C:\WINDOWS\system32\ntakmtlx.dll
C:\WINDOWS\system32\opnlMffC.dll
C:\WINDOWS\system32\opnomjhg.dll
C:\WINDOWS\system32\rqRJArSK.dll
C:\WINDOWS\system32\tkcuaser.dll
C:\WINDOWS\system32\ulmfoklt.dll
C:\WINDOWS\system32\vlwlfdwh.dll
C:\WINDOWS\system32\wehtydsa.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Joseph Jr\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
C:\Documents and Settings\Joseph Jr\Local Settings\Temporary Internet Files\ijjistarter2.exe
C:\Documents and Settings\Joseph Jr\Local Settings\Temporary Internet Files\ijjistarter2FxB.exe
C:\WINDOWS\BMd326df7b.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\avdanjtt.dll
C:\WINDOWS\system32\CffMlnpo.ini
C:\WINDOWS\system32\CffMlnpo.ini2
C:\WINDOWS\system32\dehqcihy.ini
C:\WINDOWS\system32\dljogwjv.dll
C:\WINDOWS\system32\dnydxbwh.dll
C:\WINDOWS\system32\drcsotft.exe
C:\WINDOWS\system32\geBsttUN.dll
C:\WINDOWS\system32\guasbpeg.ini
C:\WINDOWS\system32\hwdflwlv.ini
C:\WINDOWS\system32\lqaviisy.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mqtvnbeg.dll
C:\WINDOWS\system32\ntakmtlx.dll
C:\WINDOWS\system32\opnomjhg.dll
C:\WINDOWS\system32\ovirqewm.ini
C:\WINDOWS\system32\prnegjnw.exe
C:\WINDOWS\system32\pthtbxsp.exe
C:\WINDOWS\system32\reeuewvp.ini
C:\WINDOWS\system32\rqRJArSK.dll
C:\WINDOWS\system32\tkcuaser.dll
C:\WINDOWS\system32\ulmfoklt.dll
C:\WINDOWS\system32\vlwlfdwh.dll
C:\WINDOWS\system32\vxGjmnmp.ini
C:\WINDOWS\system32\vxGjmnmp.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-18 10:37 . 2008-05-18 10:37 133,120 --a------ C:\WINDOWS\system32\xpmmejao.dll
2008-05-18 10:31 . 2008-05-18 10:31 117,248 --a------ C:\WINDOWS\system32\gepbsaug.dll
2008-05-18 10:25 . 2008-05-18 10:25 124,928 --a------ C:\WINDOWS\system32\fgqmplmf.dll
2008-05-18 10:22 . 2008-05-18 10:22 124,928 --a------ C:\WINDOWS\system32\glukdqrx.dll
2008-05-17 10:32 . 2008-05-17 10:32 116,224 --a------ C:\WINDOWS\system32\mweqrivo.dll
2008-05-17 10:26 . 2008-05-17 10:26 134,144 --a------ C:\WINDOWS\system32\dowixlbo.dll
2008-05-17 10:21 . 2008-05-17 10:21 125,952 --a------ C:\WINDOWS\system32\iulfhwgy.dll
2008-05-17 10:20 . 2008-05-17 10:20 371,712 --a------ C:\WINDOWS\system32\pmnmjGxv.dll
2008-05-16 17:13 . 2008-05-16 17:13 116,736 --a------ C:\WINDOWS\system32\pvweueer.dll
2008-05-16 17:07 . 2008-05-16 17:07 135,680 --a------ C:\WINDOWS\system32\iyygrjvc.dll
2008-05-16 17:06 . 2008-05-16 17:06 125,952 --a------ C:\WINDOWS\system32\puqlhpnn.dll
2008-05-16 16:57 . 2008-05-16 16:58 135,680 --a------ C:\WINDOWS\system32\uhvvrrlp.dll
2008-05-16 16:50 . 2008-05-16 16:50 125,952 --a------ C:\WINDOWS\system32\dtlnurld.dll
2008-05-16 16:20 . 2008-05-16 16:20 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-16 16:00 . 2008-05-16 16:00 <DIR> d-------- C:\_OTMoveIt
2008-05-15 18:24 . 2008-05-15 18:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-14 19:13 . 2008-05-14 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-14 19:12 . 2008-05-14 19:12 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-14 18:38 . 2008-05-14 18:38 <DIR> d-------- C:\VundoFix Backups
2008-05-13 23:04 . 2008-05-17 10:04 211 --a------ C:\WINDOWS\wininit.ini
2008-05-13 21:13 . 2008-05-13 21:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-13 21:13 . 2008-05-13 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-12 19:24 . 2008-05-12 19:24 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-12 19:24 . 2008-05-12 19:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-12 19:11 . 2008-05-12 19:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-12 18:10 . 2008-05-12 18:11 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-12 18:10 . 2008-05-12 18:10 <DIR> d-------- C:\Documents and Settings\Joseph Jr\Application Data\PC Tools
