PDA

View Full Version : Virtumonde headache



CHILL_CO
2008-12-04, 20:59
I tried using Spybot to destroy Virtumonde but it keeps returning. Below is my HJT log and combofix log

HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58, on 2008-12-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ccs.exe
C:\Program Files\Remote Services\AM.utEventServer.exe
C:\Program Files\IP VPN Remote Services\cvpnd.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\slClient.exe
C:\WINDOWS\TIREMOTE\wuser32.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\Remote Services\AM.blScriptEngine.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\system32\slagent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uap.cag
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Track-It! Workstation Manager Service Monitor] C:\WINDOWS\TIREMOTE\TIServiceMonitor.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ADU] "C:\Program Files\Cisco Aironet\ADU.exe" -nogui
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Verizon IP VPN Remote Services.lnk = C:\Program Files\IP VPN Remote Services\vpngui.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\PkgMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: http://*.teamwork
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://dcptrend01:4343/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://dcptrend01:4343/officescan/console/ClientInstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://dcptrend01:4343/officescan/console/ClientInstall/setup.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {2739E75C-A4A1-438D-8914-190654B4E4EA} (epcInstallerConnector Class) - http://dcdcogweb1/cognos8/contributor/controls/epcwebinstaller83.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://dcptrend01:4343/officescan/console/ClientInstall/RemoveCtrl.cab
O16 - DPF: {8B20D871-F641-4891-8A5D-C813FFB017CB} (Contributor Web Client Connector) - http://dcdcogweb1/cognos8/contributor/controls/clientfull83.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cognos.webex.com/client/T25L/webex/ieatgpc.cab
O20 - AppInit_DLLs: cqowgb.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Access Manager Event Service (AM.EventService) - Verizon Business Global LLC - C:\Program Files\Remote Services\AM.utEventServer.exe
O23 - Service: Access Manager Install Service (AM.InstallService) - Verizon Business Global LLC - C:\Program Files\Remote Services\AM.InstallService.exe
O23 - Service: Access Manager Script Service (AM.ScriptService) - Verizon Business Global LLC - C:\Program Files\Remote Services\AM.blScriptEngine.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Configuration Service (CCS) - Unknown owner - C:\WINDOWS\system32\ccs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\IP VPN Remote Services\cvpnd.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: MCI Wireless Engine - Unknown owner - C:\Program Files\Remote Services\WENGINE2\BWEngine.exe
O23 - Service: MCI WMonitor - Boingo Wireless, Inc. - C:\Program Files\Remote Services\WENGINE2\WMonitor.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScriptLogic Service (SLClient) - ScriptLogic Corporation - C:\WINDOWS\system32\slClient.exe
O23 - Service: Track-It! Remote Control (TIRmtCtl) - Intuit Track-It! - C:\WINDOWS\TIREMOTE\wuser32.exe
O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Numara Software, Inc. - C:\WINDOWS\TIREMOTE\TIRemoteService.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE

--
End of file - 11530 bytes


Combofix log:

ComboFix 08-12-03.04 - gccarole 2008-12-04 11:37:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.485 [GMT -7:00]
Running from: c:\documents and settings\gccarole\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\gccarole\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.

