Virtumonde [Archive] - Safer-Networking Forums

crimsonsnow

2008-09-02, 13:40

Had spybot detect virtumonde, browsed through forums, think i fixed problem but wanted to be sure

HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:10:50 AM, on 9/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\StkASv2K.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
D:\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\VMware\VMware Player\hqtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.onlineregister.com/viewsonic
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GameDrive] "D:\FarStone\GameDrive\GDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [VMware hqtray] "D:\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "D:\Fiddler\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "D:\Fiddler\Fiddler.exe" (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1215994547781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1216062924281
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://aolsvc.aol.com/onlinegames/free-trial-burger-shop/GoBitGamesPlayer_v4.cab
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - D:\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Remote Procedure Call (HPM) (RPCH) - R.e.m.o.t.e A.B.C - C:\Program Files\NetMeeting\Intell.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Syntek STK1160 Service (StkASSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkASv2K.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 9463 bytes

Combofix
ComboFix 08-09-01.01 - Administrato 2008-09-02 5:22:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2601 [GMT -5:00]
Running from: F:\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-08-02 to 2008-09-02 )))))))))))))))))))))))))))))))
.

2063-09-19 00:50 . 2063-09-19 00:50 5,501 --------- C:\WINDOWS\system32\dptlcg32.dll
2008-09-02 05:07 . 2008-09-02 05:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-02 02:16 . 2008-09-02 03:32 <DIR> d-------- C:\VundoFix Backups
2008-09-01 18:45 . 2008-09-02 04:59 8,939 --a------ C:\WINDOWS\system32\oodbs.lor
2008-09-01 11:41 . 2008-09-02 03:14 <DIR> d-------- C:\WINDOWS\system32\oodag
2008-09-01 11:29 . 2008-09-01 11:29 0 --a------ C:\WINDOWS\OODCNT.INI
2008-09-01 10:54 . 2008-09-01 10:54 8 --a------ C:\WINDOWS\system32\nvModes.dat
2008-09-01 10:42 . 2008-09-01 10:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-08-27 08:28 . 2008-08-27 08:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\mIRC
2008-08-25 19:29 . 2008-06-24 13:45 1,414,440 --a------ C:\WINDOWS\system32\ShellManager310E2D762.dll
2008-08-25 19:29 . 2008-06-23 17:36 773,120 --a------ C:\WINDOWS\system32\NEROINSTAEC43759.DB
2008-08-25 19:24 . 2008-08-25 19:24 0 --a------ C:\WINDOWS\Irremote.ini
2008-08-25 18:53 . 2008-08-26 10:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Any Video Converter
2008-08-25 08:06 . 2008-08-25 08:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Nero
2008-08-25 07:56 . 2008-08-25 19:30 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-08-25 07:56 . 2008-08-25 19:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-08-24 20:18 . 2008-08-24 20:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-08-24 19:34 . 2008-08-24 19:34 <DIR> d-------- C:\Program Files\GoBit Games
2008-08-24 18:24 . 2008-08-24 18:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GoBit Games
2008-08-24 06:33 . 2008-08-24 06:33 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-18 13:58 . 2008-08-18 13:58 <DIR> d--h----- C:\WINDOWS\PIF
2008-08-17 15:54 . 2008-08-17 15:54 <DIR> d-------- C:\MPS
2008-08-16 23:34 . 2008-08-16 23:34 <DIR> d-------- C:\Program Files\Disney
2008-08-14 14:29 . 2008-05-01 09:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 14:28 . 2008-04-11 14:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-12 21:11 . 2008-08-12 21:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-12 20:54 . 2008-08-12 20:54 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-08-12 20:28 . 2008-08-12 20:31 <DIR> d-------- C:\Program Files\MagicISO
2008-08-12 20:13 . 2008-07-29 16:20 32,768 --a------ C:\Program Files\bcd_installed.exe
2008-08-10 13:30 . 2008-08-10 13:30 29 --a------ C:\WINDOWS\CDMKR32.INI
2008-08-09 17:19 . 2008-08-10 13:58 70,656 --a------ C:\WINDOWS\ScUnin.exe
2008-08-09 17:19 . 2008-08-10 13:58 25,931 --a------ C:\WINDOWS\scunin.dat
2008-08-09 17:19 . 2008-08-10 13:58 967 --a------ C:\WINDOWS\ScUnin.pif
2008-08-09 01:08 . 2008-08-09 01:08 38 --a------ C:\WINDOWS\AviSplitter.INI
2008-08-09 00:30 . 2008-08-09 00:30 <DIR> d-------- C:\Documents and Settings\Guest
2008-08-08 13:31 . 2008-08-09 14:02 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-08 13:30 . 2008-08-08 13:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Pogo Games
2008-08-07 00:31 . 2008-08-07 00:31 <DIR> d-------- C:\Program Files\QuickTime
2008-08-06 21:08 . 2008-08-28 19:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Move Networks
2008-08-06 01:22 . 2008-08-06 01:22 <DIR> d-------- C:\WINDOWS\RebirthRO FULL CLIENT
2008-08-05 12:13 . 2008-08-05 12:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\gtk-2.0
2008-08-05 03:10 . 2000-12-06 01:00 109,248 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-08-05 03:10 . 2005-07-20 08:26 86,016 --a------ C:\WINDOWS\system32\Scalebar.ocx
2008-08-04 01:45 . 2008-08-04 01:45 <DIR> d-------- C:\Program Files\Real
2008-08-04 01:45 . 2008-08-04 01:45 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-08-04 01:45 . 2008-08-04 01:45 <DIR> d-------- C:\Program Files\Common Files\Real
2008-08-03 22:46 . 2008-08-08 20:40 <DIR> d-------- C:\Documents and Settings\Administrator\.zenmap