2008-05-12 18:10 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-12 18:10 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-12 18:10 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-12 18:10 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-12 16:55 . 2008-05-12 16:55 <DIR> d-------- C:\Program Files\Microsoft
2008-05-11 18:14 . 2008-05-11 18:14 <DIR> d-------- C:\Intel
2008-05-11 18:14 . 2008-01-31 21:45 53,248 --a------ C:\WINDOWS\system32\CSVer.dll
2008-05-11 18:07 . 2006-01-12 14:52 1,904 --a------ C:\WINDOWS\system32\SetupBD.din
2008-05-11 17:58 . 2008-05-11 17:58 <DIR> d-------- C:\WINDOWS\system32\drivers\umdf
2008-05-11 16:39 . 2004-06-14 14:56 427,864 --a------ C:\WINDOWS\system32\XceedZip.dll
2008-05-11 16:28 . 2008-04-30 17:32 107,596 --a------ C:\toolkit_widget.gif
2008-05-11 15:59 . 2007-12-04 16:44 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-05-10 08:59 . 2008-05-10 08:59 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-08 19:07 . 2008-05-13 20:51 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\~0
2008-05-08 18:57 . 2008-05-08 18:57 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll
2008-05-08 18:56 . 2004-12-07 10:11 258,352 --a------ C:\WINDOWS\system32\Unicows.dll
2008-05-08 18:16 . 2008-05-08 18:36 <DIR> d-------- C:\Program Files\CamStudio
2008-05-08 18:05 . 2008-05-12 20:54 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-08 18:04 . 2008-05-11 21:19 <DIR> d-------- C:\Fraps
2008-04-21 19:58 . 2008-05-18 00:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-21 19:57 . 2008-04-28 18:17 <DIR> d-------- C:\Program Files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 23:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-17 14:13 --------- d-----w C:\Program Files\StepMania
2008-05-16 22:47 --------- d--h--w C:\Documents and Settings\Joseph Jr\Application Data\ijjigame
2008-05-14 08:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-12 23:25 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-05-11 23:08 --------- d-----w C:\Program Files\Intel
2008-05-11 21:38 --------- d-----w C:\Program Files\Azureus
2008-05-11 21:38 --------- d-----w C:\Documents and Settings\Joseph Jr\Application Data\Azureus
2008-04-18 02:45 --------- d-----w C:\Program Files\psx emulation cheater
2008-04-13 00:13 --------- d-----w C:\Documents and Settings\Joseph Jr\Application Data\Image Zone Express
2008-04-11 01:16 --------- d-----w C:\Program Files\PokeTronic
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-26 23:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\ALM
2008-03-26 12:06 --------- d-----w C:\Program Files\PowerISO
2008-03-22 02:27 --------- d-----w C:\Documents and Settings\Joseph Jr\Application Data\Xfire
2008-03-21 16:35 --------- d-----w C:\Program Files\Xfire
2008-03-20 23:18 --------- d-----w C:\Program Files\Java
2008-03-20 01:14 --------- d-----w C:\Documents and Settings\Cerina Ong\Application Data\Yahoo!
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 04:07 --------- d-----w C:\Program Files\GameSpy Arcade
2008-03-19 04:04 --------- d-----w C:\Program Files\Microsoft Games
2008-03-18 12:50 --------- d-----w C:\Documents and Settings\Cerina Ong\Application Data\Intuit
2008-03-13 23:06 41,296 ----a-w C:\WINDOWS\system32\xfcodec.dll
2008-03-12 23:22 671,744 ----a-w C:\WINDOWS\isRS-000.tmp
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 04:26 48,456 ----a-w C:\WINDOWS\system32\UninstallElectricSheep.exe
2007-11-14 03:08 32 --sha-w C:\WINDOWS\{04B868A3-1928-4E92-B557-22C92DDF800A}.dat
2007-11-14 03:08 32 --sha-w C:\WINDOWS\system32\{C889D824-F67B-4614-B9D4-3F1D076D1881}.dat
.