2008-12-03 19:22 . 2008-12-03 19:22 173,456 --a------ C:\FixVundo.exe
2008-12-03 11:52 . 2008-12-04 10:02 151 --a------ c:\windows\wininit.ini
2008-12-02 20:38 . 2008-12-02 20:38 32,256 --a------ c:\documents and settings\gccarole\~.exe
2008-12-02 20:15 . 2004-05-14 16:53 462,848 --a------ c:\windows\system32\ltkrn13n.dll
2008-12-02 20:15 . 2004-05-14 16:53 450,560 --a------ c:\windows\system32\ltimg13n.dll
2008-12-02 20:15 . 2004-05-14 16:53 401,408 --a------ c:\windows\system32\lfcmp13n.dll
2008-12-02 20:15 . 2004-05-14 16:53 299,008 --a------ c:\windows\system32\ltdis13n.dll
2008-12-02 20:15 . 2004-01-12 02:09 206,336 --a------ c:\windows\system32\ltefx13n.dll
2008-12-02 20:15 . 2004-05-14 16:53 163,840 --a------ c:\windows\system32\ltfil13n.dll
2008-12-02 20:15 . 2003-11-04 15:10 69,632 --a------ c:\windows\system32\lfgif13n.dll
2008-12-02 20:15 . 2004-05-14 16:53 57,344 --a------ c:\windows\system32\lfbmp13n.dll
2008-12-02 19:51 . 2008-12-02 19:51 5,424 --a------ C:\ftp_error_check
2008-12-02 19:51 . 2008-12-02 19:51 3,459 --a------ C:\ftp_simple
2008-12-02 19:51 . 2008-12-02 19:51 1,498 --a------ C:\uap_ftptab
2008-12-02 19:39 . 2008-12-02 19:39 867 --a------ C:\checkfilebudg.sh
2008-12-02 19:39 . 2008-12-02 19:39 839 --a------ C:\checkfile.sh
2008-12-02 08:43 . 2008-12-02 09:54 231,424 --a------ C:\OU_Parent.xls
2008-11-25 15:00 . 2008-11-25 15:01 13,824 --a------ C:\Asset_Depr.xls
2008-11-24 09:42 . 2008-11-24 09:42 186,880 --a------ C:\AGU_ACCOUNTS_TREE.xls
2008-11-20 12:29 . 2008-11-20 12:29 30,208 --a------ C:\2815.xls
2008-11-19 07:41 . 2008-11-19 07:41 3,705,812 --a------ C:\FileZilla_3.1.5.1_win32-setup.exe
2008-11-17 12:59 . 2008-11-17 16:05 23,552 --a------ C:\Samples_Carole.xls
2008-11-14 15:33 . 2008-11-25 12:17 24,576 --a------ C:\Tree_Updates.xls
2008-11-13 10:10 . 2008-11-13 10:10 179,200 --a------ C:\OU_State.xls
2008-11-13 09:10 . 2008-11-13 09:11 182,784 --a------ C:\OU_Tree_Missing.xls
2008-11-12 15:57 . 2008-11-12 15:57 26,624 --a------ C:\OU_Help_Darren.xls
2008-11-12 12:37 . 2008-11-12 12:37 26,112 --a------ C:\OU_Help.xls
2008-11-11 16:32 . 2008-11-11 16:32 391,680 --a------ C:\Tree_Checks.xls
2008-11-11 16:04 . 2008-11-12 16:35 65,024 --a------ C:\Missing_Ous.xls
2008-11-11 15:39 . 2008-11-11 15:40 39,936 --a------ C:\Scopes for review.xls
2008-11-11 14:02 . 2008-11-11 14:02 <DIR> d-------- c:\program files\MSECache
2008-11-07 10:42 . 2008-11-10 13:19 18,944 --a------ C:\Period_Counts.xls
2008-11-07 10:03 . 2008-11-17 10:13 228,864 --a------ C:\Scopes.xls
2008-11-06 14:39 . 2008-11-06 16:33 750,592 --a------ C:\Revenue adjustments.xls
2008-11-06 13:07 . 2008-11-06 13:07 235,008 --a------ C:\DIG_MACD.doc
2008-11-06 09:00 . 2008-11-06 10:17 65,536 --a------ C:\Detailed_Ledger.doc
2008-11-05 11:40 . 2008-11-06 10:18 25,600 --a------ C:\Ledger_Info.xls
2008-11-04 08:27 . 2008-11-04 08:28 3,696,811 --a------ C:\FileZilla_3.1.5_win32-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 16:35 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-03 23:52 --------- d-----w c:\program files\IP VPN Remote Services
2008-12-03 19:07 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-03 02:56 --------- d-----w c:\documents and settings\gccarole\Application Data\FileZilla
2008-11-19 14:43 --------- d-----w c:\program files\FileZilla FTP Client
2008-10-20 14:37 3,688,730 ----a-w C:\FileZilla_3.1.4.1_win32-setup.exe
2008-10-03 17:12 3,659,444 ----a-w C:\FileZilla_3.1.3.1_win32-setup.exe