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-02 10:09 --------- d-----w C:\Program Files\uTorrent
2008-09-02 10:01 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-09-02 10:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-09-02 08:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-01 15:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-26 00:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-25 22:44 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-24 03:10 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Hamachi
2008-08-19 18:44 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-13 01:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-13 01:46 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-08-13 01:46 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-08-13 01:46 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-08-13 01:46 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-08-13 01:46 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-08-13 01:46 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-08-10 23:06 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-08-01 13:57 --------- d-----w C:\Program Files\Toshiba
2008-07-31 19:44 --------- d-----w C:\Documents and Settings\Administrator\Application Data\VMware
2008-07-31 19:08 --------- d-----w C:\Program Files\Common Files\VMware
2008-07-31 09:49 --------- d-----w C:\Program Files\MSXML 4.0
2008-07-30 12:33 --------- d-----w C:\Program Files\videoview
2008-07-30 12:27 --------- d-----w C:\Program Files\msxml4setup
2008-07-28 02:33 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Viewpoint
2008-07-28 01:58 --------- d-----w C:\Documents and Settings\Administrator\Application Data\FarStone
2008-07-28 01:50 81,920 ------w C:\WINDOWS\system32\Dversion.dll
2008-07-28 01:50 5,120 ------w C:\WINDOWS\system32\Fsinst16.DLL
2008-07-28 01:50 45,056 ------w C:\WINDOWS\system32\Fsinst32.dll
2008-07-28 01:50 114,688 ------w C:\WINDOWS\system32\DVC.dll
2008-07-27 20:23 --------- d-----w C:\Program Files\Sierra On-Line
2008-07-27 18:03 --------- d-----w C:\Program Files\directx
2008-07-26 13:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\acccore
2008-07-26 13:49 --------- d-----w C:\Program Files\AIM6
2008-07-26 13:43 --------- d-----w C:\Program Files\Viewpoint
2008-07-26 13:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-26 13:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\acccore
2008-07-26 13:42 --------- d-----w C:\Program Files\Common Files\AOL
2008-07-26 13:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-07-26 13:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-07-26 04:38 --------- d-----w C:\Program Files\XP Codec Pack
2008-07-24 18:21 --------- d-----w C:\Program Files\SMV
2008-07-24 06:20 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-23 23:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-23 22:52 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-07-23 22:00 --------- d-----w C:\Program Files\Microsoft.NET
2008-07-23 21:58 --------- d-----w C:\Program Files\MSXML 6.0
2008-07-23 20:31 --------- d-----w C:\Program Files\Microsoft Synchronization Services
2008-07-23 20:31 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-07-23 20:23 --------- d-----w C:\Program Files\Microsoft SDKs
2008-07-23 04:09 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Runaware
2008-07-23 04:09 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ICAClient
2008-07-22 17:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-07-22 08:09 --------- d-----w C:\Program Files\DVD Shrink
2008-07-22 08:09 --------- d-----w C:\Program Files\DVD Decrypter
2008-07-22 07:45 --------- d-----w C:\Program Files\illiminable
2008-07-22 07:38 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Media Player Classic
2008-07-22 07:08 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-07-22 07:07 --------- d-----w C:\Program Files\AVSMedia
2008-07-22 04:50 --------- d-----w C:\Program Files\Combined Community Codec Pack
2008-07-22 04:34 --------- d-----w C:\Program Files\DVD Converter
2008-07-21 15:08 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-21 05:04 --------- d-----w C:\Program Files\Symantec Client Security
2008-07-21 05:04 --------- d-----w C:\Program Files\Symantec
2008-07-21 05:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-21 05:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-21 05:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-07-20 22:25 --------- d-----w C:\Program Files\iolo
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 03:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 03:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-18 21:34 25,280 ------w C:\WINDOWS\system32\drivers\hamachi.sys
2008-07-18 21:34 --------- d-----w C:\Program Files\Hamachi
2008-07-18 04:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2008-07-18 04:29 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Creative
2008-07-18 04:14 --------- d-----w C:\Program Files\DivX
2008-07-17 00:48 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-07-16 09:58 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-14 20:29 --------- d-----w C:\Program Files\MSBuild
2008-07-14 20:27 --------- d-----w C:\Program Files\Reference Assemblies
2008-07-14 19:19 --------- d-----w C:\Program Files\Java
2008-07-14 19:18 --------- d-----w C:\Program Files\Common Files\Java
2008-07-14 19:05 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-07-14 19:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-07-14 01:54 --------- d-----w C:\Documents and Settings\Snow\Application Data\Logitech
2008-07-14 00:59 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Logitech
2008-07-14 00:58 0 ---h--w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-07-14 00:58 0 ---h--w C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-07-14 00:58 --------- d-----w C:\Program Files\Common Files\Logitech
2008-07-14 00:57 --------- d-----w C:\Program Files\Logitech
2008-07-14 00:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-07-14 00:55 --------- d-----w C:\Program Files\NewTech Infosystems
2008-07-14 00:55 --------- d-----w C:\Program Files\Common Files\NewTech Infosystems
2008-07-14 00:55 --------- d-----w C:\Program Files\Common Files\muvee Technologies
.