------- Sigcheck -------

2003-03-31 14:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 02:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\winlogon.exe
2008-05-12 18:25 502272 6225f14b8ce08ccba8b25ad27843c674 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-05-16_16.52.07.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-16 21:32:47 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-18 23:48:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AA0726C-95B7-4216-AA43-B5BDD524892F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43AD2A96-A74C-4ECB-9AB8-4EE1B59D69D6}]
2008-05-17 10:20 371712 --a------ C:\WINDOWS\system32\pmnmjGxv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8c255888-65ce-440a-a135-0399ea78695d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F34B6241-BE5E-4B8A-BB9F-ACA484B6BB8A}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Double Desktop Switcher"="C:\Program Files\Double Desktop Switcher\DoubleDesktop.exe" [2002-11-22 14:10 1266688]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRISMSVR.EXE"="C:\WINDOWS\System32\PRISMSVR.exe" [ ]
"2wSysTray"="C:\Program Files\2Wire\2PortalMon.exe" [2004-05-25 06:24 393216]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-04-07 00:19 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-04-07 00:07 114688]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 23:32 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 23:31 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 23:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 23:32 455168]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-12-25 15:38 159744]
"ezShieldProtector for Px"="C:\WINDOWS\system32\EZSP_PX.EXE" [2002-08-20 12:29 40960]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-12-13 13:47 54512]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-12-13 13:47 58616]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2003-01-17 11:41 253952]
"000StTHK"="000StTHK.exe" [2001-06-23 21:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"TFNF5"="TFNF5.exe" [2001-08-03 18:08 73728 C:\WINDOWS\system32\TFNF5.exe]
"Tpwrtray"="TPWRTRAY.EXE" [2002-12-10 11:49 237568 C:\WINDOWS\system32\TPWRTRAY.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 12:20 88363 C:\WINDOWS\agrsmmsg.exe]
"Pinger"="c:\TOSHIBA\ivp\ism\pinger.exe" [2002-10-17 14:21 159744]
"TSysSMon"="c:\TOSHIBA\sysstability\tsyssmon.exe" [2003-02-25 18:03 49152]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 19:00 126976]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47 31016]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 03:41 49152]
"VX3000"="C:\WINDOWS\vVX3000.exe" [2006-10-13 18:04 707376]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 09:11 1388544]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2004-08-04 01:56 158208]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 08:27 860160]
"BMd326df7b"="C:\WINDOWS\system32\fgqmplmf.dll" [2008-05-18 10:25 124928]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRJArSK]
rqRJArSK.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Joseph Jr^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\Joseph Jr\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACU]
--a------ 2003-01-17 18:40 1654784 C:\Program Files\Atheros\acu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-03-01 00:06 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverUpdaterPro]
C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 16:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
--a------ 2006-10-13 18:01 277296 C:\Program Files\Microsoft LifeCam\LifeExp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
--------- 2003-01-02 18:16 172032 C:\Program Files\ltmoh\Ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-03-14 18:50 233472 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UDC Integration]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2007-12-03 14:21 3461120 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 18:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Nexon\\KartRider\\NMService.exe"=
"C:\\ijji\\ENGLISH\\u_gbound.exe"=
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Nexon\\MapleStory\\MapleStory.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Arcadia\\Arcadia.exe"=
"C:\\Program Files\\NATEON\\BIN\\NateOnMain.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\ElectricSheep.scr"=
"C:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50000:TCP"= 50000:TCP:azu
"50000:UDP"= 50000:UDP:azu2

R0 TVALG;Toshiba Value Added Logical and General Purpose Device Driver;C:\WINDOWS\system32\DRIVERS\TVALG.SYS [2001-09-13 20:53]
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2006-10-13 18:01]
R3 wlags48b;Wireless LAN PCCard Driver;C:\WINDOWS\system32\DRIVERS\wlags48b.sys [2002-06-28 17:29]
S3 iCheat1;iCheat1;C:\Documents and Settings\Joseph Jr\Desktop\icheat_2.0\Engine\WWW.TSFOROS.COM\bin\iDriver.sys []
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;C:\Documents and Settings\Joseph Jr\Desktop\Marche_Hack_Pack\Marche Hack Pack\IlvMoney1105.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 15:22]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-12 15:48:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-16 20:48:59 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-05-18 23:51:30 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 18:49:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\gepbsaug.dll
-> C:\WINDOWS\system32\fgqmplmf.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton AntiVirus\Navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\TOSHIBA\ivp\ISM\Ivpsvmgr.exe
.
**************************************************************************
.
Completion time: 2008-05-18 19:00:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-19 00:00:31
ComboFix2.txt 2008-05-16 21:57:33

Pre-Run: 31,508,889,600 bytes free
Post-Run: 31,487,471,616 bytes free

332 --- E O F --- 2008-05-14 08:04:13


VirusTotal Log

I don't know if this makes a difference, but I sent it via SLL (check box) because the virus seems to be blocking me from accessing a wide variety of websites like Google or Yahoo or Facebook, and the connection always resets when I try to send it via the normal way.

