Virtumonde.dll - can't get rid of it



Zander
2008-05-16, 17:54
Hello,
First off - thanks a million for helping out.

Spybot has found Virtumonde.dll on my computer and it was unable to remove three of the library files. In the description field it said to go to this forum for help. Here I am!

When it tried to remove the entries it came up with an error that it "failed to load c:\program files\spybot - search_destroy\DelZip179.dll"

I use internet explorer but have completely stopped using it until this problem is resolved. Therefore I'm using a second computer to post this info and this is also why I can't post a Kaspersky log.

I have provided the Trend Micro HijackThis log.

Can you please help me figure this out as fast as possible - this machine is critical to my business. Thanks!


************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:47:21 AM, on 5/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe
C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe
C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\adskflex.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Gateway\EzTune\DTHtml.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Free Desktop Clock\DesktopClock.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Documents and Settings\User\Desktop\KnockOut.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\1stWORKS\hotCommCL\BIN\hotComm.exe
C:\Program Files\TradeStation 8.3 (Build 1631)\Program\ORPlat.exe
C:\PROGRA~1\TRADES~2.3(B\Program\ordllhst.exe
C:\PROGRA~1\TRADES~2.3(B\Program\whserver.exe
C:\PROGRA~1\TRADES~2.3(B\Program\orcal.exe
C:\PROGRA~1\TRADES~2.3(B\Program\orclprxy.exe
C:\Program Files\TradeStation 8.3 (Build 1631)\Program\TickShel.EXE
C:\PROGRA~1\TRADES~2.3(B\Program\orchart.exe
C:\PROGRA~1\TRADES~2.3(B\Program\tsrpts.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 168.143.163.89 hcurltest1
O1 - Hosts: 82.165.161.232 hcurltest2
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] "C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [JMB36X Configure] "C:\WINDOWS\system32\JMRaidTool.exe" boot
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [AsusServiceProvider] "C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe"
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [DT GWY] C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe -GWY
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [BM434f52a0] Rundll32.exe "C:\WINDOWS\system32\wqyomtnc.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA6314] command /c del "C:\WINDOWS\system32\abndetdj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4097] cmd /c del "C:\WINDOWS\system32\abndetdj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7126] command /c del "C:\WINDOWS\system32\buhjapty.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2417] cmd /c del "C:\WINDOWS\system32\buhjapty.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7134] command /c del "C:\WINDOWS\system32\mnllcohi.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3490] cmd /c del "C:\WINDOWS\system32\mnllcohi.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3429] command /c del "C:\WINDOWS\system32\ossvupux.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC64] cmd /c del "C:\WINDOWS\system32\ossvupux.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9078] command /c del "C:\WINDOWS\system32\sdjetxon.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9096] cmd /c del "C:\WINDOWS\system32\sdjetxon.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Free Desktop Clock\DesktopClock.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: network.bat
O4 - Startup: Shortcut to KnockOut.lnk = C:\Documents and Settings\User\Desktop\KnockOut.exe
O4 - Startup: µTorrent.lnk = C:\Program Files\uTorrent\utorrent.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173376378546
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Flexlm Service 1 - Macrovision Corporation - C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\Data Deposit Box\nts.exe (file missing)
O23 - Service: RaySat_3dsmax8 Server (RaySat_3dsmax8Server) - Unknown owner - C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/User/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.gif

--
End of file - 16726 bytes
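The lines a helper reads first in a log like this are the O4 Run entry that launches a randomly named system32 DLL through Rundll32 (BM434f52a0 above) and the SpybotDeleting RunOnce entries pointing at `.dll_old` files that survived removal. The following Python triage script is an added illustration, not part of this thread or of HijackThis/Spybot: it parses HijackThis-style lines and flags those patterns. The sample input is constructed from lines of the log above plus one benign entry; the eight-letter-name heuristic and the reason strings are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample input: HijackThis-style lines copied from the log in this
# thread, plus one benign Run entry, so both classes of line appear.
SAMPLE_LOG = r"""
O1 - Hosts: 168.143.163.89 hcurltest1
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [BM434f52a0] Rundll32.exe "C:\WINDOWS\system32\wqyomtnc.dll",s
O4 - HKLM\..\RunOnce: [SpybotDeletingC4097] cmd /c del "C:\WINDOWS\system32\abndetdj.dll_old"
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\Data Deposit Box\nts.exe (file missing)
"""

# "Oxx - body" is the shape HijackThis uses for every finding line.
LINE_RE = re.compile(r"^(R\d|O\d+|F\d) - (.*)$")

# Eight letters followed by .dll inside system32, which is how the DLLs in this
# thread are named (wqyomtnc.dll, abndetdj.dll, ...). A heuristic (assumption),
# not a rule: legitimate DLLs can have eight-letter names too.
RANDOM_DLL_RE = re.compile(r"\\system32\\([a-z]{8})\.dll(_old)?", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_line(line):
    """Split a HijackThis line into (section, body); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def classify(section, body):
    """Return a reason string for entries worth a second look, else None."""
    lowered = body.lower()
    if section == "O1":
        return "hosts-file override: verify the host belongs to software you use"
    if section == "O4" and "rundll32" in lowered and RANDOM_DLL_RE.search(body):
        return ("Run entry loads a randomly named system32 DLL via rundll32 "
                "(Vundo/Virtumonde-style persistence)")
    if section == "O4" and "spybotdeleting" in lowered and ".dll_old" in lowered:
        return "leftover RunOnce cleanup: the renamed DLL survived an earlier removal attempt"
    if section == "O23" and "(file missing)" in lowered:
        return "service points at a file that no longer exists"
    return None


def triage(log_text):
    """Run every line of a HijackThis log through classify() and collect findings."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        section, body = parsed
        reason = classify(section, body)
        if reason:
            findings.append(Finding(section, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Note that the CmPCIaudio line also uses RunDll32 but is not flagged, because the target is a control panel applet rather than a DLL in system32 with a random-looking name; the heuristic keys on the combination, not on rundll32 alone.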

Shaba
2008-05-17, 10:56
Hi Zander

We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), then the Processes tab, and end any processes of findstr, find, sed or swreg; then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post:

- a fresh HijackThis log
- combofix report

Zander
2008-05-17, 20:37
I downloaded ComboFix, disabled all firewall, antivirus and spyware. ComboFix would still not work. I found through trial and error that stopping the attrib.exe process allowed ComboFix to start, however I accidentally pressed the wrong key when it asked if I agreed to the terms.

It deleted itself and I put it back and tried starting it again, however it now just stops at a blue screen and doesn't go any further.

I found a file it creates called 'bug.txt' but deleting this didn't help either.

Please advise!

Shaba
2008-05-17, 21:02
Hi

Please try to run it next in safe mode :)

Zander
2008-05-17, 22:00
I ran it in safe mode, and this time it worked; however, it said it needed to reboot the machine, which it did, and when I logged back in a ComboFix window appeared that displayed a "Please Wait..." screen and wouldn't go any further.

any advice?

Zander
2008-05-17, 22:15
OK - sorry, I forgot about your instructions on what to do if it takes longer than 20 minutes.

I stopped the process called sed.cfexe and it continued for a bit, then stopped when the process called FindStr showed up. I stopped that process and it didn't go any further.

What should I do with the open window?

Shaba
2008-05-17, 22:28
Hi

Try to run combofix in safe mode and when it asks to reboot, reboot back to safe mode and when it's finished boot to normal mode.

Zander
2008-05-17, 23:06
Thanks - that worked. I've posted the log files from ComboFix and HijackThis, created in safe mode.

_________
ComboFix 08-05-15.3 - User 2008-05-17 12:48:00.4 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1740 [GMT -7:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
.
---- Previous Run -------
.
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bacMnnmp.ini
C:\WINDOWS\system32\bacMnnmp.ini2
C:\WINDOWS\system32\bisykmrk.exe
C:\WINDOWS\system32\dddjfnsb.ini
C:\WINDOWS\system32\ediuvoof.ini
C:\WINDOWS\system32\fdmcqrhl.exe
C:\WINDOWS\system32\ghkihwbw.ini
C:\WINDOWS\system32\jowisugx.exe
C:\WINDOWS\system32\loruvyxx.ini
C:\WINDOWS\system32\loruvyxx.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nequyqgc.ini
C:\WINDOWS\system32\noxtejds.ini
C:\WINDOWS\system32\NWHilnnn.ini
C:\WINDOWS\system32\NWHilnnn.ini2
C:\WINDOWS\system32\oxfsewbo.exe
C:\WINDOWS\system32\prrXycdd.ini
C:\WINDOWS\system32\prrXycdd.ini2
C:\WINDOWS\system32\qkgbglgc.ini
C:\WINDOWS\system32\TwGjPqru.ini
C:\WINDOWS\system32\TwGjPqru.ini2
C:\WINDOWS\system32\vooyohat.exe
C:\WINDOWS\system32\XbKmTtwa.ini
C:\WINDOWS\system32\XbKmTtwa.ini2
C:\WINDOWS\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.

2008-05-17 12:42 . 2008-05-17 12:42 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-17 12:14 . 2008-05-17 12:14 125,952 --a------ C:\WINDOWS\system32\jycuauie.dll
2008-05-17 12:13 . 2008-05-17 12:13 371,712 --a------ C:\WINDOWS\system32\awtTmKbX.dll
2008-05-17 12:08 . 2008-05-17 12:38 354 ---hs---- C:\WINDOWS\system32\dddjfnsb.ini
2008-05-17 10:32 . 2008-05-17 10:32 134,144 --a------ C:\WINDOWS\system32\rnupvjbb.dll
2008-05-17 10:26 . 2008-05-17 10:26 116,224 --a------ C:\WINDOWS\system32\bsnfjddd.dll
2008-05-17 10:23 . 2008-05-17 10:23 371,712 --a------ C:\WINDOWS\system32\urqPjGwT.dll
2008-05-17 10:23 . 2008-05-17 10:23 125,952 --a------ C:\WINDOWS\system32\vidcaxcg.dll
2008-05-17 09:17 . 2008-05-17 09:17 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-17 09:17 . 2008-05-17 12:55 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-16 17:05 . 2008-05-16 17:05 135,680 --a------ C:\WINDOWS\system32\hdauvuyy.dll
2008-05-16 16:56 . 2008-05-16 16:56 116,736 --a------ C:\WINDOWS\system32\wbwhikhg.dll
2008-05-16 16:53 . 2008-05-16 16:53 125,952 --a------ C:\WINDOWS\system32\ncbestfw.dll
2008-05-16 16:32 . 2008-05-16 16:32 370,688 --a------ C:\WINDOWS\system32\xxyvurol.dll_old
2008-05-16 14:09 . 2008-05-16 14:09 116,736 --a------ C:\WINDOWS\system32\cgqyuqen.dll
2008-05-16 14:09 . 2008-05-16 14:09 164 --a------ C:\install.dat
2008-05-16 14:06 . 2008-05-16 14:06 135,680 --a------ C:\WINDOWS\system32\rpvvnudr.dll
2008-05-16 14:03 . 2008-05-16 14:03 125,952 --a------ C:\WINDOWS\system32\drrybqup.dll
2008-05-15 22:42 . 2008-05-15 22:42 116,736 --a------ C:\WINDOWS\system32\cglgbgkq.dll
2008-05-15 22:33 . 2008-05-15 22:33 133,120 --a------ C:\WINDOWS\system32\leppuric.dll
2008-05-15 22:30 . 2008-05-15 22:30 125,952 --a------ C:\WINDOWS\system32\wqyomtnc.dll
2008-05-15 19:55 . 2008-05-15 19:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-15 19:55 . 2008-05-15 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-15 02:16 . 2008-05-15 02:16 <DIR> d-------- C:\WINDOWS\system32\Quarantine
2008-05-14 21:09 . 2006-08-24 12:40 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2008-05-14 21:09 . 2006-07-10 17:38 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2008-05-14 21:08 . 2008-05-15 02:16 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-14 19:39 . 2008-05-14 21:00 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-14 09:05 . 2008-05-17 12:38 109,807 --a------ C:\WINDOWS\BM434f52a0.xml
2008-05-13 21:00 . 2008-05-13 21:00 57,856 --a------ C:\WINDOWS\system32\xxyxUoOh.dll
2008-05-13 20:56 . 2008-05-13 20:56 57,856 --a------ C:\WINDOWS\system32\yayXrsqq.dll
2008-05-07 20:45 . 2008-05-07 20:46 8 --a------ C:\WINDOWS\sess_54d502b19f6d90898b7b6a83ac0b83cc
2008-05-07 20:45 . 2008-05-07 20:45 8 --a------ C:\WINDOWS\sess_4aafb38039561bd8bbbb76faec7a2ed9
2008-05-07 20:42 . 2008-05-07 20:42 8 --a------ C:\WINDOWS\sess_83f7cad487d69ca260363d4fef25ecc3
2008-05-07 20:40 . 2008-05-07 20:40 <DIR> d-------- C:\Program Files\PsychicSalesLetter
2008-05-05 13:15 . 2006-02-06 08:54 24,064 -ra------ C:\WINDOWS\system32\PostProc.dll
2008-05-05 13:14 . 2001-09-11 15:20 1,285,632 --a------ C:\WINDOWS\system32\SMMedia.dll
2008-05-05 13:14 . 2005-05-04 09:20 53,248 --a------ C:\WINDOWS\system32\wdmioctl.dll
2008-05-05 13:14 . 2005-09-26 16:20 49,152 --a------ C:\WINDOWS\system32\DSndUp.exe
2008-05-05 13:14 . 2002-04-17 15:05 45,056 --a------ C:\WINDOWS\system32\CleanUp.exe
2008-05-05 13:13 . 2008-05-05 13:13 19,744 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-05-04 21:30 . 2008-05-04 21:30 <DIR> d-------- C:\Program Files\MagicDisc
2008-05-04 21:30 . 2008-02-18 17:29 96,256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-05-02 13:13 . 2008-05-02 13:13 <DIR> d-------- C:\Program Files\Common Files\TechSmith Shared
2008-05-01 11:28 . 2008-05-01 11:28 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-05-01 11:26 . 2008-05-01 11:26 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-01 11:26 . 2008-05-01 11:27 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\SWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\PWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\MWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\DWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\CWRKArea.wrk
2008-04-29 18:26 . 2008-05-01 18:37 <DIR> d-------- C:\Program Files\QuickTax Tracker
2008-04-26 11:17 . 2008-04-26 11:22 <DIR> d-------- C:\Program Files\TradeStation 8.3 (Build 1631)
2008-04-17 12:52 . 2008-04-17 12:52 <DIR> d-------- C:\Program Files\Free Desktop Clock

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 19:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-17 19:39 --------- d-----w C:\Documents and Settings\User\Application Data\uTorrent
2008-05-17 19:39 --------- d-----w C:\Documents and Settings\User\Application Data\Skype
2008-05-17 16:24 --------- d-----w C:\Program Files\Webroot
2008-05-17 16:24 --------- d-----w C:\Documents and Settings\User\Application Data\Webroot
2008-05-16 21:10 1,518 ----a-w C:\WINDOWS\win.tmp
2008-05-16 21:02 --------- d-----w C:\Program Files\TradeStation Archives
2008-05-16 14:47 --------- d-----w C:\Program Files\Trend Micro
2008-05-15 04:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-06 16:04 --------- d-----w C:\Program Files\eSignal Pro
2008-05-05 20:14 --------- d-----w C:\Program Files\Analog Devices
2008-05-05 05:40 --------- d-----w C:\Program Files\CASHFLOW
2008-05-02 20:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\TechSmith
2008-05-02 20:13 --------- d-----w C:\Program Files\TechSmith
2008-05-02 01:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-04-07 13:09 --------- d-----w C:\Program Files\iTunes
2008-04-07 13:08 --------- d-----w C:\Program Files\iPod
2008-04-07 13:06 --------- d-----w C:\Program Files\QuickTime
2008-04-03 20:28 --------- d-----w C:\Documents and Settings\User\Application Data\dvdcss
2008-03-31 02:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-31 02:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-31 01:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-03-29 00:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-29 00:41 --------- d-----w C:\Program Files\EA Sports
2008-03-19 23:00 --------- d-----w C:\Documents and Settings\User\Application Data\1clickPro
2006-12-13 20:15 2,233 ----a-w C:\Documents and Settings\User\Application Data\SAS7_000.DAT
2006-11-17 01:01 162 ---h--w C:\Program Files\Common Files\client.lcs
2006-11-17 00:59 226 ---h--w C:\Program Files\Common Files\server.lcs
2006-10-19 03:28 461 ----a-w C:\Program Files\INSTALL.LOG
2004-10-01 22:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2006-11-13 21:03 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05A46B99-2DB8-4D39-8B46-7E37174EB02F}]
2008-05-17 10:23 371712 --a------ C:\WINDOWS\system32\urqPjGwT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{099038AC-1FC7-4619-849D-45DEE1D155CE}]
C:\WINDOWS\system32\xxyvurol.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2611CFD4-4DAE-48CB-A234-323AE57749F9}]
C:\WINDOWS\system32\nnnliHWN.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3DA4C41A-AE0E-45FD-9A29-DC76FA5C9C13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DAD26CA-7E56-4196-B903-D57C23A5C154}]
C:\WINDOWS\system32\pmnnMcab.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7620844-936C-4D0E-8AF9-BD661F8D2B78}]
C:\WINDOWS\system32\ddcyXrrp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A88B91F1-745B-425D-BFD5-79622FB871AD}]
2008-05-17 12:13 371712 --a------ C:\WINDOWS\system32\awtTmKbX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ce0f979b-e892-4170-83c8-c6304e89e7c7}]
2008-05-17 10:32 134144 --a------ C:\WINDOWS\system32\rnupvjbb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E243A8E7-6244-49E0-A361-22DBF30FD46C}]
2008-05-13 20:56 57856 --a------ C:\WINDOWS\system32\yayXrsqq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"= "C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll" [2007-09-16 07:21 103760]

[HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2005-04-20 10:44 894464]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 03:45 23120680]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-12-16 20:50 492808]
"PowerBar"="" []
"SkinClock"="C:\Program Files\Free Desktop Clock\DesktopClock.exe" [2006-10-01 16:50 334848]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-13 00:46 3375104]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Index Washer"="C:\Program Files\Webroot\Washer\WashIdx.exe" [2005-04-07 13:45 51200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-11-28 14:02 988701]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2005-12-27 18:01 1544099]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"LVCOMSX"="C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 10:33 243248]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-06-02 01:45 385024]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:30 81920]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:30 249856]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 12:38 163840]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-09-22 00:55 57344]
"AsusServiceProvider"="C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe" [2006-08-03 02:25 591360]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2006-08-22 12:46 1422848]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-11-28 14:02 118784]
"DT GWY"="C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2007-10-09 18:45 81920]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 16:48 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 19:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 15:58 61440]
"CmPCIaudio"="CMICNFG3.CPL" []
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 03:07 843776]
"407c613c"="C:\WINDOWS\system32\bsnfjddd.dll" [2008-05-17 10:26 116224]
"BM434f52a0"="C:\WINDOWS\system32\jycuauie.dll" [2008-05-17 12:14 125952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-13 00:46 3375104]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-05-04 21:30:00 546816]
network.bat [2008-03-28 17:34:28 62]
Shortcut to KnockOut.lnk - C:\Documents and Settings\User\Desktop\KnockOut.exe [2002-12-16 20:22:42 83968]
µTorrent.lnk - C:\Program Files\uTorrent\utorrent.exe [2006-07-02 09:29:46 219952]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-07-09 12:05:16 25214]
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-09-22 00:55:04 57344]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-04 21:43:54 11000]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:27:34 471040]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-10-22 16:31:03 651264]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2006-10-22 16:03:40 57344]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E243A8E7-6244-49E0-A361-22DBF30FD46C}"= C:\WINDOWS\system32\yayXrsqq.dll [2008-05-13 20:56 57856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayXrsqq]
yayXrsqq.dll 2008-05-13 20:56 57856 C:\WINDOWS\system32\yayXrsqq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo1"= CSvidcap.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\mentalray\\satellite\\raysat_3dsmax8.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\mentalray\\satellite\\raysat_3dsmax8server.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\3dsviz.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\IBP 9\\IBP.exe"=
"C:\\Program Files\\1stWORKS\\hotCommCL\\BIN\\HotComm.exe"=
"C:\\Program Files\\eSignal Pro\\winros.exe"=
"C:\\Program Files\\TradeStation 8.3 (Build 1419)\\Program\\ORPlat.exe"=
"C:\\Program Files\\TradeStation 8.3 (Build 1419)\\Program\\TickShel.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:*:Disabled:bittorrent 6881
"6882:TCP"= 6882:TCP:*:Disabled:bittorrent 6882
"6883:TCP"= 6883:TCP:*:Disabled:bittorrent 6883
"6884:TCP"= 6884:TCP:*:Disabled:bittorrent 6884
"6888:TCP"= 6888:TCP:*:Disabled:6888 Utorrent

S2 Flexlm Service 1;Flexlm Service 1;C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe [2006-05-29 18:22]
S2 RaySat_3dsmax8Server;RaySat_3dsmax8 Server;C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe [2006-03-24 15:55]
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2006-07-27 21:28]
S3 axskbus;axskbus;C:\WINDOWS\system32\DRIVERS\axskbus.sys []
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 13:50]
S3 IndieVolume;IndieVolume Service;C:\Program Files\IndieVolume\IndieVolume.sys []
S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []
S3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []
S3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-13 04:54:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-16 21:03:16 C:\WINDOWS\Tasks\TradeStation Backup - Monthly.job"
- C:\Program Files\TradeStation 8.3 (Build 1631)\Program\TSBackupRestore.exeT/Backup C:\Program Files\TradeStation 8.3 (Build 1631)\Templates\Backup\Monthly.tsb7C:\Program Files\TradeStation 8.3 (Build 1631)\Program
"2007-04-28 01:22:17 C:\WINDOWS\Tasks\Update iTunes music library.job"
- C:\Documents and Settings\User\My Documents\_Storage\Stored Programs\Utilities\itunes library updater\iTLU.bat
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 12:55:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\yayXrsqq.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-05-17 13:02:02 - machine was rebooted [User]
ComboFix-quarantined-files.txt 2008-05-17 20:01:31

Pre-Run: 42,053,185,536 bytes free
Post-Run: 42,034,343,936 bytes free

294 --- E O F --- 2008-05-17 19:44:31


********************
HIJACK THIS LOG
********************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:03:32 PM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {05A46B99-2DB8-4D39-8B46-7E37174EB02F} - C:\WINDOWS\system32\urqPjGwT.dll
O2 - BHO: (no name) - {099038AC-1FC7-4619-849D-45DEE1D155CE} - C:\WINDOWS\system32\xxyvurol.dll (file missing)
O2 - BHO: (no name) - {2611CFD4-4DAE-48CB-A234-323AE57749F9} - C:\WINDOWS\system32\nnnliHWN.dll (file missing)
O2 - BHO: (no name) - {3DA4C41A-AE0E-45FD-9A29-DC76FA5C9C13} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {6DAD26CA-7E56-4196-B903-D57C23A5C154} - C:\WINDOWS\system32\pmnnMcab.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {A7620844-936C-4D0E-8AF9-BD661F8D2B78} - C:\WINDOWS\system32\ddcyXrrp.dll (file missing)
O2 - BHO: (no name) - {A88B91F1-745B-425D-BFD5-79622FB871AD} - C:\WINDOWS\system32\awtTmKbX.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: {7c7e98e4-036c-8c38-0714-298eb979f0ec} - {ce0f979b-e892-4170-83c8-c6304e89e7c7} - C:\WINDOWS\system32\rnupvjbb.dll
O2 - BHO: (no name) - {E243A8E7-6244-49E0-A361-22DBF30FD46C} - C:\WINDOWS\system32\yayXrsqq.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] "C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [JMB36X Configure] "C:\WINDOWS\system32\JMRaidTool.exe" boot
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [AsusServiceProvider] "C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe"
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [DT GWY] C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe -GWY
O4 - HKLM\..\Run: [BrMfcWnd] "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe"
O4 - HKLM\..\Run: [ControlCenter3] "C:\Program Files\Brother\ControlCenter3\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [407c613c] rundll32.exe "C:\WINDOWS\system32\bsnfjddd.dll",b
O4 - HKLM\..\Run: [BM434f52a0] Rundll32.exe "C:\WINDOWS\system32\jycuauie.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Free Desktop Clock\DesktopClock.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "User"
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: network.bat
O4 - Startup: Shortcut to KnockOut.lnk = C:\Documents and Settings\User\Desktop\KnockOut.exe
O4 - Startup: µTorrent.lnk = C:\Program Files\uTorrent\utorrent.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173376378546
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: yayXrsqq - C:\WINDOWS\SYSTEM32\yayXrsqq.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Flexlm Service 1 - Macrovision Corporation - C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\Data Deposit Box\nts.exe (file missing)
O23 - Service: RaySat_3dsmax8 Server (RaySat_3dsmax8Server) - Unknown owner - C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/User/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.gif

--
End of file - 13402 bytes

Shaba
2008-05-17, 23:26
Hi

That's great :)

If instructions fail in normal, please try them in safe mode.

Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\jycuauie.dll
C:\WINDOWS\system32\awtTmKbX.dll
C:\WINDOWS\system32\dddjfnsb.ini
C:\WINDOWS\system32\rnupvjbb.dll
C:\WINDOWS\system32\bsnfjddd.dll
C:\WINDOWS\system32\urqPjGwT.dll
C:\WINDOWS\system32\vidcaxcg.dll
C:\WINDOWS\system32\hdauvuyy.dll
C:\WINDOWS\system32\wbwhikhg.dll
C:\WINDOWS\system32\ncbestfw.dll
C:\WINDOWS\system32\xxyvurol.dll_old
C:\WINDOWS\system32\cgqyuqen.dll
C:\WINDOWS\system32\rpvvnudr.dll
C:\WINDOWS\system32\drrybqup.dll
C:\WINDOWS\system32\cglgbgkq.dll
C:\WINDOWS\system32\leppuric.dll
C:\WINDOWS\system32\wqyomtnc.dll
C:\WINDOWS\BM434f52a0.xml
C:\WINDOWS\system32\xxyxUoOh.dll
C:\WINDOWS\system32\yayXrsqq.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05A46B99-2DB8-4D39-8B46-7E37174EB02F}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{099038AC-1FC7-4619-849D-45DEE1D155CE}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2611CFD4-4DAE-48CB-A234-323AE57749F9}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3DA4C41A-AE0E-45FD-9A29-DC76FA5C9C13}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DAD26CA-7E56-4196-B903-D57C23A5C154}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7620844-936C-4D0E-8AF9-BD661F8D2B78}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A88B91F1-745B-425D-BFD5-79622FB871AD}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ce0f979b-e892-4170-83c8-c6304e89e7c7}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E243A8E7-6244-49E0-A361-22DBF30FD46C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"407c613c"=-
"BM434f52a0"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E243A8E7-6244-49E0-A361-22DBF30FD46C}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayXrsqq]



Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; Combofix should then continue.
If that happens, we want to know, and also which process you had to end.
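
The CFScript above follows a fixed grammar: a `File::` section listing paths to delete, and a `Registry::` section where `[-key]` deletes a whole key and `"value"=-` deletes one value under a listed key. The script below is an added example, not code from this thread, from ComboFix or from HijackThis: it triages HijackThis O2/O4/O20 lines for the loading points Vundo used on this machine (unnamed or GUID-named BHOs, `rundll32` Run values with hex-looking names, and Winlogon Notify packages, all backed by an 8-letter, letters-only DLL in system32) and prints a CFScript skeleton in that format. The sample log is constructed from the shape of the entries above plus a few legitimate ones that must not be flagged. The 8-letter naming rule is an assumption drawn from this log, not a signature (setupapi.dll or wintrust.dll would match it), which is why it is only applied to entries already sitting in a suspicious loading point. It keys on naming scheme and loading point rather than on file names, so it still applies when the component reappears under a new name, as the 371,712-byte BHO does later in this thread (awtTmKbX.dll, then efcDVljI.dll). ShellExecuteHooks only appear in ComboFix's own section and are left for manual review, and the output is a draft for the helper to check, never something to drag onto ComboFix unread.

```python
"""
Added example for this thread (not code from the original posts, ComboFix
or HijackThis): triage HijackThis O2/O4/O20 lines for Vundo-style loading
points and print a CFScript in the form posted above.
"""
import re

# Constructed sample: the shape of lines from the HijackThis log above, plus
# legitimate entries (SnagIt, Spybot, Nero, C-Media) that must be skipped.
SAMPLE_HJT = r"""
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {05A46B99-2DB8-4D39-8B46-7E37174EB02F} - C:\WINDOWS\system32\urqPjGwT.dll
O2 - BHO: (no name) - {099038AC-1FC7-4619-849D-45DEE1D155CE} - C:\WINDOWS\system32\xxyvurol.dll (file missing)
O2 - BHO: (no name) - {3DA4C41A-AE0E-45FD-9A29-DC76FA5C9C13} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {7c7e98e4-036c-8c38-0714-298eb979f0ec} - {ce0f979b-e892-4170-83c8-c6304e89e7c7} - C:\WINDOWS\system32\rnupvjbb.dll
O2 - BHO: (no name) - {E243A8E7-6244-49E0-A361-22DBF30FD46C} - C:\WINDOWS\system32\yayXrsqq.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [407c613c] rundll32.exe "C:\WINDOWS\system32\bsnfjddd.dll",b
O4 - HKLM\..\Run: [BM434f52a0] Rundll32.exe "C:\WINDOWS\system32\jycuauie.dll",s
O20 - Winlogon Notify: yayXrsqq - C:\WINDOWS\SYSTEM32\yayXrsqq.dll
"""

CLSID = r"\{[0-9A-Fa-f-]{36}\}"
# Heuristic (assumption from this log): 8 letters, no digits, in system32.
SYS32_DLL = re.compile(r"C:\\WINDOWS\\system32\\[A-Za-z]{8}\.dll", re.IGNORECASE)
BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<rest>.*)$")
RUN = re.compile(r"^O4 - HKLM\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"(?P<dll>[^"]+)",\w+$', re.IGNORECASE)
NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")


def unnamed(name):
    """Vundo BHOs show as "(no name)" or carry a random GUID as display name."""
    return name == "(no name)" or re.fullmatch(CLSID, name) is not None


def _dedupe(items):
    """Keep first occurrence, comparing paths case-insensitively."""
    seen, out = set(), []
    for item in items:
        if item.lower() not in seen:
            seen.add(item.lower())
            out.append(item)
    return out


def triage(log_text):
    """Collect Vundo-style loading points: files, BHO CLSIDs, Run values, Notify keys.

    The DLL-name heuristic is only applied to entries that are already in a
    suspicious loading point, so ordinary 8-letter system DLLs are not flagged.
    """
    found = {"files": [], "bho": [], "run": [], "notify": []}
    for line in log_text.strip().splitlines():
        if m := BHO.match(line):
            dll = SYS32_DLL.search(m["rest"])
            if unnamed(m["name"]) and (dll or "(no file)" in m["rest"]):
                found["bho"].append(m["clsid"])
                # A BHO whose file is already gone still needs its key removed.
                if dll and "(file missing)" not in m["rest"]:
                    found["files"].append(dll.group(0))
        elif m := RUN.match(line):
            r = RUNDLL.match(m["cmd"])
            if r and SYS32_DLL.fullmatch(r["dll"]):
                found["run"].append(m["value"])
                found["files"].append(r["dll"])
        elif m := NOTIFY.match(line):
            if SYS32_DLL.fullmatch(m["path"]):
                found["notify"].append(m["key"])
                found["files"].append(m["path"])
    return {k: _dedupe(v) for k, v in found.items()}


def render_cfscript(found):
    """Emit CFScript text: File:: paths, then Registry:: with [-key] and "value"=-."""
    out = ["File::", *found["files"], "", "Registry::"]
    for clsid in found["bho"]:
        out += [f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{clsid}]", ""]
    if found["run"]:
        out.append(r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]")
        out += [f'"{v}"=-' for v in found["run"]]
        out.append("")
    for key in found["notify"]:
        out.append(f"[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\{key}]")
    return "\n".join(out).rstrip() + "\n"


if __name__ == "__main__":
    print(render_cfscript(triage(SAMPLE_HJT)))
```

Run it as-is and it prints a script equivalent to the one above for the entries it can see; feed it a real log and hand the result to the helper for review before it goes anywhere near ComboFix.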

Zander
2008-05-17, 23:52
Thanks... I had to run it in Safe Mode, but it worked :laugh:

I've posted results of the ComboFix.txt and HijackThis below:

***************************

ComboFix 08-05-15.3 - User 2008-05-17 13:35:58.5 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1733 [GMT -7:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BM434f52a0.xml
C:\WINDOWS\system32\awtTmKbX.dll
C:\WINDOWS\system32\bsnfjddd.dll
C:\WINDOWS\system32\cglgbgkq.dll
C:\WINDOWS\system32\cgqyuqen.dll
C:\WINDOWS\system32\dddjfnsb.ini
C:\WINDOWS\system32\drrybqup.dll
C:\WINDOWS\system32\hdauvuyy.dll
C:\WINDOWS\system32\jycuauie.dll
C:\WINDOWS\system32\leppuric.dll
C:\WINDOWS\system32\ncbestfw.dll
C:\WINDOWS\system32\rnupvjbb.dll
C:\WINDOWS\system32\rpvvnudr.dll
C:\WINDOWS\system32\urqPjGwT.dll
C:\WINDOWS\system32\vidcaxcg.dll
C:\WINDOWS\system32\wbwhikhg.dll
C:\WINDOWS\system32\wqyomtnc.dll
C:\WINDOWS\system32\xxyvurol.dll_old
C:\WINDOWS\system32\xxyxUoOh.dll
C:\WINDOWS\system32\yayXrsqq.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Guest\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\BM434f52a0.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\awtTmKbX.dll
C:\WINDOWS\system32\bsnfjddd.dll
C:\WINDOWS\system32\cglgbgkq.dll
C:\WINDOWS\system32\cgqyuqen.dll
C:\WINDOWS\system32\dddjfnsb.ini
C:\WINDOWS\system32\drrybqup.dll
C:\WINDOWS\system32\hdauvuyy.dll
C:\WINDOWS\system32\IjlVDcfe.ini
C:\WINDOWS\system32\IjlVDcfe.ini2
C:\WINDOWS\system32\jycuauie.dll
C:\WINDOWS\system32\leppuric.dll
C:\WINDOWS\system32\ncbestfw.dll
C:\WINDOWS\system32\rnupvjbb.dll
C:\WINDOWS\system32\rpvvnudr.dll
C:\WINDOWS\system32\urqPjGwT.dll
C:\WINDOWS\system32\vidcaxcg.dll
C:\WINDOWS\system32\wbwhikhg.dll
C:\WINDOWS\system32\wqyomtnc.dll
C:\WINDOWS\system32\xxyvurol.dll_old
C:\WINDOWS\system32\xxyxUoOh.dll
C:\WINDOWS\system32\yayXrsqq.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.

2008-05-17 13:19 . 2008-05-17 13:19 371,712 --a------ C:\WINDOWS\system32\efcDVljI.dll
2008-05-17 09:17 . 2008-05-17 09:17 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-17 09:17 . 2008-05-17 13:44 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-16 14:09 . 2008-05-16 14:09 164 --a------ C:\install.dat
2008-05-15 19:55 . 2008-05-15 19:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-15 19:55 . 2008-05-15 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-15 02:16 . 2008-05-15 02:16 <DIR> d-------- C:\WINDOWS\system32\Quarantine
2008-05-14 21:09 . 2006-08-24 12:40 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2008-05-14 21:09 . 2006-07-10 17:38 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2008-05-14 21:08 . 2008-05-15 02:16 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-14 19:39 . 2008-05-14 21:00 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-07 20:45 . 2008-05-07 20:46 8 --a------ C:\WINDOWS\sess_54d502b19f6d90898b7b6a83ac0b83cc
2008-05-07 20:45 . 2008-05-07 20:45 8 --a------ C:\WINDOWS\sess_4aafb38039561bd8bbbb76faec7a2ed9
2008-05-07 20:42 . 2008-05-07 20:42 8 --a------ C:\WINDOWS\sess_83f7cad487d69ca260363d4fef25ecc3
2008-05-07 20:40 . 2008-05-07 20:40 <DIR> d-------- C:\Program Files\PsychicSalesLetter
2008-05-05 13:15 . 2006-02-06 08:54 24,064 -ra------ C:\WINDOWS\system32\PostProc.dll
2008-05-05 13:14 . 2001-09-11 15:20 1,285,632 --a------ C:\WINDOWS\system32\SMMedia.dll
2008-05-05 13:14 . 2005-05-04 09:20 53,248 --a------ C:\WINDOWS\system32\wdmioctl.dll
2008-05-05 13:14 . 2005-09-26 16:20 49,152 --a------ C:\WINDOWS\system32\DSndUp.exe
2008-05-05 13:14 . 2002-04-17 15:05 45,056 --a------ C:\WINDOWS\system32\CleanUp.exe
2008-05-05 13:13 . 2008-05-05 13:13 19,744 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-05-04 21:30 . 2008-05-04 21:30 <DIR> d-------- C:\Program Files\MagicDisc
2008-05-04 21:30 . 2008-02-18 17:29 96,256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-05-02 13:13 . 2008-05-02 13:13 <DIR> d-------- C:\Program Files\Common Files\TechSmith Shared
2008-05-01 11:28 . 2008-05-01 11:28 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-05-01 11:26 . 2008-05-01 11:26 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-01 11:26 . 2008-05-01 11:27 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\SWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\PWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\MWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\DWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\CWRKArea.wrk
2008-04-29 18:26 . 2008-05-01 18:37 <DIR> d-------- C:\Program Files\QuickTax Tracker
2008-04-26 11:17 . 2008-04-26 11:22 <DIR> d-------- C:\Program Files\TradeStation 8.3 (Build 1631)
2008-04-17 12:52 . 2008-04-17 12:52 <DIR> d-------- C:\Program Files\Free Desktop Clock

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 20:31 --------- d-----w C:\Documents and Settings\User\Application Data\uTorrent
2008-05-17 20:17 --------- d-----w C:\Documents and Settings\User\Application Data\Skype
2008-05-17 19:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-17 16:24 --------- d-----w C:\Program Files\Webroot
2008-05-17 16:24 --------- d-----w C:\Documents and Settings\User\Application Data\Webroot
2008-05-16 21:10 1,518 ----a-w C:\WINDOWS\win.tmp
2008-05-16 21:02 --------- d-----w C:\Program Files\TradeStation Archives
2008-05-16 14:47 --------- d-----w C:\Program Files\Trend Micro
2008-05-15 04:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-06 16:04 --------- d-----w C:\Program Files\eSignal Pro
2008-05-05 20:14 --------- d-----w C:\Program Files\Analog Devices
2008-05-05 05:40 --------- d-----w C:\Program Files\CASHFLOW
2008-05-02 20:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\TechSmith
2008-05-02 20:13 --------- d-----w C:\Program Files\TechSmith
2008-05-02 01:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-04-07 13:09 --------- d-----w C:\Program Files\iTunes
2008-04-07 13:08 --------- d-----w C:\Program Files\iPod
2008-04-07 13:06 --------- d-----w C:\Program Files\QuickTime
2008-04-03 20:28 --------- d-----w C:\Documents and Settings\User\Application Data\dvdcss
2008-03-31 02:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-31 02:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-31 01:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-03-29 00:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-29 00:41 --------- d-----w C:\Program Files\EA Sports
2008-03-19 23:00 --------- d-----w C:\Documents and Settings\User\Application Data\1clickPro
2006-12-13 20:15 2,233 ----a-w C:\Documents and Settings\User\Application Data\SAS7_000.DAT
2006-11-17 01:01 162 ---h--w C:\Program Files\Common Files\client.lcs
2006-11-17 00:59 226 ---h--w C:\Program Files\Common Files\server.lcs
2006-10-19 03:28 461 ----a-w C:\Program Files\INSTALL.LOG
2004-10-01 22:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2006-11-13 21:03 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-17_13.00.41.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-17 19:54:51 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-17 20:44:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21815876-69E6-402A-9C03-032CD06F1AFC}]
2008-05-17 13:19 371712 --a------ C:\WINDOWS\system32\efcDVljI.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"= "C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll" [2007-09-16 07:21 103760]

[HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2005-04-20 10:44 894464]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 03:45 23120680]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-12-16 20:50 492808]
"PowerBar"="" []
"SkinClock"="C:\Program Files\Free Desktop Clock\DesktopClock.exe" [2006-10-01 16:50 334848]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-13 00:46 3375104]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Index Washer"="C:\Program Files\Webroot\Washer\WashIdx.exe" [2005-04-07 13:45 51200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-11-28 14:02 988701]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2005-12-27 18:01 1544099]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"LVCOMSX"="C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 10:33 243248]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-06-02 01:45 385024]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:30 81920]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:30 249856]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 12:38 163840]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-09-22 00:55 57344]
"AsusServiceProvider"="C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe" [2006-08-03 02:25 591360]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2006-08-22 12:46 1422848]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-11-28 14:02 118784]
"DT GWY"="C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2007-10-09 18:45 81920]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 16:48 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 19:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 15:58 61440]
"CmPCIaudio"="CMICNFG3.CPL" []
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 03:07 843776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-13 00:46 3375104]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-05-04 21:30:00 546816]
network.bat [2008-03-28 17:34:28 62]
Shortcut to KnockOut.lnk - C:\Documents and Settings\User\Desktop\KnockOut.exe [2002-12-16 20:22:42 83968]
µTorrent.lnk - C:\Program Files\uTorrent\utorrent.exe [2006-07-02 09:29:46 219952]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-07-09 12:05:16 25214]
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-09-22 00:55:04 57344]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-04 21:43:54 11000]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:27:34 471040]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-10-22 16:31:03 651264]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2006-10-22 16:03:40 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo1"= CSvidcap.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\mentalray\\satellite\\raysat_3dsmax8.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\mentalray\\satellite\\raysat_3dsmax8server.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\3dsviz.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\IBP 9\\IBP.exe"=
"C:\\Program Files\\1stWORKS\\hotCommCL\\BIN\\HotComm.exe"=
"C:\\Program Files\\eSignal Pro\\winros.exe"=
"C:\\Program Files\\TradeStation 8.3 (Build 1419)\\Program\\ORPlat.exe"=
"C:\\Program Files\\TradeStation 8.3 (Build 1419)\\Program\\TickShel.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:*:Disabled:bittorrent 6881
"6882:TCP"= 6882:TCP:*:Disabled:bittorrent 6882
"6883:TCP"= 6883:TCP:*:Disabled:bittorrent 6883
"6884:TCP"= 6884:TCP:*:Disabled:bittorrent 6884
"6888:TCP"= 6888:TCP:*:Disabled:6888 Utorrent

S2 Flexlm Service 1;Flexlm Service 1;C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe [2006-05-29 18:22]
S2 RaySat_3dsmax8Server;RaySat_3dsmax8 Server;C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe [2006-03-24 15:55]
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2006-07-27 21:28]
S3 axskbus;axskbus;C:\WINDOWS\system32\DRIVERS\axskbus.sys []
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 13:50]
S3 IndieVolume;IndieVolume Service;C:\Program Files\IndieVolume\IndieVolume.sys []
S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []
S3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []
S3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-13 04:54:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-16 21:03:16 C:\WINDOWS\Tasks\TradeStation Backup - Monthly.job"
- C:\Program Files\TradeStation 8.3 (Build 1631)\Program\TSBackupRestore.exeT/Backup C:\Program Files\TradeStation 8.3 (Build 1631)\Templates\Backup\Monthly.tsb7C:\Program Files\TradeStation 8.3 (Build 1631)\Program
"2007-04-28 01:22:17 C:\WINDOWS\Tasks\Update iTunes music library.job"
- C:\Documents and Settings\User\My Documents\_Storage\Stored Programs\Utilities\itunes library updater\iTLU.bat
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 13:44:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-17 13:50:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-17 20:50:00
ComboFix2.txt 2008-05-17 20:02:02

Pre-Run: 42,086,260,736 bytes free
Post-Run: 42,066,751,488 bytes free

263 --- E O F --- 2008-05-17 19:44:31


**************************************
HIJACK THIS
**************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:05 PM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {21815876-69E6-402A-9C03-032CD06F1AFC} - C:\WINDOWS\system32\efcDVljI.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] "C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [JMB36X Configure] "C:\WINDOWS\system32\JMRaidTool.exe" boot
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [AsusServiceProvider] "C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe"
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [DT GWY] C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe -GWY
O4 - HKLM\..\Run: [BrMfcWnd] "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe"
O4 - HKLM\..\Run: [ControlCenter3] "C:\Program Files\Brother\ControlCenter3\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Free Desktop Clock\DesktopClock.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "User"
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: network.bat
O4 - Startup: Shortcut to KnockOut.lnk = C:\Documents and Settings\User\Desktop\KnockOut.exe
O4 - Startup: µTorrent.lnk = C:\Program Files\uTorrent\utorrent.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173376378546
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Flexlm Service 1 - Macrovision Corporation - C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\Data Deposit Box\nts.exe (file missing)
O23 - Service: RaySat_3dsmax8 Server (RaySat_3dsmax8Server) - Unknown owner - C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/User/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.gif

--
End of file - 12297 bytes

Shaba
2008-05-18, 11:26
Hi

Something is still left:

Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\efcDVljI.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21815876-69E6-402A-9C03-032CD06F1AFC}]


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
If that happens we want to know, and also which process you had to end.
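
The log review above comes down to spotting one BHO line (no registered name, a random-looking 8-letter DLL sitting directly in system32) and turning it into the File:: and Registry:: stanzas of a CFScript. The following is an added example, not part of Shaba's post, this thread, or the HijackThis/ComboFix tools: a small Python script that parses the O2 (BHO) lines of a HijackThis log, scores each entry with a few assumed heuristics, and drafts the CFScript text in the layout shown in the post. The sample lines are copied from the HijackThis log posted above; the scoring rules and the threshold are the example's own assumptions, and a hit still needs a human to confirm it before anything is deleted.

```python
"""Flag suspicious O2 (Browser Helper Object) entries in a HijackThis log and
draft the matching ComboFix CFScript stanzas.

Added example for this thread, not code from HijackThis, ComboFix or the
poster. Heuristics and threshold below are assumptions, not vendor logic.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: four O2 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {21815876-69E6-402A-9C03-032CD06F1AFC} - C:\WINDOWS\system32\efcDVljI.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
"""

# HijackThis O2 layout: "O2 - BHO: <name> - {<CLSID>} - <dll path>"
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+?)\s*$"
)


@dataclass
class Bho:
    name: str
    clsid: str
    path: str
    reasons: List[str] = field(default_factory=list)


def parse_bhos(log_text: str) -> List[Bho]:
    """Return every O2 entry in a HijackThis log as a Bho record."""
    found = []
    for line in log_text.splitlines():
        m = O2_LINE.match(line.strip())
        if m:
            found.append(Bho(m["name"], m["clsid"], m["path"]))
    return found


def score_bho(bho: Bho) -> int:
    """Assumed heuristics, one point each; fills bho.reasons and returns the count."""
    reasons = []
    if bho.name.strip().lower() == "(no name)":
        reasons.append("BHO registered without a name")
    folder, _, filename = bho.path.rpartition("\\")
    if folder.lower().endswith("\\system32"):
        reasons.append("DLL sits directly in system32 rather than under Program Files")
    stem = filename.rsplit(".", 1)[0]
    # Eight random-looking mixed-case letters, the naming style of the DLL in this log.
    if len(stem) == 8 and stem.isalpha() and not (stem.islower() or stem.isupper()):
        reasons.append("8-letter mixed-case filename")
    bho.reasons = reasons
    return len(reasons)


def suspicious_bhos(log_text: str, threshold: int = 2) -> List[Bho]:
    """Entries scoring at or above the (assumed) threshold; one hit alone is not enough."""
    return [b for b in parse_bhos(log_text) if score_bho(b) >= threshold]


def build_cfscript(bhos: List[Bho]) -> str:
    """Draft File:: and Registry:: stanzas in the layout used in the post above.
    The '~' shorthand in the key path mirrors the post; verify before use."""
    if not bhos:
        return ""
    files = "\n".join(b.path for b in bhos)
    keys = "\n".join(
        f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{b.clsid}]" for b in bhos
    )
    return f"File::\n{files}\n\nRegistry::\n{keys}\n"


if __name__ == "__main__":
    hits = suspicious_bhos(SAMPLE_LOG)
    for b in hits:
        print(f"{b.path}  <- {', '.join(b.reasons)}")
    print(build_cfscript(hits))
```

Run against the sample, only the efcDVljI.dll entry clears the threshold (all three rules fire); SDHelper.dll trips the 8-letter rule alone and is correctly left out, which is why the score is a sum rather than a single pattern match.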

Zander
2008-05-18, 18:24
I've posted the results below - hopefully this will do it? I had to run it in Safe Mode again. Does this matter, and will I eventually have to get ComboFix to run in Normal mode?

Thanks Shaba

*******************
COMBOFIX LOG
*******************
ComboFix 08-05-15.3 - User 2008-05-18 8:06:25.6 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1730 [GMT -7:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\efcDVljI.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\efcDVljI.dll
C:\WINDOWS\system32\hdfyobjk.ini
C:\WINDOWS\system32\IjlVDcfe.ini
C:\WINDOWS\system32\IjlVDcfe.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-17 18:06 . 2008-05-17 18:06 134,144 --a------ C:\WINDOWS\system32\hwnpyval.dll
2008-05-17 18:06 . 2008-05-17 18:06 116,224 --a------ C:\WINDOWS\system32\kjboyfdh.dll
2008-05-17 18:06 . 2008-05-17 18:06 6,694 --a------ C:\WINDOWS\system32\mrgwwqfh.dll
2008-05-17 18:06 . 2008-05-17 18:06 6,692 --a------ C:\WINDOWS\system32\qtyyhqkt.exe
2008-05-17 09:17 . 2008-05-17 09:17 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-17 09:17 . 2008-05-18 08:12 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-16 14:09 . 2008-05-16 14:09 164 --a------ C:\install.dat
2008-05-15 19:55 . 2008-05-15 19:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-15 19:55 . 2008-05-15 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-15 02:16 . 2008-05-15 02:16 <DIR> d-------- C:\WINDOWS\system32\Quarantine
2008-05-14 21:09 . 2006-08-24 12:40 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2008-05-14 21:09 . 2006-07-10 17:38 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2008-05-14 21:08 . 2008-05-15 02:16 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-14 19:39 . 2008-05-14 21:00 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-07 20:45 . 2008-05-07 20:46 8 --a------ C:\WINDOWS\sess_54d502b19f6d90898b7b6a83ac0b83cc
2008-05-07 20:45 . 2008-05-07 20:45 8 --a------ C:\WINDOWS\sess_4aafb38039561bd8bbbb76faec7a2ed9
2008-05-07 20:42 . 2008-05-07 20:42 8 --a------ C:\WINDOWS\sess_83f7cad487d69ca260363d4fef25ecc3
2008-05-07 20:40 . 2008-05-07 20:40 <DIR> d-------- C:\Program Files\PsychicSalesLetter
2008-05-05 13:15 . 2006-02-06 08:54 24,064 -ra------ C:\WINDOWS\system32\PostProc.dll
2008-05-05 13:14 . 2001-09-11 15:20 1,285,632 --a------ C:\WINDOWS\system32\SMMedia.dll
2008-05-05 13:14 . 2005-05-04 09:20 53,248 --a------ C:\WINDOWS\system32\wdmioctl.dll
2008-05-05 13:14 . 2005-09-26 16:20 49,152 --a------ C:\WINDOWS\system32\DSndUp.exe
2008-05-05 13:14 . 2002-04-17 15:05 45,056 --a------ C:\WINDOWS\system32\CleanUp.exe
2008-05-05 13:13 . 2008-05-05 13:13 19,744 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-05-04 21:30 . 2008-05-04 21:30 <DIR> d-------- C:\Program Files\MagicDisc
2008-05-04 21:30 . 2008-02-18 17:29 96,256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-05-02 13:13 . 2008-05-02 13:13 <DIR> d-------- C:\Program Files\Common Files\TechSmith Shared
2008-05-01 11:28 . 2008-05-01 11:28 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-05-01 11:26 . 2008-05-01 11:26 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-01 11:26 . 2008-05-01 11:27 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\SWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\PWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\MWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\DWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\CWRKArea.wrk
2008-04-29 18:26 . 2008-05-01 18:37 <DIR> d-------- C:\Program Files\QuickTax Tracker
2008-04-26 11:17 . 2008-04-26 11:22 <DIR> d-------- C:\Program Files\TradeStation 8.3 (Build 1631)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 14:57 --------- d-----w C:\Documents and Settings\User\Application Data\uTorrent
2008-05-18 14:56 --------- d-----w C:\Documents and Settings\User\Application Data\Skype
2008-05-17 19:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-17 16:24 --------- d-----w C:\Program Files\Webroot
2008-05-17 16:24 --------- d-----w C:\Documents and Settings\User\Application Data\Webroot
2008-05-16 21:10 1,518 ----a-w C:\WINDOWS\win.tmp
2008-05-16 21:02 --------- d-----w C:\Program Files\TradeStation Archives
2008-05-16 14:47 --------- d-----w C:\Program Files\Trend Micro
2008-05-15 04:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-06 16:04 --------- d-----w C:\Program Files\eSignal Pro
2008-05-05 20:14 --------- d-----w C:\Program Files\Analog Devices
2008-05-05 05:40 --------- d-----w C:\Program Files\CASHFLOW
2008-05-02 20:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\TechSmith
2008-05-02 20:13 --------- d-----w C:\Program Files\TechSmith
2008-05-02 01:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-04-17 19:52 --------- d-----w C:\Program Files\Free Desktop Clock
2008-04-07 13:09 --------- d-----w C:\Program Files\iTunes
2008-04-07 13:08 --------- d-----w C:\Program Files\iPod
2008-04-07 13:06 --------- d-----w C:\Program Files\QuickTime
2008-04-03 20:28 --------- d-----w C:\Documents and Settings\User\Application Data\dvdcss
2008-03-31 02:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-31 02:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-31 01:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-03-29 00:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-29 00:41 --------- d-----w C:\Program Files\EA Sports
2008-03-19 23:00 --------- d-----w C:\Documents and Settings\User\Application Data\1clickPro
2006-12-13 20:15 2,233 ----a-w C:\Documents and Settings\User\Application Data\SAS7_000.DAT
2006-11-17 01:01 162 ---h--w C:\Program Files\Common Files\client.lcs
2006-11-17 00:59 226 ---h--w C:\Program Files\Common Files\server.lcs
2006-10-19 03:28 461 ----a-w C:\Program Files\INSTALL.LOG
2004-10-01 22:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2006-11-13 21:03 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-17_13.00.41.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-17 19:54:51 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-18 15:12:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-30 04:45:47 77,824 ----a-w C:\WINDOWS\system32\kdfapi.dll
+ 2008-05-18 01:06:29 77,824 ----a-w C:\WINDOWS\system32\kdfapi.dll
- 2008-04-30 04:45:47 53,248 ----a-w C:\WINDOWS\system32\Kdfhok.dll
+ 2008-05-18 01:06:29 53,248 ----a-w C:\WINDOWS\system32\Kdfhok.dll
- 2008-04-30 04:45:47 726,568 ----a-w C:\WINDOWS\system32\kdfmgr.exe
+ 2008-05-18 01:06:29 726,568 ----a-w C:\WINDOWS\system32\kdfmgr.exe
- 2008-04-30 04:45:47 192,512 ----a-w C:\WINDOWS\system32\kdfvmgr.exe
+ 2008-05-18 01:06:29 192,512 ----a-w C:\WINDOWS\system32\kdfvmgr.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"= "C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll" [2007-09-16 07:21 103760]

[HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2005-04-20 10:44 894464]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 03:45 23120680]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-12-16 20:50 492808]
"PowerBar"="" []
"SkinClock"="C:\Program Files\Free Desktop Clock\DesktopClock.exe" [2006-10-01 16:50 334848]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-13 00:46 3375104]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Index Washer"="C:\Program Files\Webroot\Washer\WashIdx.exe" [2005-04-07 13:45 51200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-11-28 14:02 988701]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2005-12-27 18:01 1544099]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"LVCOMSX"="C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 10:33 243248]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-06-02 01:45 385024]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:30 81920]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:30 249856]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 12:38 163840]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-09-22 00:55 57344]
"AsusServiceProvider"="C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe" [2006-08-03 02:25 591360]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2006-08-22 12:46 1422848]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-11-28 14:02 118784]
"DT GWY"="C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2007-10-09 18:45 81920]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 16:48 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 19:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 15:58 61440]
"CmPCIaudio"="CMICNFG3.CPL" []
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 03:07 843776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-13 00:46 3375104]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-05-04 21:30:00 546816]
network.bat [2008-03-28 17:34:28 62]
Shortcut to KnockOut.lnk - C:\Documents and Settings\User\Desktop\KnockOut.exe [2002-12-16 20:22:42 83968]
µTorrent.lnk - C:\Program Files\uTorrent\utorrent.exe [2006-07-02 09:29:46 219952]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-07-09 12:05:16 25214]
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-09-22 00:55:04 57344]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-04 21:43:54 11000]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:27:34 471040]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-10-22 16:31:03 651264]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2006-10-22 16:03:40 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo1"= CSvidcap.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\mentalray\\satellite\\raysat_3dsmax8.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\mentalray\\satellite\\raysat_3dsmax8server.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\3dsviz.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\IBP 9\\IBP.exe"=
"C:\\Program Files\\1stWORKS\\hotCommCL\\BIN\\HotComm.exe"=
"C:\\Program Files\\eSignal Pro\\winros.exe"=
"C:\\Program Files\\TradeStation 8.3 (Build 1419)\\Program\\ORPlat.exe"=
"C:\\Program Files\\TradeStation 8.3 (Build 1419)\\Program\\TickShel.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:*:Disabled:bittorrent 6881
"6882:TCP"= 6882:TCP:*:Disabled:bittorrent 6882
"6883:TCP"= 6883:TCP:*:Disabled:bittorrent 6883
"6884:TCP"= 6884:TCP:*:Disabled:bittorrent 6884
"6888:TCP"= 6888:TCP:*:Disabled:6888 Utorrent

S2 Flexlm Service 1;Flexlm Service 1;C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe [2006-05-29 18:22]
S2 RaySat_3dsmax8Server;RaySat_3dsmax8 Server;C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe [2006-03-24 15:55]
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2006-07-27 21:28]
S3 axskbus;axskbus;C:\WINDOWS\system32\DRIVERS\axskbus.sys []
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 13:50]
S3 IndieVolume;IndieVolume Service;C:\Program Files\IndieVolume\IndieVolume.sys []
S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []
S3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []
S3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-13 04:54:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-16 21:03:16 C:\WINDOWS\Tasks\TradeStation Backup - Monthly.job"
- C:\Program Files\TradeStation 8.3 (Build 1631)\Program\TSBackupRestore.exeT/Backup C:\Program Files\TradeStation 8.3 (Build 1631)\Templates\Backup\Monthly.tsb7C:\Program Files\TradeStation 8.3 (Build 1631)\Program
"2007-04-28 01:22:17 C:\WINDOWS\Tasks\Update iTunes music library.job"
- C:\Documents and Settings\User\My Documents\_Storage\Stored Programs\Utilities\itunes library updater\iTLU.bat
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 08:13:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-18 8:19:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-18 15:18:59
ComboFix2.txt 2008-05-17 20:50:28
ComboFix3.txt 2008-05-17 20:02:02

Pre-Run: 42,981,507,072 bytes free
Post-Run: 42,964,619,264 bytes free

234 --- E O F --- 2008-05-17 19:44:31


*******************
HIJACKTHIS LOG
*******************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:19:51 AM, on 5/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] "C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [JMB36X Configure] "C:\WINDOWS\system32\JMRaidTool.exe" boot
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [AsusServiceProvider] "C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe"
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [DT GWY] C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe -GWY
O4 - HKLM\..\Run: [BrMfcWnd] "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe"
O4 - HKLM\..\Run: [ControlCenter3] "C:\Program Files\Brother\ControlCenter3\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Free Desktop Clock\DesktopClock.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "User"
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: network.bat
O4 - Startup: Shortcut to KnockOut.lnk = C:\Documents and Settings\User\Desktop\KnockOut.exe
O4 - Startup: µTorrent.lnk = C:\Program Files\uTorrent\utorrent.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173376378546
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Flexlm Service 1 - Macrovision Corporation - C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\Data Deposit Box\nts.exe (file missing)
O23 - Service: RaySat_3dsmax8 Server (RaySat_3dsmax8Server) - Unknown owner - C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/User/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.gif

--
End of file - 12200 bytes

Shaba
2008-05-18, 19:45
Hi

Delete these:

C:\WINDOWS\system32\hwnpyval.dll
C:\WINDOWS\system32\kjboyfdh.dll
C:\WINDOWS\system32\mrgwwqfh.dll
C:\WINDOWS\system32\qtyyhqkt.exe

Empty Recycle Bin.

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:
    + Extended (If available otherwise Standard)
o Scan Options:
    + Scan Archives
    + Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while, so be patient and let it run. Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
Click the Save Report As... button (see red arrow below)
http://img.photobucket.com/albums/v666/sUBs/Kas-SaveReport-1.gif
In the Save as... prompt, select Desktop
In the File name box, name the file KasScan-ddmmyy (or similar)
In the Save as type prompt, select Text file (see below)
http://img.photobucket.com/albums/v666/sUBs/Kas-Savetxt.gif
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only! Keep ALL other programs closed during the scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Post:

- a fresh HijackThis log
- Kaspersky report

Zander
2008-05-18, 20:04
Hi Shaba,

Should I do this in Safe mode with networking on, or in Normal mode? Does it matter?

Shaba
2008-05-18, 20:17
Hi

In normal mode if possible, please :)

Zander
2008-05-19, 04:03
Ok, that took a while :-)

I've attached the reports, completed in Normal mode.

**************
KASPERSKY REPORT
**************
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, May 18, 2008 5:59:19 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/05/2008
Kaspersky Anti-Virus database records: 783219
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
M:\

Scan Statistics:
Total number of scanned objects: 246103
Number of viruses found: 11
Number of infected objects: 36
Number of suspicious objects: 4
Duration of the scan process: 02:46:00

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Trend Micro\TrendSecure\Log\TS-CF-20080514-060130-343.log Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\MSHist012008051820080519\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temp\IMGBD8.tmp Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temp\Perflib_Perfdata_10a8.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temp\Perflib_Perfdata_15fc.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temp\Perflib_Perfdata_a10.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temp\Perflib_Perfdata_ebc.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\My Documents\outlook backup\backup1.pst/Alexander's Mail & Contacts/Inbox/Daily/PalmPilot/03 Mar 2000 15:08 from InSync Online:Beam Me The Money.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\User\My Documents\outlook backup\backup1.pst MailMSMaill: suspicious - 1 skipped
C:\Documents and Settings\User\My Documents\_Storage\Stored Programs\Utilities\DShutdown\DShutdown.exe Infected: not-a-virus:RiskTool.Win32.Shutdown.g skipped
C:\Documents and Settings\User\My Documents\_Storage\Stored Programs\Utilities\vnc\UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
C:\Documents and Settings\User\My Documents\_Storage\Stored Programs\Utilities\vnc\UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
C:\Documents and Settings\User\My Documents\_Storage\Stored Programs\Utilities\vnc\UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped
C:\Documents and Settings\User\My Documents\_Storage\Stored Programs\Utilities\vnc\UltraVNC-102-Setup.exe Inno: infected - 3 skipped
C:\Documents and Settings\User\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\User\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2008-05-18.10-18-28.log Object is locked skipped
C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\aad.log Object is locked skipped
C:\Program Files\UltraVNC\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cgqyuqen.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.rtf skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hdauvuyy.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rnupvjbb.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rpvvnudr.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wbwhikhg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.rtf skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wqyomtnc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.rsp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xxyxUoOh.dll.vir Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\QooBox\Quarantine\catchme2008-05-17_134054.25.zip/yayXrsqq.dll Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\QooBox\Quarantine\catchme2008-05-17_134054.25.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP619\A0147819.exe/data0000.cab/is152564.exe Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP619\A0147819.exe/data0000.cab Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP619\A0147819.exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP619\A0147820.exe/data0000.cab/is152564.exe Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP619\A0147820.exe/data0000.cab Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP619\A0147820.exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP619\A0147821.exe/data0000.cab/is153740.exe Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP619\A0147821.exe/data0000.cab Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP619\A0147821.exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP621\A0154054.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rqy skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP621\A0154078.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rqz skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP621\A0154079.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rsp skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP626\A0162965.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rtf skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP626\A0162968.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP626\A0162972.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP626\A0162973.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP626\A0162976.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rtf skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP626\A0162977.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rsp skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP626\A0162978.dll Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP626\A0164086.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP627\A0164117.exe Infected: not-a-virus:Monitor.Win32.Perflogger.ad skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP627\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{47C887F7-3ED1-4C45-AA43-1E16769B03C0}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd2749.sys Object is locked skipped
C:\WINDOWS\system32\drivers\vaxscsi.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_210.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP627\change.log Object is locked skipped
E:\temp\outlook backup\backup1.pst/Alexander's Mail & Contacts/Inbox/Daily/PalmPilot/03 Mar 2000 15:08 from InSync Online:Beam Me The Money.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
E:\temp\outlook backup\backup1.pst MailMSMaill: suspicious - 1 skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP627\change.log Object is locked skipped
M:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
M:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP627\change.log Object is locked skipped

Scan process completed.


**************
HJT REPORT
**************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:00:59 PM, on 5/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe
C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe
C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\adskflex.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Free Desktop Clock\DesktopClock.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Documents and Settings\User\Desktop\KnockOut.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] "C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [JMB36X Configure] "C:\WINDOWS\system32\JMRaidTool.exe" boot
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [AsusServiceProvider] "C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe"
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [DT GWY] C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe -GWY
O4 - HKLM\..\Run: [BrMfcWnd] "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe"
O4 - HKLM\..\Run: [ControlCenter3] "C:\Program Files\Brother\ControlCenter3\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Free Desktop Clock\DesktopClock.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: network.bat
O4 - Startup: Shortcut to KnockOut.lnk = C:\Documents and Settings\User\Desktop\KnockOut.exe
O4 - Startup: µTorrent.lnk = C:\Program Files\uTorrent\utorrent.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173376378546
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Flexlm Service 1 - Macrovision Corporation - C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\Data Deposit Box\nts.exe (file missing)
O23 - Service: RaySat_3dsmax8 Server (RaySat_3dsmax8Server) - Unknown owner - C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/User/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.gif

--
End of file - 15436 bytes

Shaba
2008-05-19, 11:53
Hi

Empty this folder:

C:\QooBox\Quarantine

Delete this unless you need it:

E:\temp\outlook backup\backup1.pst

Empty Recycle Bin.

All other viruses are in system restore and inactive.

I'll give you instructions later on how to empty it.

Other than that, any problems left?
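
The report above shows the pattern Shaba's advice rests on: every detection under System Volume Information\_restore is an inactive restore-point copy, the "Object is locked" lines are in-use system files rather than detections, and the only live object is the .pst backup. As an added example (not part of the thread or of any Kaspersky tool), this Python script triages a Kaspersky Online Scanner report into those three buckets; its sample input is a subset of the report lines posted above.

```python
"""Triage a Kaspersky Online Scanner report into live detections, restore-point
copies and locked (in-use) files.

Report lines have the shape   <object> <verdict> skipped
where <verdict> is one of:
  Infected: <name>          Suspicious: <name>
  Object is locked          <Type>: infected|suspicious - <count>
Objects inside archives or mail stores are written <container>/<inner path>.
"""
import re
from collections import defaultdict

VERDICT_RE = re.compile(
    r"^(?P<obj>.+?) "
    r"(?P<verdict>Infected: \S+|Suspicious: \S+|Object is locked"
    r"|\S+: (?:infected|suspicious) - \d+)"
    r" skipped$"
)
# System Restore keeps file copies under <drive>:\System Volume Information\_restore{GUID}\RPnnn\
RESTORE_RE = re.compile(r"^[A-Za-z]:\\System Volume Information\\_restore\{", re.IGNORECASE)

# Sample input: a subset of the report lines posted in this thread, plus the
# report's trailer line to show that non-detection lines are ignored.
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP619\A0147821.exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP621\A0154054.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rqy skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP626\A0162968.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP626\A0162978.dll Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
E:\temp\outlook backup\backup1.pst/Alexander's Mail & Contacts/Inbox/Daily/PalmPilot/03 Mar 2000 15:08 from InSync Online:Beam Me The Money.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
E:\temp\outlook backup\backup1.pst MailMSMaill: suspicious - 1 skipped
Scan process completed.
"""

ADVICE = {
    "live": "active on disk: delete or quarantine, then rescan",
    "restore_point": "inactive copies inside System Restore: flush restore points (disable/re-enable System Restore)",
    "locked": "in-use system files the scanner could not open, not detections: no action",
}


def parse_line(line):
    """Return (object, verdict) for a detection line, or None for anything else."""
    m = VERDICT_RE.match(line.strip())
    return (m.group("obj"), m.group("verdict")) if m else None


def classify(obj, verdict):
    """Bucket a detection as 'locked', 'restore_point' or 'live'."""
    if verdict == "Object is locked":
        return "locked"
    if RESTORE_RE.match(obj):
        return "restore_point"
    return "live"


def container_of(obj):
    """Collapse an archive/mailbox member onto the file that actually sits on disk."""
    return obj.split("/", 1)[0]


def triage(report_text):
    """Map each bucket to the sorted, de-duplicated list of on-disk objects in it."""
    buckets = defaultdict(set)
    for line in report_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # banner, blank or trailer line
        obj, verdict = parsed
        buckets[classify(obj, verdict)].add(container_of(obj))
    return {name: sorted(objs) for name, objs in buckets.items()}


if __name__ == "__main__":
    for bucket, objs in triage(SAMPLE_REPORT).items():
        print(f"[{bucket}] {ADVICE[bucket]}")
        for obj in objs:
            print("   ", obj)
```

Run against the sample, the "live" bucket contains only the backup .pst that Shaba asked to delete, while the four restore-point copies fall under the System Restore flush he promised instructions for.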

Zander
2008-05-19, 22:03
Hi,
I deleted the files in that folder and emptied the recycle bin. I don't know how I can tell if there is anything else in my computer.

Do you recommend a particular Security Suite to people? I use TrendMicro, which didn't catch this outbreak...

I've installed Firefox on my machine because I'm afraid to use Internet Explorer - is this what you use?

...so how do we get rid of the restore stuff?


Thank you for all this help Shaba - I appreciate it !

Shaba
2008-05-20, 15:22
Hi

"Do you recommend a particular Security Suite to people? I use TrendMicro, which didn't catch this outbreak...

I've installed Firefox on my machine because I'm afraid to use Internet Explorer - is this what you use?

...so how do we get rid of the restore stuff?"

Well I don't recommend any particular one but I think that Kaspersky Internet Suite (KIS) is maybe one of the best suites available.

Yes, I use Firefox.

I'll give you final instructions in a bit, unless you have any other questions?

Zander
2008-05-20, 21:48
Hi,
I had another computer in my network that was also infected. I took it off the network as soon as I realized what had happened, to make sure no cross-contamination would occur between the machines.

I ended up taking the hard drive from a third clean machine and installing it in the infected computer, re-configured windows xp so that it worked on the new hardware, and attached the infected hard drive as a secondary drive so I could get the required files off it.

Prior to taking any of the files off the infected drive I ran Kaspersky and it did find Virtumonde among other spyware and viruses, which it attempted to delete, disinfect etc.

What I want to do is grab the My Documents folder, email (.pst) backup file and Desktop/Favorites off it (and they are clean) and then wipe the infected drive with 'KillDisk' or equivalent - is it dangerous for me to take these files and transfer them to the clean drive?

And can Virtumonde jump from the infected hard drive to the clean one in this scenario?

Thanks so much!

Shaba
2008-05-21, 12:21
Hi

Yes, it's possible.

I recommend that you start a new thread for that computer before taking any of those actions.

Any other issues?

Zander
2008-05-21, 17:24
Hello - ok, I will start another thread for the other machine.

No other issues that I can see.

Thanks a lot.

:)

Shaba
2008-05-21, 17:26
Hi

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update: Download the latest version of Java Runtime Environment (JRE) 6 Update 6 (http://java.sun.com/javase/downloads/index.jsp) and save it to your desktop.
Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the Download button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

Now let's uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)


Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out.


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure that your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. A tutorial on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://bfccomputers.com/index.php?showtopic=1644)

Malwarebytes' Anti-Malware Scanning Guide (http://bfccomputers.com/index.php?showtopic=1645)


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free Google Toolbar to help stop pop-up windows.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
WinPatrol (http://www.winpatrol.com/) <= Download and install the free version of WinPatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean! :bigthumb:

Shaba
2008-05-23, 12:49
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.