((((((((((((((((((((((((((((( snapshot@2008-09-02_ 4.18.18.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-21 05:05:18 21,446 ------r C:\WINDOWS\Installer\{C20729A4-C8C2-4DE3-94BE-5E3A2E9EFB63}\ARPPRODUCTICON.exe
+ 2008-09-02 10:10:14 21,446 ----a-r C:\WINDOWS\Installer\{C20729A4-C8C2-4DE3-94BE-5E3A2E9EFB63}\ARPPRODUCTICON.exe
- 2008-07-21 05:05:18 40,960 ------r C:\WINDOWS\Installer\{C20729A4-C8C2-4DE3-94BE-5E3A2E9EFB63}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-09-02 10:10:14 40,960 ----a-r C:\WINDOWS\Installer\{C20729A4-C8C2-4DE3-94BE-5E3A2E9EFB63}\DTIcon.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
- 2008-07-21 05:05:18 40,960 ------r C:\WINDOWS\Installer\{C20729A4-C8C2-4DE3-94BE-5E3A2E9EFB63}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
+ 2008-09-02 10:10:14 40,960 ----a-r C:\WINDOWS\Installer\{C20729A4-C8C2-4DE3-94BE-5E3A2E9EFB63}\NewShortcut1.ECFEE69D_DA66_4F00_ABE5_54E931059C01.exe
- 2008-07-21 05:05:18 22,798 ------r C:\WINDOWS\Installer\{C20729A4-C8C2-4DE3-94BE-5E3A2E9EFB63}\NMain_ShortCut.89FDBB04_BBE6_4132_8FF3_4BCCFB649A89.exe
+ 2008-09-02 10:10:13 22,798 ----a-r C:\WINDOWS\Installer\{C20729A4-C8C2-4DE3-94BE-5E3A2E9EFB63}\NMain_ShortCut.89FDBB04_BBE6_4132_8FF3_4BCCFB649A89.exe
- 2008-07-21 05:05:18 22,798 ------r C:\WINDOWS\Installer\{C20729A4-C8C2-4DE3-94BE-5E3A2E9EFB63}\SCFDesktopIcon.89FDBB04_BBE6_4132_8FF3_4BCCFB649A89.exe
+ 2008-09-02 10:10:14 22,798 ----a-r C:\WINDOWS\Installer\{C20729A4-C8C2-4DE3-94BE-5E3A2E9EFB63}\SCFDesktopIcon.89FDBB04_BBE6_4132_8FF3_4BCCFB649A89.exe
- 2008-08-13 02:09:34 91,080 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-09-02 10:05:14 91,080 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-13 02:09:34 493,022 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-09-02 10:05:14 493,022 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-09-02 10:01:19 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_810.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="C:\WINDOWS\RaidTool\xInsIDE.exe" [2007-03-20 01:36 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\xRaidSetup.exe" [2007-05-25 01:07 1953792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 14:01 13529088]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 17:14 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [2006-06-15 01:40 124656]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 14:01 86016]
"GameDrive"="D:\FarStone\GameDrive\GDTask.exe" [2003-09-25 19:34 98304]
"VMware hqtray"="D:\VMware\VMware Player\hqtray.exe" [2008-05-16 00:47 55856]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-08-04 01:45 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-08-07 00:31 413696]
"Adobe Photo Downloader"="D:\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 00:43 67488]
