PDA

View Full Version : Virtumonde Problems



compbr11
2008-05-30, 11:33
Hi, I am new to this forum, I just have been very annoyed by what Spybot has picked up as "Virtumonde," and decided to do a little research. I have read many other peoples posts and such, an ran a log via Combo Fix.

Here is my ComboFix log:



ComboFix 08-05-29.1 - Kyle 2008-05-30 0:48:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.862 [GMT -7:00]
Running from: C:\Documents and Settings\Kyle\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMeb0b5c63.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\CLVGOqru.ini
C:\WINDOWS\system32\CLVGOqru.ini2
C:\WINDOWS\system32\efikmnnn.ini2
C:\WINDOWS\system32\enwdpmjo.dll
C:\WINDOWS\system32\iilRtBeg.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mnqdtvyf.dll
C:\WINDOWS\system32\pdxdttdu.ini
C:\WINDOWS\system32\udttdxdp.dll
C:\WINDOWS\system32\urqOGVLC.dll
C:\WINDOWS\system32\yJPAKRqr.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-30 00:36 . 2008-05-30 00:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-30 00:28 . 2008-05-30 00:28 <DIR> d-------- C:\_OTMoveIt
2008-05-29 00:42 . 2008-05-30 00:16 <DIR> d-------- C:\Documents and Settings\Kyle\Parts
2008-05-28 18:44 . 2008-05-28 18:44 58,368 --a------ C:\WINDOWS\system32\fccBqoLb.dll
2008-05-28 18:06 . 2008-05-28 18:06 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-05-28 09:31 . 2004-03-01 23:05 407,104 --a------ C:\WINDOWS\system32\MSHFLXGD.OCX
2008-05-28 09:31 . 2002-02-13 11:20 2,362 --a------ C:\WINDOWS\system32\mscomct2.dep
2008-05-28 09:30 . 2008-05-28 09:30 645,120 --a------ C:\WINDOWS\system32\config.gms
2008-05-28 09:00 . 2008-05-28 09:00 <DIR> d-------- C:\Program Files\MATLAB
2008-05-27 22:23 . 2008-05-27 22:23 <DIR> d-------- C:\Program Files\Sun
2008-05-27 22:23 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-27 22:22 . 2008-05-27 22:23 <DIR> d-------- C:\Program Files\Java
2008-05-27 22:21 . 2008-05-27 22:21 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-19 15:59 . 2008-05-27 22:30 <DIR> d-------- C:\Internship_Data
2008-05-19 15:50 . 2008-05-19 15:50 <DIR> d-------- C:\Program Files\MATLAB 5
2008-05-17 16:03 . 2008-05-17 16:05 <DIR> d-------- C:\Program Files\keyclone
2008-05-08 15:45 . 2008-05-08 15:45 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-08 15:45 . 2008-05-08 15:45 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-08 15:45 . 2008-05-08 15:45 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-08 15:45 . 2008-05-08 15:45 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-08 15:42 . 2008-05-08 15:42 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-08 15:18 . 2004-08-03 22:29 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-04-13 17:12 . 2008-04-13 17:12 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
2008-04-13 17:11 . 2008-04-13 17:11 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-04-13 17:09 . 2008-04-13 17:09 6,144 --a------ C:\WINDOWS\system32\kbdpash.dll
2008-04-13 17:09 . 2008-04-13 17:09 6,144 --a------ C:\WINDOWS\system32\kbdnepr.dll
2008-04-13 17:09 . 2008-04-13 17:09 6,144 --a------ C:\WINDOWS\system32\kbdiultn.dll
2008-04-13 17:09 . 2008-04-13 17:09 6,144 --a------ C:\WINDOWS\system32\kbdbhc.dll
2008-04-13 11:56 . 2008-04-13 11:56 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 11:56 . 2008-04-13 11:56 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 11:46 . 2008-04-13 11:46 121,984 --------- C:\WINDOWS\system32\drivers\usbvideo.sys
2008-04-13 11:46 . 2008-04-13 11:46 37,888 --------- C:\WINDOWS\system32\drivers\bthmodem.sys
2008-04-13 11:46 . 2008-04-13 11:46 36,480 --------- C:\WINDOWS\system32\drivers\bthprint.sys
2008-04-13 11:46 . 2008-04-13 11:46 25,600 --------- C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-13 11:45 . 2008-04-13 11:45 46,592 --------- C:\WINDOWS\system32\drivers\irbus.sys
2008-04-13 11:45 . 2008-04-13 11:45 19,200 --------- C:\WINDOWS\system32\drivers\hidir.sys
2008-04-13 11:43 . 2008-04-13 11:43 14,208 --------- C:\WINDOWS\system32\drivers\wacompen.sys
2008-04-13 11:43 . 2008-04-13 11:43 12,672 --------- C:\WINDOWS\system32\drivers\mutohpen.sys
2008-04-13 11:43 . 2008-04-13 11:43 9,728 --a------ C:\WINDOWS\system32\comsdupd.exe
2008-04-13 11:40 . 2008-04-13 11:40 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-04-13 11:36 . 2008-04-13 11:36 5,888 --------- C:\WINDOWS\system32\drivers\smbali.sys
2008-04-13 11:14 . 2008-04-13 11:14 76,800 --a------ C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 10:27 . 2008-04-13 10:27 79,872 --a------ C:\WINDOWS\system32\msxml6r.dll
2008-04-13 10:27 . 2008-04-13 10:27 79,872 -----c--- C:\WINDOWS\system32\dllcache\msxml6r.dll
2008-04-11 17:57 . 2001-08-17 13:47 12,928 --a------ C:\WINDOWS\system32\drivers\Dot4Prt.sys
2008-04-11 17:57 . 2001-08-17 13:47 12,928 --a--c--- C:\WINDOWS\system32\dllcache\dot4prt.sys
2008-04-11 17:56 . 2001-08-17 22:36 324,608 --a------ C:\WINDOWS\system32\hpojwia.dll
2008-04-11 17:56 . 2001-08-17 22:36 324,608 --a--c--- C:\WINDOWS\system32\dllcache\hpojwia.dll
2008-04-11 17:56 . 2008-04-13 11:39 206,976 --a------ C:\WINDOWS\system32\drivers\dot4.sys
