Virtumonde and Virtumonde.dll



xaranda98
2008-06-13, 07:25
I've been running Spybot scans and these keep coming back. It's making my computer run slow and I keep getting popups. The following is the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:55 PM, on 6/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\devldr32.exe
C:\Cyberpwr\PanPlus.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {2A156EDA-930C-43AC-919B-BC5CCEE9C9C7} - C:\WINDOWS\system32\mlJDsRhi.dll (file missing)
O2 - BHO: (no name) - {32341E7E-C319-46DE-91D0-E30BB1A3CABA} - C:\WINDOWS\system32\fccYollj.dll
O2 - BHO: (no name) - {4BB68C4F-0933-4A9A-A902-35816FA0279D} - C:\WINDOWS\system32\ljJBsRHB.dll (file missing)
O2 - BHO: (no name) - {4E67BD91-5C53-4056-B9D1-26FBE540DF6F} - C:\WINDOWS\system32\yayxwVlI.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {614C80B1-98EB-45B9-A647-EB71EF687850} - C:\WINDOWS\system32\tuvwXnmJ.dll (file missing)
O2 - BHO: (no name) - {7347997E-30F2-4EAA-AF78-3E460ABAE4F1} - C:\WINDOWS\system32\tuvVOGxW.dll (file missing)
O2 - BHO: {9391889d-da39-09c9-6c44-99744fe39177} - {77193ef4-4799-44c6-9c90-93add9881939} - C:\WINDOWS\system32\tnowqkwm.dll
O2 - BHO: (no name) - {8FE0977F-DC5B-4408-8418-134BA1A3329B} - C:\WINDOWS\system32\byXQhEXo.dll (file missing)
O2 - BHO: (no name) - {EC3516DD-FE22-42A1-AC26-34B9C0B24060} - C:\WINDOWS\system32\urqPfcdc.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Power Panel plus] C:\Cyberpwr\PanPlus.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [20bb4c46] rundll32.exe "C:\WINDOWS\system32\pjwvisrl.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA1074] command /c del "C:\WINDOWS\system32\ljJBsRHB.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1883] cmd /c del "C:\WINDOWS\system32\ljJBsRHB.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7514] command /c del "C:\WINDOWS\system32\tuvwXnmJ.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1437] cmd /c del "C:\WINDOWS\system32\tuvwXnmJ.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB7560] command /c del "C:\WINDOWS\system32\tuvwXnmJ.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2766] cmd /c del "C:\WINDOWS\system32\tuvwXnmJ.dll_old"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {86425144-8E97-41D5-8BCF-302812D44692} (RazorStreamControl.CaptureControl) - http://www.helloworld.com/root.controls/RSControl40.CAB
O20 - Winlogon Notify: fccYollj - C:\WINDOWS\SYSTEM32\fccYollj.dll
O20 - Winlogon Notify: __c00F2CED - C:\WINDOWS\system32\__c00F2CED.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe

--
End of file - 7216 bytes

pskelley
2008-06-14, 19:17
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected. I suggest you keep this computer offline except when troubleshooting; the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

xaranda98
2008-06-15, 22:26
ComboFix 08-06-12.2 - Administrator 2008-06-15 12:10:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.151 [GMT -7:00]
Running from: C:\Users\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\__c0072F29.exe
C:\WINDOWS\system32\__c008BF37.exe
C:\WINDOWS\system32\__c00A1F51.exe
C:\WINDOWS\system32\__c00C204C.exe
C:\WINDOWS\system32\__c00F2CED.dat
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\anbysvqa.dll
C:\WINDOWS\system32\BHRsBJjl.ini
C:\WINDOWS\system32\BHRsBJjl.ini2
C:\WINDOWS\system32\cdcfPqru.ini
C:\WINDOWS\system32\cdcfPqru.ini2
C:\WINDOWS\system32\eashmbct.ini
C:\WINDOWS\system32\eqedkadj.dll
C:\WINDOWS\system32\ercmarrg.ini
C:\WINDOWS\system32\fccYollj.dll
C:\WINDOWS\system32\fnpbgyhv.ini
C:\WINDOWS\system32\gpknnmtt.ini
C:\WINDOWS\system32\ihRsDJlm.ini
C:\WINDOWS\system32\ihRsDJlm.ini2
C:\WINDOWS\system32\ilbpauys.dll
C:\WINDOWS\system32\IlVwxyay.ini
C:\WINDOWS\system32\IlVwxyay.ini2
C:\WINDOWS\system32\imnphgid.dll
C:\WINDOWS\system32\JmnXwvut.ini
C:\WINDOWS\system32\JmnXwvut.ini2
C:\WINDOWS\system32\khxqglwh.ini
C:\WINDOWS\system32\ljJARklM.dll
C:\WINDOWS\system32\lrsivwjp.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nkvvbdgc.dll
C:\WINDOWS\system32\ntmmkdcu.dll
C:\WINDOWS\system32\nxrmfkex.dll
C:\WINDOWS\system32\opnlIcAp.dll
C:\WINDOWS\system32\otrffhwv.dll
C:\WINDOWS\system32\ouvgeyau.dll
C:\WINDOWS\system32\oXEhQXyb.ini
C:\WINDOWS\system32\oXEhQXyb.ini2
C:\WINDOWS\system32\pjwvisrl.dll
C:\WINDOWS\system32\rblkwecw.ini
C:\WINDOWS\system32\rjbothbv.dll
C:\WINDOWS\system32\rlqddofs.dll
C:\WINDOWS\system32\ssvxfxbx.dll
C:\WINDOWS\system32\tjmqyiyy.dll
C:\WINDOWS\system32\tnowqkwm.dll
C:\WINDOWS\system32\ttmnnkpg.dll
C:\WINDOWS\system32\uayegvuo.ini
C:\WINDOWS\system32\uvitrwtj.ini
C:\WINDOWS\system32\uxmgkabi.dll
C:\WINDOWS\system32\wjrahunm.ini
C:\WINDOWS\system32\wvUmmKEx.dll
C:\WINDOWS\system32\WxGOVvut.ini
C:\WINDOWS\system32\WxGOVvut.ini2
C:\WINDOWS\system32\xekfmrxn.ini
C:\WINDOWS\system32\xekfmrxn.tmp
C:\WINDOWS\system32\xEKmmUvw.ini
C:\WINDOWS\system32\xEKmmUvw.ini2
C:\WINDOWS\system32\xxyvspOG.dll
C:\WINDOWS\system32\yqiljvaf.dll
C:\xcrashdump.dat
I:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.

2008-06-11 21:56 . 2008-06-11 21:56 <DIR> d----c--- C:\Program Files\Trend Micro
2008-06-11 19:56 . 2008-06-11 19:56 <DIR> d---sc--- C:\Users\Administrator\Temporary Internet Files
2008-06-11 19:56 . 2008-06-11 19:56 <DIR> d---sc--- C:\Users\Administrator\History
2008-06-11 19:56 . 2008-06-11 19:56 <DIR> d----c--- C:\Users\Administrator\Application Data\RE FormsNet
2008-06-11 19:56 . 2008-06-11 19:56 <DIR> d---sc--- C:\Users\Administrator\Temporary Internet Files
2008-06-11 19:56 . 2008-06-11 19:56 <DIR> d---sc--- C:\Users\Administrator\History
2008-06-11 17:53 . 2008-06-11 17:53 <DIR> d----c--- C:\Program Files\Spybot - Search & Destroy
2008-06-11 09:52 . 2008-06-11 16:59 <DIR> d----c--- C:\Civil 3D Projects
2008-06-09 11:31 . 2008-06-12 21:13 1,136 --a--c--- C:\WINDOWS\wininit.ini
2008-06-09 11:02 . 2008-06-11 18:17 <DIR> d----c--- C:\Users\All Users\Application Data\Spybot - Search & Destroy
2008-06-09 11:02 . 2008-06-09 11:01 691,545 --a--c--- C:\WINDOWS\unins000.exe
2008-06-09 11:02 . 2008-06-09 11:02 2,534 --a--c--- C:\WINDOWS\unins000.dat
2008-06-09 10:55 . 2008-06-11 17:19 <DIR> d----c--- C:\Users\Administrator\Application Data\Spybot - Search & Destroy
2008-06-09 08:30 . 2008-06-09 08:30 <DIR> d----c--- C:\Users\Administrator\Application Data\PC Tools
2008-06-09 08:29 . 2008-06-15 12:16 <DIR> d-a--c--- C:\Users\All Users\Application Data\TEMP
2008-06-09 08:28 . 2008-06-09 08:30 <DIR> d----c--- C:\Users\All Users\Application Data\PC Tools
2008-06-09 08:28 . 2008-06-15 12:16 <DIR> d----c--- C:\Program Files\PC Tools AntiVirus
2008-06-09 08:28 . 2008-06-09 08:28 <DIR> d----c--- C:\Program Files\Common Files\PC Tools
2008-06-09 08:28 . 2007-12-06 15:51 28,568 --a--c--- C:\WINDOWS\system32\drivers\AVHook.sys
2008-06-09 08:28 . 2007-12-06 15:51 21,912 --a--c--- C:\WINDOWS\system32\drivers\AVRec.sys
2008-06-09 08:28 . 2008-02-12 10:44 21,904 --a--c--- C:\WINDOWS\system32\drivers\AVFilter.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 15:25 --------- dc----w C:\Users\Administrator\Application Data\U3
2008-06-11 18:16 --------- dc----w C:\Program Files\Autodesk Civil 3D 2007
2008-06-06 08:20 --------- dc----w C:\Users\Administrator\Application Data\AdobeUM
2008-05-08 01:15 --------- dc----w C:\Users\Administrator\Application Data\Move Networks
2008-05-05 12:43 --------- dc----w C:\Program Files\Supplement Review Worksheet
2008-05-05 12:09 --------- dc----w C:\Program Files\QuickTime
2008-05-05 11:59 --------- dc----w C:\Program Files\Apple Software Update
2008-05-05 11:56 --------- dc----w C:\Program Files\iTunes
2008-05-05 11:56 --------- dc----w C:\Program Files\iPod
2008-05-05 11:52 --------- dc----w C:\Program Files\Common Files\Apple
2008-05-04 02:01 --------- dc----w C:\Program Files\Disney
2008-05-02 00:34 20 -c-h--w C:\Users\All Users\Application Data\PKP_DLec.DAT
2008-05-02 00:34 20 -c-h--w C:\Users\All Users\Application Data\PKP_DLds.DAT
2008-04-17 02:41 --------- dc----w C:\Users\Administrator\Application Data\Intuit
2008-04-17 02:39 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-04-17 02:39 --------- dc----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-17 02:37 --------- dc----w C:\Users\All Users\Application Data\Intuit
2008-04-17 02:37 --------- dc----w C:\Program Files\TurboTax
2008-04-17 02:37 --------- dc----w C:\Program Files\Common Files\Intuit
2008-04-15 04:57 --------- dc----w C:\Users\Administrator\Application Data\MSNInstaller
2008-04-15 04:55 --------- dc----w C:\Program Files\Common Files\Adobe
2008-04-15 04:47 0 -c-h--w C:\Users\All Users\Application Data\PKP_DLdv.DAT
2008-04-15 04:47 --------- dc----w C:\Program Files\Nikon
2008-04-15 04:46 --------- dc----w C:\Program Files\Common Files\Softwin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A156EDA-930C-43AC-919B-BC5CCEE9C9C7}]
C:\WINDOWS\system32\mlJDsRhi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BB68C4F-0933-4A9A-A902-35816FA0279D}]
C:\WINDOWS\system32\ljJBsRHB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E67BD91-5C53-4056-B9D1-26FBE540DF6F}]
C:\WINDOWS\system32\yayxwVlI.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{614C80B1-98EB-45B9-A647-EB71EF687850}]
C:\WINDOWS\system32\tuvwXnmJ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7347997E-30F2-4EAA-AF78-3E460ABAE4F1}]
C:\WINDOWS\system32\tuvVOGxW.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FE0977F-DC5B-4408-8418-134BA1A3329B}]
C:\WINDOWS\system32\byXQhEXo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EC3516DD-FE22-42A1-AC26-34B9C0B24060}]
C:\WINDOWS\system32\urqPfcdc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 12:26 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 03:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-11 17:33 147456 C:\WINDOWS\system32\VTTrayp.exe]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-03 12:26 143360]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52 483328]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 14:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 15:04 40960]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 17:14 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-11-11 22:00 864256]
"Power Panel plus"="C:\Cyberpwr\PanPlus.exe" [2002-01-07 15:02 1245184]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2008-03-05 09:37 1238928]

C:\Users\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-05-11 14:52:51 25214]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 05:43:54 11000]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 05:33:46 282624]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2008-02-01 07:07:51 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00F2CED]
C:\WINDOWS\system32\__c00F2CED.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 11:38]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-23 11:39]
R3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-09-29 03:24]
R3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 04:28]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-11 04:07:17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 12:17:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
.
**************************************************************************
.
Completion time: 2008-06-15 12:22:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-15 19:22:06

Pre-Run: 14,292,168,704 bytes free
Post-Run: 14,789,849,088 bytes free

206 --- E O F --- 2008-05-16 10:02:01





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24, on 2008-06-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Cyberpwr\PanPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {2A156EDA-930C-43AC-919B-BC5CCEE9C9C7} - C:\WINDOWS\system32\mlJDsRhi.dll (file missing)
O2 - BHO: (no name) - {4BB68C4F-0933-4A9A-A902-35816FA0279D} - C:\WINDOWS\system32\ljJBsRHB.dll (file missing)
O2 - BHO: (no name) - {4E67BD91-5C53-4056-B9D1-26FBE540DF6F} - C:\WINDOWS\system32\yayxwVlI.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {614C80B1-98EB-45B9-A647-EB71EF687850} - C:\WINDOWS\system32\tuvwXnmJ.dll (file missing)
O2 - BHO: (no name) - {7347997E-30F2-4EAA-AF78-3E460ABAE4F1} - C:\WINDOWS\system32\tuvVOGxW.dll (file missing)
O2 - BHO: (no name) - {8FE0977F-DC5B-4408-8418-134BA1A3329B} - C:\WINDOWS\system32\byXQhEXo.dll (file missing)
O2 - BHO: (no name) - {EC3516DD-FE22-42A1-AC26-34B9C0B24060} - C:\WINDOWS\system32\urqPfcdc.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Power Panel plus] C:\Cyberpwr\PanPlus.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {86425144-8E97-41D5-8BCF-302812D44692} (RazorStreamControl.CaptureControl) - http://www.helloworld.com/root.controls/RSControl40.CAB
O20 - Winlogon Notify: __c00F2CED - C:\WINDOWS\system32\__c00F2CED.dat (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe

--
End of file - 6033 bytes

pskelley
2008-06-15, 22:53
Thanks for returning your information, read and follow the directions carefully and in the numbered order.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\__c00F2CED.dat

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A156EDA-930C-43AC-919B-BC5CCEE9C9C7}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BB68C4F-0933-4A9A-A902-35816FA0279D}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E67BD91-5C53-4056-B9D1-26FBE540DF6F}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{614C80B1-98EB-45B9-A647-EB71EF687850}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7347997E-30F2-4EAA-AF78-3E460ABAE4F1}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FE0977F-DC5B-4408-8418-134BA1A3329B}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EC3516DD-FE22-42A1-AC26-34B9C0B24060}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00F2CED]

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(items may be gone, removed by the CFScript, don't be concerned)

O2 - BHO: (no name) - {2A156EDA-930C-43AC-919B-BC5CCEE9C9C7} - C:\WINDOWS\system32\mlJDsRhi.dll (file missing)
O2 - BHO: (no name) - {4BB68C4F-0933-4A9A-A902-35816FA0279D} - C:\WINDOWS\system32\ljJBsRHB.dll (file missing)
O2 - BHO: (no name) - {4E67BD91-5C53-4056-B9D1-26FBE540DF6F} - C:\WINDOWS\system32\yayxwVlI.dll (file missing)
O2 - BHO: (no name) - {614C80B1-98EB-45B9-A647-EB71EF687850} - C:\WINDOWS\system32\tuvwXnmJ.dll (file missing)
O2 - BHO: (no name) - {7347997E-30F2-4EAA-AF78-3E460ABAE4F1} - C:\WINDOWS\system32\tuvVOGxW.dll (file missing)
O2 - BHO: (no name) - {8FE0977F-DC5B-4408-8418-134BA1A3329B} - C:\WINDOWS\system32\byXQhEXo.dll (file missing)
O2 - BHO: (no name) - {EC3516DD-FE22-42A1-AC26-34B9C0B24060} - C:\WINDOWS\system32\urqPfcdc.dll (file missing)
O20 - Winlogon Notify: __c00F2CED - C:\WINDOWS\system32\__c00F2CED.dat (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the combofix report from CFScript, a new HJT log and some feedback from you. How is the computer running?

Thanks
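
The entries targeted in step 2 can be picked out of an HJT log mechanically. What follows is an added example, not code from the thread or from ComboFix/HijackThis: a small Python triage script that applies the pattern visible in the two logs above (an unnamed or GUID-named O2 BHO loading a random 8-letter DLL from system32, or already "(file missing)"; an O4 Run value starting rundll32.exe on a system32 DLL through a one-letter export; an O20 Winlogon Notify handler that is a .dat rather than a .dll) and renders the result in the File:: / Registry:: CFScript layout used in step 2. The heuristics, the sample log (lines copied from the first HJT log), and the Finding/triage/build_cfscript names are assumptions of mine; the `~` key shorthand is copied from the thread's CFScript, not from any documented ComboFix syntax.

```python
r"""Triage an HJT log for the Virtumonde-style autostart entries seen in this
thread and render a ComboFix CFScript in the same File:: / Registry:: layout.
Added example with hypothetical heuristics, not code from the thread or the tools:
  O2  "(no name)" or GUID-named BHO whose DLL sits in system32 and is either
      already "(file missing)" (orphaned CLSID) or has a random 8-letter name
  O4  Run value starting rundll32.exe on a system32 DLL via a 1-2 letter export
  O20 Winlogon Notify handler that is not a .dll (__c00F2CED.dat) or is random
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {2A156EDA-930C-43AC-919B-BC5CCEE9C9C7} - C:\WINDOWS\system32\mlJDsRhi.dll (file missing)
O2 - BHO: (no name) - {32341E7E-C319-46DE-91D0-E30BB1A3CABA} - C:\WINDOWS\system32\fccYollj.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {9391889d-da39-09c9-6c44-99744fe39177} - {77193ef4-4799-44c6-9c90-93add9881939} - C:\WINDOWS\system32\tnowqkwm.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [20bb4c46] rundll32.exe "C:\WINDOWS\system32\pjwvisrl.dll",b
O20 - Winlogon Notify: fccYollj - C:\WINDOWS\SYSTEM32\fccYollj.dll
O20 - Winlogon Notify: __c00F2CED - C:\WINDOWS\system32\__c00F2CED.dat
"""

_BHO = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - '
                  r'(?P<path>.+?)(?P<missing> \(file missing\))?$')
_RUN = re.compile(r'^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] rundll32(?:\.exe)? '
                  r'"?(?P<dll>[^",]+\.dll)"?,(?P<export>\w+)', re.I)
_NOTIFY = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$')
_GUID = re.compile(r'^\{[0-9A-Fa-f-]{36}\}$')
_RANDOM8 = re.compile(r'^[A-Za-z]{8}\.dll$', re.I)

# Key paths exactly as the thread's CFScript writes them ("~" is copied from it).
BHO_KEY = r'HKEY_LOCAL_MACHINE\~\Browser Helper Objects'
NOTIFY_KEY = r'HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify'

@dataclass
class Finding:
    kind: str      # HJT section: "O2", "O4" or "O20"
    ident: str     # BHO CLSID, Run value name, or Winlogon Notify subkey
    path: str      # file the entry loads
    missing: bool  # HJT reported "(file missing)"
    reason: str

def _basename(path):
    return path.rsplit('\\', 1)[-1]

def _in_system32(path):
    return '\\system32\\' in path.lower()

def _looks_random(base):
    """8 letters with upper/lower case mixed after the first one (fccYollj, mlJDsRhi)."""
    stem = base[:-4]
    return bool(_RANDOM8.match(base)) and any(c.isupper() for c in stem[1:]) and any(c.islower() for c in stem)

def triage(log_text):
    """Return the suspicious autostart entries of an HJT log, in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if m := _BHO.match(line):
            name, path, missing = m['name'], m['path'], m['missing'] is not None
            guid_name = bool(_GUID.match(name))
            if (name == '(no name)' or guid_name) and _in_system32(path) \
                    and (missing or guid_name or _looks_random(_basename(path))):
                why = 'orphaned CLSID, DLL already gone' if missing else 'unnamed BHO loading random system32 DLL'
                findings.append(Finding('O2', m['clsid'], path, missing, why))
        elif m := _RUN.match(line):
            if _in_system32(m['dll']) and len(m['export']) <= 2:
                findings.append(Finding('O4', m['key'], m['dll'], False,
                                        'rundll32 starts system32 DLL through export %r' % m['export']))
        elif m := _NOTIFY.match(line):
            path, missing, base = m['path'], m['missing'] is not None, _basename(m['path'])
            if not base.lower().endswith('.dll') or _looks_random(base):
                findings.append(Finding('O20', m['name'], path, missing, 'non-standard Winlogon Notify handler'))
    return findings

def build_cfscript(findings):
    """File:: lists flagged files still on disk; Registry:: deletes their keys ([-key])."""
    files, keys = {}, []
    for f in findings:
        if f.kind == 'O2':
            keys.append(f'[-{BHO_KEY}\\{f.ident}]')
        elif f.kind == 'O20':
            keys.append(f'[-{NOTIFY_KEY}\\{f.ident}]')
        else:
            continue                                   # O4 Run values: use HJT "Fix checked"
        if not f.missing:
            files.setdefault(f.path.lower(), f.path)   # dedupe system32 vs SYSTEM32
    lines = ['File::', *files.values(), ''] if files else []
    lines += ['Registry::', *keys]
    return '\n'.join(lines)

if __name__ == '__main__':
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f'{f.kind:<4}{f.ident:<40}{f.reason}')
    print('\n' + build_cfscript(found))
```

Run as a script it prints the six flagged entries and the generated CFScript. O4 Run values are reported but not scripted, matching the thread, where that entry was already gone after ComboFix's first pass and the leftovers went through HJT's "Fix checked". A properly named BHO such as SDHelper.dll is never flagged, even though its file name is also eight letters, because the unnamed/GUID-named condition has to hold first.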

xaranda98
2008-06-18, 20:40
Computer seems to be working fine. I also ran S&D again and it said it was free of malware. Thanks for your help! :)

ComboFix 08-06-12.2 - Administrator 2008-06-15 20:15:00.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.171 [GMT -7:00]
Running from: C:\Users\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Users\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\__c00F2CED.dat
.

((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))
.

2008-06-11 21:56 . 2008-06-11 21:56 <DIR> d----c--- C:\Program Files\Trend Micro
2008-06-11 19:56 . 2008-06-11 19:56 <DIR> d---sc--- C:\Users\Administrator\Temporary Internet Files
2008-06-11 19:56 . 2008-06-11 19:56 <DIR> d---sc--- C:\Users\Administrator\History
2008-06-11 19:56 . 2008-06-11 19:56 <DIR> d----c--- C:\Users\Administrator\Application Data\RE FormsNet
2008-06-11 19:56 . 2008-06-11 19:56 <DIR> d---sc--- C:\Users\Administrator\Temporary Internet Files
2008-06-11 19:56 . 2008-06-11 19:56 <DIR> d---sc--- C:\Users\Administrator\History
2008-06-11 17:53 . 2008-06-11 17:53 <DIR> d----c--- C:\Program Files\Spybot - Search & Destroy
2008-06-11 09:52 . 2008-06-11 16:59 <DIR> d----c--- C:\Civil 3D Projects
2008-06-09 11:31 . 2008-06-12 21:13 1,136 --a--c--- C:\WINDOWS\wininit.ini
2008-06-09 11:02 . 2008-06-11 18:17 <DIR> d----c--- C:\Users\All Users\Application Data\Spybot - Search & Destroy
2008-06-09 11:02 . 2008-06-09 11:01 691,545 --a--c--- C:\WINDOWS\unins000.exe
2008-06-09 11:02 . 2008-06-09 11:02 2,534 --a--c--- C:\WINDOWS\unins000.dat
2008-06-09 10:55 . 2008-06-11 17:19 <DIR> d----c--- C:\Users\Administrator\Application Data\Spybot - Search & Destroy
2008-06-09 08:30 . 2008-06-09 08:30 <DIR> d----c--- C:\Users\Administrator\Application Data\PC Tools
2008-06-09 08:29 . 2008-06-15 12:19 <DIR> d-a--c--- C:\Users\All Users\Application Data\TEMP
2008-06-09 08:28 . 2008-06-09 08:30 <DIR> d----c--- C:\Users\All Users\Application Data\PC Tools
2008-06-09 08:28 . 2008-06-15 12:16 <DIR> d----c--- C:\Program Files\PC Tools AntiVirus
2008-06-09 08:28 . 2008-06-09 08:28 <DIR> d----c--- C:\Program Files\Common Files\PC Tools
2008-06-09 08:28 . 2007-12-06 15:51 28,568 --a--c--- C:\WINDOWS\system32\drivers\AVHook.sys
2008-06-09 08:28 . 2007-12-06 15:51 21,912 --a--c--- C:\WINDOWS\system32\drivers\AVRec.sys
2008-06-09 08:28 . 2008-02-12 10:44 21,904 --a--c--- C:\WINDOWS\system32\drivers\AVFilter.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 15:25 --------- dc----w C:\Users\Administrator\Application Data\U3
2008-06-11 18:16 --------- dc----w C:\Program Files\Autodesk Civil 3D 2007
2008-06-06 08:20 --------- dc----w C:\Users\Administrator\Application Data\AdobeUM
2008-05-08 01:15 --------- dc----w C:\Users\Administrator\Application Data\Move Networks
2008-05-05 12:43 --------- dc----w C:\Program Files\Supplement Review Worksheet
2008-05-05 12:09 --------- dc----w C:\Program Files\QuickTime
2008-05-05 11:59 --------- dc----w C:\Program Files\Apple Software Update
2008-05-05 11:56 --------- dc----w C:\Program Files\iTunes
2008-05-05 11:56 --------- dc----w C:\Program Files\iPod
2008-05-05 11:52 --------- dc----w C:\Program Files\Common Files\Apple
2008-05-04 02:01 --------- dc----w C:\Program Files\Disney
2008-05-02 00:34 20 -c-h--w C:\Users\All Users\Application Data\PKP_DLec.DAT
2008-05-02 00:34 20 -c-h--w C:\Users\All Users\Application Data\PKP_DLds.DAT
2008-04-17 02:41 --------- dc----w C:\Users\Administrator\Application Data\Intuit
2008-04-17 02:39 --------- dc-h--w C:\Program Files\InstallShield Installation Information
2008-04-17 02:39 --------- dc----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-17 02:37 --------- dc----w C:\Users\All Users\Application Data\Intuit
2008-04-17 02:37 --------- dc----w C:\Program Files\TurboTax
2008-04-17 02:37 --------- dc----w C:\Program Files\Common Files\Intuit
2008-04-15 04:47 0 -c-h--w C:\Users\All Users\Application Data\PKP_DLdv.DAT
2008-04-15 04:46 81,984 -c--a-w C:\WINDOWS\system32\bdod.bin
2008-03-26 08:09 151,583 -c--a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 17:20 219,936 -c--a-w C:\WINDOWS\system32\msltus40.dll
2008-03-19 09:40 1,845,888 -c--a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-15_12.21.48.39 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 12:26 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 03:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-11 17:33 147456 C:\WINDOWS\system32\VTTrayp.exe]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-03 12:26 143360]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52 483328]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 14:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 15:04 40960]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 17:14 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2004-11-11 22:00 864256]
"Power Panel plus"="C:\Cyberpwr\PanPlus.exe" [2002-01-07 15:02 1245184]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2008-03-05 09:37 1238928]

C:\Users\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-05-11 14:52:51 25214]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 05:43:54 11000]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 05:33:46 282624]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2008-02-01 07:07:51 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 11:38]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-23 11:39]
R3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-09-29 03:24]
R3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 04:28]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-11 04:07:17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 20:16:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-15 20:17:40
ComboFix-quarantined-files.txt 2008-06-16 03:17:17
ComboFix2.txt 2008-06-15 19:22:16

Pre-Run: 14,726,209,536 bytes free
Post-Run: 14,717,722,624 bytes free

123 --- E O F --- 2008-05-16 10:02:01


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:38, on 2008-06-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Power Panel plus] C:\Cyberpwr\PanPlus.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {86425144-8E97-41D5-8BCF-302812D44692} (RazorStreamControl.CaptureControl) - http://www.helloworld.com/root.controls/RSControl40.CAB
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe

--
End of file - 5050 bytes

pskelley
2008-06-18, 21:43
Thanks for returning your information and the feedback; that sounds good. Just a little more to do then: this is the next bridge we need to cross.

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand the Recovery Console. Installation is optional, but if you do not have the CDs needed, as is explained there, it can be installed before we remove ComboFix.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\CF-RC.txt.

Since we do not need to scan with ComboFix, click NO.

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

Thanks

pskelley
2008-06-27, 01:01
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread reopened, please send me or your helper a private message (PM). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.