"OODefragTray"="C:\WINDOWS\system32\oodtray.exe" [2007-05-11 02:08 2512392]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-20 02:38 16384512 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-05-16 14:01 1630208 C:\WINDOWS\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2006-12-12 10:46 19456 C:\WINDOWS\system32\CtHelper.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-12-12 10:46 20480 C:\WINDOWS\system32\Ctxfihlp.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 15:44 101136 C:\WINDOWS\KHALMNPR.Exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 19:12 110592 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 11:11:42 49152]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-07-13 19:58:15 688128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--------- 2008-06-10 04:27 144784 C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SQLWriter"=2 (0x2)
"Schedule"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasAuto"=3 (0x3)
"MSSQL$SQLEXPRESS"=2 (0x2)
"idsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"mW[íµˆÖ¾`=µú¾˜v%S8’ÿÙêé>grl>*Ý\†Ð=ŸàÛ±Þ"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\program files\\bcd_installed.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;D:\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 00:45]
R2 npf;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2008-06-01 02:13]
R2 StkASSrv;Syntek STK1160 Service;C:\WINDOWS\System32\StkASv2K.exe [2006-05-23 23:49]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 16:38]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-12-19 08:36]
S2 RPCH;Remote Procedure Call (HPM);C:\Program Files\NetMeeting\Intell.exe [2008-08-10 18:06]
S3 PORTMON;PORTMON;G:\Download\SysinternalsSuite\PORTMSYS.SYS []
S3 StkAMini;Syntek STK1160;C:\WINDOWS\system32\Drivers\StkAMini.sys [2006-06-27 18:28]
S3 StkAScan;Syntek STK1160 Filter Driver;C:\WINDOWS\system32\Drivers\StkAScan.sys [2006-06-27 18:27]
S3 V0080Dev;Creative Camera VF0080 Driver;C:\WINDOWS\system32\DRIVERS\V0080Dev.sys [2004-08-10 03:25]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fungctbh.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - C:\Program Files\GoBit Games\BrowserPlugin\npgobitgamesplugin.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
FF -: plugin - D:\Mozilla Firefox\plugins\npgobitgamesplugin.dll
FF -: plugin - D:\Mozilla Firefox\plugins\npnul32.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-02 05:25:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-02 5:27:01
ComboFix-quarantined-files.txt 2008-09-02 10:26:42
ComboFix2.txt 2008-09-02 09:18:59

Pre-Run: 178,394,390,528 bytes free
Post-Run: 178,376,568,832 bytes free

275 --- E O F --- 2008-08-27 20:21:42