2008-04-11 17:56 . 2001-08-17 13:47 23,808 --a------ C:\WINDOWS\system32\drivers\Dot4usb.sys
2008-04-11 17:56 . 2001-08-17 13:47 23,808 --a--c--- C:\WINDOWS\system32\dllcache\dot4usb.sys
2008-04-11 17:56 . 2001-07-21 20:27 18,411 --a------ C:\WINDOWS\system32\hpo5500a.aio
2008-04-11 17:56 . 2001-07-21 20:27 18,411 --a------ C:\WINDOWS\system32\hpo5400a.aio
2008-04-11 17:56 . 2001-07-21 20:27 18,411 --a------ C:\WINDOWS\system32\hpo5300a.aio
2008-04-11 17:56 . 2001-08-17 13:47 8,704 --a------ C:\WINDOWS\system32\drivers\Dot4scan.sys
2008-04-11 17:56 . 2001-08-17 13:47 8,704 --a--c--- C:\WINDOWS\system32\dllcache\dot4scan.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 07:16 --------- d-----w C:\Documents and Settings\Kyle\Application Data\uTorrent
2008-05-29 17:51 --------- d-----w C:\Program Files\Yahoo!
2008-05-29 01:00 --------- d-----w C:\Program Files\NetBattle
2008-05-29 00:42 --------- d---a-w C:\Documents and Settings\All Users\Application Data\MakeMusic
2008-05-28 05:51 --------- d-----w C:\Documents and Settings\Kyle\Application Data\Vso
2008-05-21 20:55 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
2008-05-13 19:02 --------- d-----w C:\Program Files\World of Warcraft
2008-05-08 06:38 --------- d-----w C:\Program Files\DivX
2008-04-14 12:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 12:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 12:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 299,520 ----a-w C:\WINDOWS\system32\drmclien.dll
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:24 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 88,192 ----a-w C:\WINDOWS\system32\drivers\irda.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ----a-w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 18:47 25,856 ----a-w C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-13 18:46 59,136 ----a-w C:\WINDOWS\system32\drivers\rfcomm.sys
2008-04-13 18:46 273,024 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-13 18:46 25,344 ----a-w C:\WINDOWS\system32\drivers\sonydcam.sys
2008-04-13 18:46 18,944 ----a-w C:\WINDOWS\system32\drivers\bthusb.sys
2008-04-13 18:46 17,024 ----a-w C:\WINDOWS\system32\drivers\bthenum.sys
2008-04-13 18:44 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:44 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-13 18:43 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2008-04-13 18:41 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-13 18:39 92,544 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
2008-04-13 18:39 7,552 ----a-w C:\WINDOWS\system32\drivers\mskssrv.sys
2008-04-13 18:39 5,376 ----a-w C:\WINDOWS\system32\drivers\mspclock.sys
2008-04-13 18:39 42,368 ----a-w C:\WINDOWS\system32\drivers\mountmgr.sys
2008-04-13 18:39 4,992 ----a-w C:\WINDOWS\system32\drivers\mspqm.sys
2008-04-13 18:39 4,352 ----a-w C:\WINDOWS\system32\drivers\swenum.sys
2008-04-13 18:39 384,768 ----a-w C:\WINDOWS\system32\drivers\update.sys
2008-04-13 18:39 24,576 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys
2006-05-06 16:42 7,260,160 ----a-w C:\Program Files\mozilla firefox\plugins\libvlc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{203EF231-7D93-4C7D-9197-05451D3A4FE3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4A2C076-8C74-4AF2-B75E-9BA86C633BB4}]
2008-05-30 01:10 370176 --a------ C:\WINDOWS\system32\xxyVoNHX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1BC0AAB-2C35-40DF-8F1D-4FD437DF432E}]
2008-05-28 18:44 58368 --a------ C:\WINDOWS\system32\fccBqoLb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"Aim6"="" []
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 11:01 392832]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 17:12 110592 C:\WINDOWS\system32\bthprops.cpl]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 20:29 49152]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-02-20 12:39 839680]
"ShowLOMControl"="1 (0x1)" []
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 17:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 17:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 17:45 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 15:35 397312 C:\WINDOWS\stsystra.exe]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 09:08 1347584]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 03:48 157592]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21 90112]
"workflo"="D:\install\workflow.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"BMeb0b5c63"="C:\WINDOWS\system32\dsspison.dll" [2008-05-30 01:11 126976]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2004-02-25 02:35:22 10872]
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 17:46:00 1724416]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E1BC0AAB-2C35-40DF-8F1D-4FD437DF432E}"= C:\WINDOWS\system32\fccBqoLb.dll [2008-05-28 18:44 58368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccBqoLb]
fccBqoLb.dll 2008-05-28 18:44 58368 C:\WINDOWS\system32\fccBqoLb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-01-08 14:01 210168 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I263"= I263_32.drv
"vidc.avrn"= AvidAVICodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau C:\WINDOWS\system32\xxyVoNHX

