Virtumonde (really good at what it does, unfortunately)
I've had Virtumonde pop up, get removed and pop up in Spybot for a while now, and it's getting pretty annoying. Some websites don't work in Firefox and I'm guessing Virtumonde is why.
This is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:35 PM, on 8/10/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Downloads\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: {76de0b89-55b6-c1a8-a6b4-1fba68127322} - {22372186-abf1-4b6a-8a1c-6b5598b0ed67} - C:\Windows\system32\vfreru.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53D95944-875C-4E69-B3D2-81E4C437DDB7} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AFD9AC03-DB8A-4133-9A57-E832536DD23C} - (no file)
O2 - BHO: (no name) - {C6541446-A7AA-AD50-8B7F-83ADDBCD749C} - (no file)
O2 - BHO: (no name) - {C6541447-A7AB-DC20-8B0D-8AADDEBD7495} - (no file)
O2 - BHO: (no name) - {D7429005-4843-46F7-AA3F-11FC41BF493A} - C:\Users\Nick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FLL1DA32\3077ahntdksr[1].dll (file missing)
O2 - BHO: (no name) - {DDBEAB06-91A9-4182-A42C-3C8D71A0E9EE} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Firewall] C:\WINDOWS\System32\drivers\svchost.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Users\Nick\AppData\Local\Temp\IXP001.TMP\AnyDVD.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BM9ba55d3d] Rundll32.exe "C:\Windows\system32\vomyxpdb.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA32] command /c del "C:\Windows\System32\jproxstp.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5396] cmd /c del "C:\Windows\System32\jproxstp.dll_old"
O4 - HKCU\..\Run: [Windows Firewall] C:\WINDOWS\System32\drivers\svchost.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB5252] command /c del "C:\Windows\System32\jproxstp.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7480] cmd /c del "C:\Windows\System32\jproxstp.dll_old"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~4.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~4.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\Windows\system32\__c00BEFBC.dat
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
--
End of file - 6926 bytes
Any help would be greatly appreciated.
Hi
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please continue as follows:
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix; see this link (http://www.bleepingcomputer.com/forums/topic114351.html).
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New HijackThis log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Thank you very much for replying. Here is my ComboFix log:
ComboFix 08-10-08.02 - Nick 2008-10-09 21:09:58.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.835 [GMT 11:00]
Running from: C:\Users\Nick\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\outlook
C:\Program Files\ppatch~1
C:\temp\17o7
C:\temp\17o7\tmpTF.log
C:\temp\tn3
C:\Users\Nick\AppData\Roaming\inst.exe
C:\Windows\crosof~1
C:\Windows\sstem~1
C:\Windows\system32\__c0018A64.dat
C:\Windows\system32\__c00242DC.dat
C:\Windows\system32\__c0045900.dat
C:\Windows\system32\__c0047324.dat
C:\Windows\system32\__c004955A.dat
C:\Windows\system32\__c004C821.dat
C:\Windows\system32\__c0050038.dat
C:\Windows\system32\__c0062E4.dat
C:\Windows\system32\__c0067BBD.dat
C:\Windows\system32\__c006D672.dat
C:\Windows\system32\__c007F4BD.dat
C:\Windows\system32\__c0090579.dat
C:\Windows\system32\__c0091B92.dat
C:\Windows\system32\__c009554C.dat
C:\Windows\system32\__c009707A.dat
C:\Windows\system32\__c00A2504.dat
C:\Windows\system32\__c00B1634.dat
C:\Windows\system32\__c00B2DA.dat
C:\Windows\system32\__c00BD62A.dat
C:\Windows\system32\__c00BEFBC.dat
C:\Windows\system32\__c00CBA6A.dat
C:\Windows\system32\__c00CFDC8.dat
C:\Windows\system32\__c00D5B8E.dat
C:\Windows\system32\__c00E2889.dat
C:\Windows\system32\__c00F08CC.dat
C:\Windows\system32\__c00F431A.dat
C:\Windows\system32\__c00FB25C.dat
C:\Windows\system32\__c00FE190.dat
C:\Windows\System32\AcLTtBeg.ini
C:\Windows\System32\AcLTtBeg.ini2
C:\Windows\system32\bIlVCJlm.ini
C:\Windows\System32\bIlVCJlm.ini2
C:\Windows\system32\bkxmcgcu.ini
C:\Windows\system32\bublgolb.ini
C:\Windows\system32\cbirmlrr.dll
C:\Windows\System32\cIOVFfhk.ini
C:\Windows\System32\cIOVFfhk.ini2
C:\Windows\system32\dcyynror.dll
C:\Windows\system32\dfhiytlp.dll
C:\Windows\system32\enkmvkkk.ini
C:\Windows\system32\eqgwgbfk.dll
C:\Windows\system32\fPYFefii.ini
C:\Windows\System32\fPYFefii.ini2
C:\Windows\system32\gurnwxlx.ini
C:\Windows\system32\hqoyjhwl.ini
C:\Windows\system32\hscvitfy.dll
C:\Windows\system32\hsxmimpa.ini
C:\Windows\system32\iwvjbtfx.ini
C:\Windows\system32\jqvhrwqs.dll
C:\Windows\system32\kghxtmvs.ini
C:\Windows\system32\kmoqYcdd.ini
C:\Windows\System32\kmoqYcdd.ini2
C:\Windows\system32\kogpiqxg.dll
C:\Windows\system32\konvjtjk.dll
C:\Windows\System32\kUFPWaKj.ini
C:\Windows\System32\kUFPWaKj.ini2
C:\Windows\system32\lpbfqxfn.dll
C:\Windows\system32\lUFfOUtv.ini
C:\Windows\System32\lUFfOUtv.ini2
C:\Windows\system32\lugnymfj.dll
C:\Windows\system32\mcrh.tmp
C:\Windows\system32\mmldnlqq.ini
C:\Windows\System32\Mmpponpo.ini
C:\Windows\System32\Mmpponpo.ini2
C:\Windows\system32\mnimmaey.dll
C:\Windows\system32\MSINET.oca
C:\Windows\system32\mywrahtq.dll
C:\Windows\system32\nkkeublj.dll
C:\Windows\system32\ntrjhfvb.ini
C:\Windows\system32\phobwque.dll
C:\Windows\system32\pidhnjsa.ini
C:\Windows\system32\pylvqsco.dll
C:\Windows\System32\qcxyehos.ini
C:\Windows\system32\qmhlutvs.dll
C:\Windows\system32\qpevmxox.ini
C:\Windows\system32\rexrcplb.ini
C:\Windows\system32\smpi1
C:\Windows\system32\smpi1\lb13.exe
C:\Windows\system32\solqgidq.ini
C:\Windows\system32\sxursrqn.dll
C:\Windows\system32\tbkqndim.ini
C:\Windows\system32\tpexisuj.ini
C:\Windows\system32\trfgfjwu.dll
C:\Windows\System32\ttDMWaJl.ini
C:\Windows\System32\ttDMWaJl.ini2
C:\Windows\system32\uifcodrx.dll
C:\Windows\system32\unhgiipi.ini
C:\Windows\system32\uoryjkwr.dll
C:\Windows\system32\usmxlpfe.dll
C:\Windows\system32\uuyvcncw.dll
C:\Windows\system32\uxnnbotm.dll
C:\Windows\system32\viwhqdlq.ini
C:\Windows\system32\vkaqgmti.ini
C:\Windows\system32\vkclpvxy.dll
C:\Windows\system32\vkppsmnj.dll
C:\Windows\system32\vvpfoerj.dll
C:\Windows\system32\WHNXGMoq.ini
C:\Windows\System32\WHNXGMoq.ini2
C:\Windows\system32\winsvcup.exe
C:\Windows\system32\winupsvc.exe
C:\Windows\system32\wkbuinrw.dll
C:\Windows\system32\wnsapisv32.exe
C:\Windows\system32\wsqoobkt.dll
C:\Windows\System32\xbaGNqru.ini
C:\Windows\System32\xbaGNqru.ini2
C:\Windows\system32\xcwlacpg.ini
C:\Windows\system32\xhebbdhh.dll
C:\Windows\system32\xyFiPXbc.ini
C:\Windows\System32\xyFiPXbc.ini2
C:\Windows\system32\yhcgkkpv.ini
C:\Windows\System32\ywcjbfyb.ini
C:\Windows\wr.txt
C:\Windows\ystem3~1
C:\Windows\ystem3~1\?ystem32\
C:\Windows\ystem3~1\l3codecp.acm.reg
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CORE
-------\Service_NPF
((((((((((((((((((((((((( Files Created from 2008-09-09 to 2008-10-09 )))))))))))))))))))))))))))))))
.
2008-10-08 22:34 . 2008-10-08 22:34 <DIR> d-------- C:\Users\Nick\AppData\Roaming\Malwarebytes
2008-10-08 22:34 . 2008-10-08 22:34 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-10-08 22:34 . 2008-10-08 22:34 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-10-06 16:40 . 2008-10-06 16:41 <DIR> d-------- C:\Users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-06 16:40 . 2008-10-06 16:41 <DIR> d-------- C:\ProgramData\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-06 16:40 . 2008-10-06 16:40 <DIR> d-------- C:\Program Files\iPod
2008-10-06 16:37 . 2008-10-06 16:37 <DIR> d-------- C:\Program Files\Bonjour
2008-10-01 13:01 . 2008-10-01 13:01 32,000 --a------ C:\Windows\System32\drivers\usbaapl.sys
2008-09-16 22:22 . 2008-09-16 22:22 <DIR> d-------- C:\Users\All Users\vsosdk
2008-09-16 22:22 . 2008-09-16 22:22 <DIR> d-------- C:\ProgramData\vsosdk
2008-09-16 21:11 . 2004-05-04 13:53 1,645,320 --a------ C:\Windows\gdiplus.dll
2008-09-16 21:11 . 2006-05-20 18:16 1,184,984 --a------ C:\Windows\System32\wvc1dmod.dll
2008-09-16 21:11 . 2006-05-11 21:21 626,688 --a------ C:\Windows\System32\vp7vfw.dll
2008-09-16 21:11 . 2006-09-29 14:24 217,127 --a------ C:\Windows\System32\drv43260.dll
2008-09-16 21:11 . 2006-09-29 14:25 208,935 --a------ C:\Windows\System32\drv33260.dll
2008-09-16 21:11 . 2006-09-29 14:26 176,165 --a------ C:\Windows\System32\drv23260.dll
2008-09-16 21:11 . 2007-03-18 22:37 65,602 --a------ C:\Windows\System32\cook3260.dll
2008-09-15 17:06 . 2008-09-15 17:06 <DIR> d----c--- C:\Windows\System32\DRVSTORE
2008-09-15 17:06 . 2008-04-17 14:12 107,368 --a------ C:\Windows\System32\GEARAspi.dll
2008-09-15 17:06 . 2008-04-17 14:12 15,464 --a------ C:\Windows\System32\drivers\GEARAspiWDM.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-09 05:52 --------- d-----w C:\Users\Nick\AppData\Roaming\uTorrent
2008-10-06 05:41 --------- d-----w C:\Program Files\iTunes
2008-10-01 04:33 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-10-01 04:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-21 10:39 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-09-20 06:41 --------- d-----w C:\Users\Nick\AppData\Roaming\Vso
2008-09-16 10:11 47,360 ----a-w C:\Users\Nick\AppData\Roaming\pcouffin.sys
2008-09-16 10:11 --------- d-----w C:\Program Files\vso
2008-09-15 06:03 --------- d-----w C:\Program Files\Common Files\Apple
2008-08-09 15:19 --------- d-----w C:\Program Files\Apple Software Update
2008-06-27 07:28 81,920 ----a-w C:\Users\Nick\AppData\Roaming\ezpinst.exe
2007-12-08 13:32 94,208 ----a-w C:\Users\Nick\AppData\Roaming\ezplay.sys
2007-08-30 05:16 174 --sha-w C:\Program Files\desktop.ini
2007-04-14 07:31 92,064 ----a-w C:\Users\Nick\mqdmmdm.sys
2007-04-14 07:31 9,232 ----a-w C:\Users\Nick\mqdmmdfl.sys
2007-04-14 07:31 79,328 ----a-w C:\Users\Nick\mqdmserd.sys
2007-04-14 07:31 66,656 ----a-w C:\Users\Nick\mqdmbus.sys
2007-04-14 07:31 6,208 ----a-w C:\Users\Nick\mqdmcmnt.sys
2007-04-14 07:31 5,936 ----a-w C:\Users\Nick\mqdmwhnt.sys
2007-04-14 07:31 4,048 ----a-w C:\Users\Nick\mqdmcr.sys
2007-04-14 07:31 25,600 ----a-w C:\Users\Nick\usbsermptxp.sys
2007-04-14 07:31 22,768 ----a-w C:\Users\Nick\usbsermpt.sys
2005-07-14 18:31 27,648 --sha-w C:\Windows\System32\AVSredirect.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22372186-abf1-4b6a-8a1c-6b5598b0ed67}]
2008-08-02 22:14 100864 --a------ C:\Windows\system32\vfreru.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 125440]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WG311v3 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe [2007-03-05 1679360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"msacm.avis"= ff_acm.acm
"msacm.l3codec"= l3codecp.acm
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\98966ea1
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ElbyCheckAnyDVD]
--a------ 2003-09-21 06:23 45056 C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2007-04-14 17:58 1006264 C:\Program Files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2007-03-09 16:28 598016 C:\Windows\SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\VistaCodecPack\QT\QTTask.exe" -atboottime
"BM9ba55d3d"=Rundll32.exe "C:\Windows\system32\vomyxpdb.dll",s
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1052434851-299915347-3349539854-1000]
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{4C0F27BB-50CE-4F52-AD92-21D58A4AE0CD}D:\\documents and settings\\nick\\my documents\\emule 0.47c\\emule\\emule.exe"= UDP:D:\documents and settings\nick\my documents\emule 0.47c\emule\emule.exe:emule.exe
"UDP Query User{48215559-E15E-4557-8072-67ACBAF1FF5A}D:\\documents and settings\\nick\\my documents\\emule 0.47c\\emule\\emule.exe"= TCP:D:\documents and settings\nick\my documents\emule 0.47c\emule\emule.exe:emule.exe
"{AD3F5236-4297-4CD7-A2F3-6B94A89A433A}"= UDP:20000:Azureus
"{158B4864-6697-4BC2-8626-C5C1B30A53E8}"= UDP:49153:eMule
"TCP Query User{6987462A-53D1-4712-BB97-FFDAA6054315}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{9C9B8DDD-2170-4F16-AEF3-FAC43B54DCD7}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"TCP Query User{91BD0115-FD85-48A9-A479-45C4257C5DC0}C:\\users\\nick\\downloads\\emule\\emule.exe"= UDP:C:\users\nick\downloads\emule\emule.exe:emule.exe
"UDP Query User{9F05F994-A4A4-4752-8CAC-A3B0213E569E}C:\\users\\nick\\downloads\\emule\\emule.exe"= TCP:C:\users\nick\downloads\emule\emule.exe:emule.exe
"{ED3C46DB-0912-4784-BF25-E85780C8C344}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{53D5F793-54CE-4162-B6FE-B114FB1D9746}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{4B6D07A5-9E22-4251-997D-C9BAB4260D07}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{341E109C-69E3-4A3C-86F0-EA6275933650}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{0BE2F358-F8CF-4E63-9571-55E182E84436}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{91851A14-DEB5-4B76-81CB-4667FBBF8933}C:\\users\\nick\\downloads\\emule\\emule.exe"= UDP:C:\users\nick\downloads\emule\emule.exe:emule.exe
"UDP Query User{9449A783-9990-42BB-B1B2-570F8931159E}C:\\users\\nick\\downloads\\emule\\emule.exe"= TCP:C:\users\nick\downloads\emule\emule.exe:emule.exe
"TCP Query User{4CF11367-13E8-4F45-B38D-87EEF5682A0F}C:\\program files\\soulseek\\slsk.exe"= UDP:C:\program files\soulseek\slsk.exe:SoulSeek
"UDP Query User{55A9DF72-6C99-4E0F-A260-08CBD074C415}C:\\program files\\soulseek\\slsk.exe"= TCP:C:\program files\soulseek\slsk.exe:SoulSeek
"TCP Query User{C896ABEB-3EBB-4101-98A3-A6737CE94307}C:\\program files\\last.fm\\lastfm.exe"= UDP:C:\program files\last.fm\lastfm.exe:LastFM
"UDP Query User{EB08CD6B-C719-4658-9984-EED66D70A0EB}C:\\program files\\last.fm\\lastfm.exe"= TCP:C:\program files\last.fm\lastfm.exe:LastFM
"{C3C28169-90EE-4E5F-8B96-1E17BA6DBCA7}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{1766DAA5-EE0B-474C-A981-2FEE637A2278}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{4D193383-B579-49D7-9F08-E6B5B71AC0AA}C:\\games\\dawn of war - dark crusade\\darkcrusade.exe"= UDP:C:\games\dawn of war - dark crusade\darkcrusade.exe:DarkCrusade
"UDP Query User{E069893E-254D-4970-8ACD-47A381A6488C}C:\\games\\dawn of war - dark crusade\\darkcrusade.exe"= TCP:C:\games\dawn of war - dark crusade\darkcrusade.exe:DarkCrusade
"TCP Query User{822E89EF-76D6-4C11-AC89-D476638F5CB4}C:\\games\\defcon\\defcon.exe"= UDP:C:\games\defcon\defcon.exe:Defcon
"UDP Query User{1CBBA71C-8D69-432E-8F25-0ED2454095B0}C:\\games\\defcon\\defcon.exe"= TCP:C:\games\defcon\defcon.exe:Defcon
"{BB76D20C-6B73-4361-9D6E-378E564E2B0B}"= UDP:20000:Azureus
"TCP Query User{52EB8EC5-327B-4527-9D1B-65303596C79D}C:\\program files\\last.fm\\lastfm.exe"= UDP:C:\program files\last.fm\lastfm.exe:LastFM
"UDP Query User{893C22E8-1D62-4A13-B60E-C77E78DA0274}C:\\program files\\last.fm\\lastfm.exe"= TCP:C:\program files\last.fm\lastfm.exe:LastFM
"TCP Query User{487F3FB3-C197-4554-ADF4-B5C02E4C854C}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{95F05314-3358-4FDD-95C5-071C4F499A29}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"TCP Query User{AC60D730-00AF-4BB0-92B7-CA80643CD0E4}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{57BE91A1-5465-4E56-A5FD-A1A1A85E3601}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule
"TCP Query User{6CCF4F81-653A-4064-A35C-081963EED0FA}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{C8A93D87-3B25-4631-B66E-287B40B7831A}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule
"TCP Query User{A6F4ABAC-089C-41EF-BD24-C6C2E5A50AC5}C:\\games\\dawn of war - dark crusade\\darkcrusade.exe"= UDP:C:\games\dawn of war - dark crusade\darkcrusade.exe:DarkCrusade
"UDP Query User{E33F6CA8-00B6-4D8B-80AE-5FA0D400AC7E}C:\\games\\dawn of war - dark crusade\\darkcrusade.exe"= TCP:C:\games\dawn of war - dark crusade\darkcrusade.exe:DarkCrusade
"TCP Query User{F6C499C1-4E99-4416-BAEB-F1E84A6331F3}C:\\games\\aoe2\\age2_x1\\age2_x1.exe"= UDP:C:\games\aoe2\age2_x1\age2_x1.exe:Age of Empires II Expansion
"UDP Query User{EA4092B5-1AC9-4016-A49A-9B230202B826}C:\\games\\aoe2\\age2_x1\\age2_x1.exe"= TCP:C:\games\aoe2\age2_x1\age2_x1.exe:Age of Empires II Expansion
"TCP Query User{B3ABCB35-3912-4E7E-BE7E-769168B2D85F}C:\\game isos etc\\half-life (steam-free) (hd pack) - counter-strike 1.6 - opposing force - blue shift - team fortress classic\\half-life\\hl.exe"= UDP:C:\game isos etc\half-life (steam-free) (hd pack) - counter-strike 1.6 - opposing force - blue shift - team fortress classic\half-life\hl.exe:Half-Life Launcher
"UDP Query User{960A9120-214A-4D62-88BD-E294F1BDF15A}C:\\game isos etc\\half-life (steam-free) (hd pack) - counter-strike 1.6 - opposing force - blue shift - team fortress classic\\half-life\\hl.exe"= TCP:C:\game isos etc\half-life (steam-free) (hd pack) - counter-strike 1.6 - opposing force - blue shift - team fortress classic\half-life\hl.exe:Half-Life Launcher
"TCP Query User{8C41D67A-DCB4-4466-9A3F-39A65F18033D}C:\\games\\half-life\\hl.exe"= UDP:C:\games\half-life\hl.exe:Half-Life Launcher
"UDP Query User{13F0D3DB-3084-4794-9C6E-7ACFE52EE53D}C:\\games\\half-life\\hl.exe"= TCP:C:\games\half-life\hl.exe:Half-Life Launcher
"TCP Query User{7BFD0C23-6E14-431B-BB5B-1B76182D5F35}C:\\program files\\sierra on-line\\sigspat.exe"= UDP:C:\program files\sierra on-line\sigspat.exe:SIGSPat
"UDP Query User{D9FA24DA-93E0-4BE3-8BE0-9BA172FEFCBF}C:\\program files\\sierra on-line\\sigspat.exe"= TCP:C:\program files\sierra on-line\sigspat.exe:SIGSPat
"TCP Query User{D39D1BC5-BE51-4311-9892-AAD49BDD6069}C:\\games\\steam\\steamapps\\psnr24\\ricochet\\hl.exe"= UDP:C:\games\steam\steamapps\psnr24\ricochet\hl.exe:Half-Life Launcher
"UDP Query User{5CF43A1D-8655-44D8-9094-5B96F3F970A3}C:\\games\\steam\\steamapps\\psnr24\\ricochet\\hl.exe"= TCP:C:\games\steam\steamapps\psnr24\ricochet\hl.exe:Half-Life Launcher
"TCP Query User{14D437EB-E5B7-41AD-9734-4D428DA3A73A}C:\\games\\steam\\steamapps\\psnr24\\half-life 2 deathmatch\\hl2.exe"= UDP:C:\games\steam\steamapps\psnr24\half-life 2 deathmatch\hl2.exe:hl2
"UDP Query User{C5966FFA-98B8-4F4E-B434-6A7E002BCA1B}C:\\games\\steam\\steamapps\\psnr24\\half-life 2 deathmatch\\hl2.exe"= TCP:C:\games\steam\steamapps\psnr24\half-life 2 deathmatch\hl2.exe:hl2
"{9ADD01BF-567D-4070-8FF4-F0A032A0277E}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{9B48427E-7441-41D3-A9E7-1559CC7A09C5}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{1C89940E-146B-40D9-BDCC-B97A7C1EF8CC}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{C18BBA83-6BB7-40E5-BA3A-99344E12AAAC}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{D6DB1519-BAC9-4232-A69F-A63D87824DEB}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{2B3100E5-A30E-4CC8-99B1-3CF00176781D}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{58BD5D58-7503-490D-A81E-D4A4FBB3FFE6}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{4A848465-F2DA-4587-88A0-D5F78C040A0D}C:\\games\\dawn of war - soulstorm\\soulstorm.exe"= UDP:C:\games\dawn of war - soulstorm\soulstorm.exe:Soulstorm
"UDP Query User{4CDB1658-9AAB-43E1-A6B2-9C9DDCABE0AF}C:\\games\\dawn of war - soulstorm\\soulstorm.exe"= TCP:C:\games\dawn of war - soulstorm\soulstorm.exe:Soulstorm
"{A0E880D9-2627-4100-8E1F-361F6D8823DF}"= UDP:C:\Program Files\FrostWire\FrostWire.exe:LimeWire
"{3072C789-408F-41FE-A8B6-7FB6AC48FAF5}"= TCP:C:\Program Files\FrostWire\FrostWire.exe:LimeWire
"TCP Query User{C0B6385C-AEAC-40A6-A5C9-3B222F7BE7C0}C:\\users\\nick\\documents\\myspacemp3gopher\\myspacemp3gopher.exe"= UDP:C:\users\nick\documents\myspacemp3gopher\myspacemp3gopher.exe:myspacemp3gopher.exe
"UDP Query User{A613765A-2C0F-4A94-B52C-A4D39136537D}C:\\users\\nick\\documents\\myspacemp3gopher\\myspacemp3gopher.exe"= TCP:C:\users\nick\documents\myspacemp3gopher\myspacemp3gopher.exe:myspacemp3gopher.exe
"{4F77764A-023C-4434-A503-E3D77A1C2E53}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{3D146FF6-F7B1-4EDE-A6F3-09D59D036327}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{D6429DC5-2F23-44AB-A76F-0F5124C2284F}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{74CBA0C8-0BED-49C2-B698-40B9EEA3F0E5}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{04190028-2F84-4D5A-971A-93F4E8605F1E}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{FDE12C84-CAAB-46AF-97C2-D556A94D4BBD}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-08-14 809296]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-11-02 3170304]
R3 MRV6X32P;Vista 32-bits Native WiFi Driver;C:\Windows\system32\DRIVERS\MRVW13B.sys [2007-05-03 256000]
S0 OemBiosDevice;Royalty OEM Bios Extension;C:\Windows\system32\drivers\royal.sys [2007-04-14 240128]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2007-09-16 87288]
S3 UMPass;Microsoft UMPass Driver;C:\Windows\system32\DRIVERS\umpass.sys [2006-11-02 7168]
.
- - - - ORPHANS REMOVED - - - -
BHO-{53D95944-875C-4E69-B3D2-81E4C437DDB7} - (no file)
BHO-{AFD9AC03-DB8A-4133-9A57-E832536DD23C} - (no file)
BHO-{C6541446-A7AA-AD50-8B7F-83ADDBCD749C} - (no file)
BHO-{C6541447-A7AB-DC20-8B0D-8AADDEBD7495} - (no file)
BHO-{D7429005-4843-46F7-AA3F-11FC41BF493A} - C:\Users\Nick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FLL1DA32\3077ahntdksr[1].dll
BHO-{DDBEAB06-91A9-4182-A42C-3C8D71A0E9EE} - (no file)
HKCU-Run-Windows Firewall - C:\WINDOWS\System32\drivers\svchost.exe
HKLM-Run-BM9ba55d3d - C:\Windows\system32\vomyxpdb.dll
MSConfigStartUp-BM9ba55d3d - C:\Windows\system32\vomyxpdb.dll
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\6hv2dbmh.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://news.bbc.co.uk/sport2/hi/football/default.stm
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\VistaCodecPack\QT\Plugins\npqtplugin.dll
FF -: plugin - C:\Program Files\VistaCodecPack\QT\Plugins\npqtplugin2.dll
FF -: plugin - C:\Program Files\VistaCodecPack\QT\Plugins\npqtplugin3.dll
FF -: plugin - C:\Program Files\VistaCodecPack\QT\Plugins\npqtplugin4.dll
FF -: plugin - C:\Program Files\VistaCodecPack\QT\Plugins\npqtplugin5.dll
FF -: plugin - C:\Program Files\VistaCodecPack\QT\Plugins\npqtplugin6.dll
FF -: plugin - C:\Program Files\VistaCodecPack\QT\Plugins\npqtplugin7.dll
FF -: plugin - C:\Program Files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF -: plugin - C:\Program Files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-09 21:17:37
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\Ati2evxx.exe
C:\Windows\System32\audiodg.exe
C:\Windows\System32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\System32\conime.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\microsoft shared\VS7DEBUG\mdm.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-10-09 21:25:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-09 10:25:01
Pre-Run: 45,733,044,224 bytes free
Post-Run: 45,460,533,248 bytes free
361 --- E O F --- 2008-05-21 03:19:39
Here is my new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:54 PM, on 9/10/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\conime.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Downloads\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: {76de0b89-55b6-c1a8-a6b4-1fba68127322} - {22372186-abf1-4b6a-8a1c-6b5598b0ed67} - C:\Windows\system32\vfreru.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~4.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~4.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
--
End of file - 5337 bytes
Hi
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
µTorrent
Emule
Azureus
Soulseek
Limewire
FrostWire
I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).
Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red). Remove MySpaceMp3Gopher too.
Delete these folders afterwards:
C:\Users\Nick\AppData\Roaming\uTorrent
C:\documents and settings\nick\my documents\emule 0.47c
C:\program files\azureus
C:\users\nick\downloads\emule
C:\program files\soulseek
C:\Program Files\LimeWire
C:\Program Files\uTorrent
C:\Program Files\FrostWire
C:\users\nick\documents\myspacemp3gopher
Empty Recycle Bin.
After that:
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Windows\system32\vfreru.dll
Folder::
C:\Users\Nick\AppData\Roaming\uTorrent
C:\documents and settings\nick\my documents\emule 0.47c
C:\program files\azureus
C:\users\nick\downloads\emule
C:\program files\soulseek
C:\Program Files\LimeWire
C:\Program Files\uTorrent
C:\Program Files\FrostWire
C:\users\nick\documents\myspacemp3gopher
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22372186-abf1-4b6a-8a1c-6b5598b0ed67}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BM9ba55d3d"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{4C0F27BB-50CE-4F52-AD92-21D58A4AE0CD}D:\\documents and settings\\nick\\my documents\\emule 0.47c\\emule\\emule.exe"=-
"UDP Query User{48215559-E15E-4557-8072-67ACBAF1FF5A}D:\\documents and settings\\nick\\my documents\\emule 0.47c\\emule\\emule.exe"=-
"{AD3F5236-4297-4CD7-A2F3-6B94A89A433A}"=- UDP:20000:Azureus
"{158B4864-6697-4BC2-8626-C5C1B30A53E8}"=-
"TCP Query User{6987462A-53D1-4712-BB97-FFDAA6054315}C:\\program files\\azureus\\azureus.exe"=-
"UDP Query User{9C9B8DDD-2170-4F16-AEF3-FAC43B54DCD7}C:\\program files\\azureus\\azureus.exe"=-
"TCP Query User{91BD0115-FD85-48A9-A479-45C4257C5DC0}C:\\users\\nick\\downloads\\emule\\emule.exe"=-
"UDP Query User{9F05F994-A4A4-4752-8CAC-A3B0213E569E}C:\\users\\nick\\downloads\\emule\\emule.exe"=-
"TCP Query User{91851A14-DEB5-4B76-81CB-4667FBBF8933}C:\\users\\nick\\downloads\\emule\\emule.exe"=-
"UDP Query User{9449A783-9990-42BB-B1B2-570F8931159E}C:\\users\\nick\\downloads\\emule\\emule.exe"=-
"TCP Query User{4CF11367-13E8-4F45-B38D-87EEF5682A0F}C:\\program files\\soulseek\\slsk.exe"=-
"UDP Query User{55A9DF72-6C99-4E0F-A260-08CBD074C415}C:\\program files\\soulseek\\slsk.exe"=-
"{C3C28169-90EE-4E5F-8B96-1E17BA6DBCA7}"=-
"{1766DAA5-EE0B-474C-A981-2FEE637A2278}"=-
"{BB76D20C-6B73-4361-9D6E-378E564E2B0B}"=-
"TCP Query User{487F3FB3-C197-4554-ADF4-B5C02E4C854C}C:\\program files\\azureus\\azureus.exe"=-
"UDP Query User{95F05314-3358-4FDD-95C5-071C4F499A29}C:\\program files\\azureus\\azureus.exe"=-
"TCP Query User{AC60D730-00AF-4BB0-92B7-CA80643CD0E4}C:\\program files\\emule\\emule.exe"=-
"UDP Query User{57BE91A1-5465-4E56-A5FD-A1A1A85E3601}C:\\program files\\emule\\emule.exe"=-
"TCP Query User{6CCF4F81-653A-4064-A35C-081963EED0FA}C:\\program files\\emule\\emule.exe"=-
"UDP Query User{C8A93D87-3B25-4631-B66E-287B40B7831A}C:\\program files\\emule\\emule.exe"=-
"{9ADD01BF-567D-4070-8FF4-F0A032A0277E}"=-
"{9B48427E-7441-41D3-A9E7-1559CC7A09C5}"=-
"{1C89940E-146B-40D9-BDCC-B97A7C1EF8CC}"=-
"{C18BBA83-6BB7-40E5-BA3A-99344E12AAAC}"=-
"{A0E880D9-2627-4100-8E1F-361F6D8823DF}"=-
"{3072C789-408F-41FE-A8B6-7FB6AC48FAF5}"=-
"TCP Query User{C0B6385C-AEAC-40A6-A5C9-3B222F7BE7C0}C:\\users\\nick\\documents\\myspacemp3gopher\\myspacemp3gopher.exe"=-
"UDP Query User{A613765A-2C0F-4A94-B52C-A4D39136537D}C:\\users\\nick\\documents\\myspacemp3gopher\\myspacemp3gopher.exe"=-
"{4F77764A-023C-4434-A503-E3D77A1C2E53}"=-
"{3D146FF6-F7B1-4EDE-A6F3-09D59D036327}"=-
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report, a fresh HJT log and the above-mentioned ComboFix resultant log.
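As an added example (not code from the thread, nor from HijackThis or ComboFix), the Python below parses the O2 lines of the log above, flags the BHO that has no friendly name and loads a DLL straight from system32 (that heuristic is my assumption, not a rule the helper states), and confirms that the CFScript's Registry:: entry deletes the same CLSID. Sample lines are copied from the posts above.

```python
import re

# Added example, not code from the thread, HijackThis or ComboFix: parse O2
# (Browser Helper Object) lines, flag entries shaped like the vfreru.dll one,
# and check that the posted CFScript removes the same CLSID.
HJT_O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
SYSTEM32_DLL_RE = re.compile(r"^[A-Za-z]:\\Windows\\system32\\[^\\]+\.dll$", re.I)
CFSCRIPT_BHO_RE = re.compile(
    r"^\[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\]$")

def parse_o2(line):
    """Return (name, clsid, dll_path) for an O2 line, else None."""
    m = HJT_O2_RE.match(line.strip())
    return (m["name"], m["clsid"], m["path"]) if m else None

def is_suspicious_bho(name, path):
    """Assumed heuristic (not stated in the thread): the name field is itself a
    GUID (no friendly name) and the DLL sits directly in system32. Every
    legitimate BHO in the log above has a name and lives under Program Files."""
    return bool(GUID_RE.match(name) and SYSTEM32_DLL_RE.match(path))

def flag_bhos(log_lines):
    """Return [(clsid, dll_path)] for every O2 entry the heuristic flags."""
    flagged = []
    for line in log_lines:
        parsed = parse_o2(line)
        if parsed and is_suspicious_bho(parsed[0], parsed[2]):
            flagged.append((parsed[1], parsed[2]))
    return flagged

def cfscript_removes(cfscript_lines, clsid):
    """True if the CFScript's Registry:: section deletes the BHO key for clsid."""
    matches = (CFSCRIPT_BHO_RE.match(l.strip()) for l in cfscript_lines)
    return any(m and m["clsid"].lower() == clsid.lower() for m in matches)

# Constructed input: three O2 lines, one O4 line and the CFScript excerpt above.
HJT_SAMPLE = [
    r"O2 - BHO: {76de0b89-55b6-c1a8-a6b4-1fba68127322} - {22372186-abf1-4b6a-8a1c-6b5598b0ed67} - C:\Windows\system32\vfreru.dll",
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll",
    r"O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe",
]
CFSCRIPT_SAMPLE = [
    "File::", r"C:\Windows\system32\vfreru.dll", "Registry::",
    r"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22372186-abf1-4b6a-8a1c-6b5598b0ed67}]",
]
```

Calling `flag_bhos(HJT_SAMPLE)` returns only the vfreru.dll entry, and `cfscript_removes(CFSCRIPT_SAMPLE, clsid)` on its CLSID is True; the other BHOs are left alone.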
Due to inactivity, this thread will now be closed.
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.