File winlogon.exe received on 02.10.2008 03:08:53 (CET)
Current status: finished
Result: 0/32 (0.00%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.2.6.10 2008.02.05 -
AntiVir 7.6.0.62 2008.02.08 -
Authentium 4.93.8 2008.02.08 -
Avast 4.7.1098.0 2008.02.09 -
AVG 7.5.0.516 2008.02.09 -
BitDefender 7.2 2008.02.10 -
CAT-QuickHeal None 2008.02.08 -
ClamAV 0.92 2008.02.09 -
DrWeb 4.44.0.09170 2008.02.09 -
eSafe 7.0.15.0 2008.01.28 -
eTrust-Vet 31.3.5522 2008.02.08 -
Ewido 4.0 2008.02.09 -
F-Prot 4.4.2.54 2008.02.10 -
F-Secure 6.70.13260.0 2008.02.09 -
FileAdvisor 1 2008.02.10 -
Fortinet 3.14.0.0 2008.02.09 -
Ikarus T3.1.1.20 2008.02.10 -
Kaspersky 7.0.0.125 2008.02.10 -
McAfee 5226 2008.02.08 -
Microsoft 1.3204 2008.02.10 -
NOD32v2 2861 2008.02.09 -
Norman 5.80.02 2008.02.08 -
Panda 9.0.0.4 2008.02.09 -
Prevx1 V2 2008.02.10 -
Rising 20.29.22.00 2008.01.30 -
Sophos 4.26.0 2008.02.09 -
Sunbelt 2.2.907.0 2008.02.09 -
Symantec 10 2008.02.09 -
TheHacker 6.2.9.215 2008.02.09 -
VBA32 3.12.6.0 2008.02.09 -
VirusBuster 4.3.26:9 2008.02.09 -
Webwasher-Gateway 6.6.2 2008.02.09 -
Additional information
File size: 502272 bytes
MD5: 6225f14b8ce08ccba8b25ad27843c674
SHA1: ec2dbfe0c28b004bee344daa53fdc2e2ced0695f
PEiD: -

New HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:46:43 PM, on 5/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\EZSP_PX.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\TOSHIBA\sysstability\tsyssmon.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\TOSHIBA\ivp\ism\ivpsvmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Double Desktop Switcher\DDE.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {43AD2A96-A74C-4ECB-9AB8-4EE1B59D69D6} - C:\WINDOWS\system32\pmnmjGxv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\EZSP_PX.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Pinger] c:\TOSHIBA\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\TOSHIBA\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\fgqmplmf.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Double Desktop Switcher] C:\Program Files\Double Desktop Switcher\DoubleDesktop.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194923325657
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194923316905
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: rqRJArSK - rqRJArSK.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 12593 bytes

[B]I suppose I'll have to do the combofix script thing again, but put the new .dll files in its place. But I won't try anything until you tell me to!

Thanks for the help so far!

Rorschach112
2008-05-19, 15:31
Hello

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.




1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

R3 - URLSearchHook: (no name) - {ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
O2 - BHO: (no name) - {43AD2A96-A74C-4ECB-9AB8-4EE1B59D69D6} - C:\WINDOWS\system32\pmnmjGxv.dll
O3 - Toolbar: (no name) - {ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
O4 - HKLM\..\Run: [BMd326df7b] Rundll32.exe "C:\WINDOWS\system32\fgqmplmf.dll",s
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - Winlogon Notify: rqRJArSK - rqRJArSK.dll (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\system32\xpmmejao.dll
C:\WINDOWS\system32\gepbsaug.dll
C:\WINDOWS\system32\fgqmplmf.dll
C:\WINDOWS\system32\glukdqrx.dll
C:\WINDOWS\system32\mweqrivo.dll
C:\WINDOWS\system32\dowixlbo.dll
C:\WINDOWS\system32\iulfhwgy.dll
C:\WINDOWS\system32\pmnmjGxv.dll
C:\WINDOWS\system32\pvweueer.dll
C:\WINDOWS\system32\iyygrjvc.dll
C:\WINDOWS\system32\puqlhpnn.dll
C:\WINDOWS\system32\uhvvrrlp.dll
C:\WINDOWS\system32\dtlnurld.dll

DirLook::
C:\Documents and Settings\All Users\Application Data\~0

Registry::

Driver::



Save this as CFScript.txt, in the same location as ComboFix.exe


http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Also post a new HijackThis log

Rorschach112
2008-05-24, 02:31
Due to inactivity, this thread will now be closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.