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\Maple 9.5\\jre\\bin\\java.exe"=
"C:\\Program Files\\Maple 9.5\\bin.win\\mserver.exe"=
"C:\\Program Files\\MATLAB_SV71\\bin\\win32\\MATLAB.exe"=
"C:\\Documents and Settings\\Kyle\\My Documents\\Downloads\\#apps\\old\\utorrent.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\World of Warcraft\\Repair.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\Launcher.exe"=
"C:\\WINDOWS\\system32\\igfxsrvc.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Documents and Settings\\Kyle\\My Documents\\Downloads\\#apps\\magicg\\Magic\\Manalink.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\keyclone\\keyclone.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:wow
"6881:TCP"= 6881:TCP:port6881
"6882:TCP"= 6882:TCP:port6882
"6112:TCP"= 6112:TCP:port6112
"3689:TCP"= 3689:TCP:ppooo

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
S2 DirectX multi version;DirectX multi version;C:\WINDOWS\system32\dxcombin.exe []
S3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2005-12-09 16:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\.\Nurseust.exe
\Shell\dxinst\command - E:\.\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24b6e5f3-6ac8-11db-b307-0015c54752e1}]
\Shell\AutoRun\command - F:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-13 15:13:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 01:05:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\fccBqoLb.dll
-> C:\WINDOWS\system32\NavLogon.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\dsspison.dll
-> C:\WINDOWS\system32\xxyVoNHX.dll
-> C:\Program Files\Stardock\Object Desktop\WindowBlinds\tray.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-05-30 1:15:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-30 08:14:55

Pre-Run: 16,135,729,152 bytes free
Post-Run: 16,069,066,752 bytes free

332 --- E O F --- 2008-05-16 12:32:59



Thanks for any help!!

ken545
2008-05-31, 03:57
Hello compbr11

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Running programs on your own without supervision is not recommended, please do not run any other programs unless directed to do so .

Download Trendmicros Hijackthis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to your desktop.
Double click it to install
Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe

Open HJT Scan and Save a Log File, it will open in Notepad
Go to Format and make sure Wordwrap is Unchecked
Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Post Reply and not start a New Thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.