2008-09-09 16:51 3,648,871 ----a-w C:\FileZilla_3.1.2_win32-setup.exe
2008-08-27 20:34 3,681,588 ----a-w c:\program files\WS_FTP Pro.zip
2008-05-15 01:43 990,592 ----a-w c:\windows\inf\UIU\A2\HSF_DPV.sys
2008-05-15 01:42 98,752 ----a-w c:\windows\inf\UIU\A29\aeaudio.sys
2008-05-15 01:41 88,363 ----a-w c:\windows\inf\UIU\A18\AGRSMMSG.exe
2008-05-15 01:41 64,512 -c--a-w c:\windows\inf\UIU\agrsmdel.exe
2008-05-15 01:41 64,512 ----a-w c:\windows\inf\UIU\A18\agrsmdel.exe
2008-05-15 01:41 64,512 ----a-w c:\windows\inf\UIU\A12\agrsmdel.exe
2008-05-15 01:41 64,512 ----a-w c:\windows\inf\UIU\A11\agrsmdel.exe
2008-05-15 01:41 6,912 -c--a-w c:\windows\inf\UIU\atibtxbr.sys
2008-05-15 01:41 58,240 -c--a-w c:\windows\inf\UIU\atibtcap.sys
2008-05-15 01:41 1,268,204 ----a-w c:\windows\inf\UIU\A18\AGRSM.sys
2007-06-04 22:28 995,328 -c--a-w c:\windows\inf\UIU\W20MLRES.dll
2007-06-04 22:27 68,710 -c--a-w c:\windows\inf\UIU\A0100\RKSAMPLE.SYS
2007-06-04 22:26 917,504 -c--a-w c:\windows\inf\UIU\A2000\CMIDS3D.DLL
2007-06-04 22:25 98,304 -c--a-w c:\windows\inf\UIU\A0900\34dialog.dll
2007-06-04 22:24 98,752 -c--a-w c:\windows\inf\UIU\A0401\AEAUDIO.sys
2007-06-04 22:23 94,208 -c--a-w c:\windows\inf\UIU\A0102\igfxtray.exe
2006-07-19 17:20 1,895,732 ----a-w c:\documents and settings\gccarole\TextPad 4.zip
2006-05-27 14:41 57,344 ----a-w c:\documents and settings\gccarole\_EZPivotDeleteMe.exe
2007-06-04 20:30 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
2007-06-04 20:24 16,384 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2007-06-04 20:24 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"COMMUNICATOR"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-14 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-14 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-14 131072]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-01-08 356429]
"Track-It! Workstation Manager Service Monitor"="c:\windows\TIREMOTE\TIServiceMonitor.exe" [2008-04-23 165888]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
"ADU"="c:\program files\Cisco Aironet\ADU.exe" [2005-05-11 299008]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-06-18 413696]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HDAShCut.exe]
"TpShocks"="TpShocks.exe" [2005-08-22 c:\windows\system32\TpShocks.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 12451]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2007-02-27 561213]
Verizon IP VPN Remote Services.lnk - c:\program files\IP VPN Remote Services\vpngui.exe [2008-05-23 1528880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=cqowgb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\TIREMOTE\\wuser32.exe"=
"c:\\WINDOWS\\TIREMOTE\\TIRemoteService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 atiide;ATI SATA Controller IDE mode;c:\windows\system32\Drivers\atiide.sys [2008-05-14 3456]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\Shockprf.sys [2008-05-23 59904]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2008-05-23 4736]
R2 AM.EventService;Access Manager Event Service;"c:\program files\Remote Services\AM.utEventServer.exe" [2007-07-10 28672]
R2 AM.ScriptService;Access Manager Script Service;"c:\program files\Remote Services\AM.blScriptEngine.exe" [2007-07-10 28672]
R2 CcmExec;SMS Agent Host;c:\windows\system32\CCM\CcmExec.exe [2008-05-20 757792]
R2 SLClient;ScriptLogic Service;c:\windows\system32\slClient.exe [2006-10-19 532480]
R2 TIRmtCtl;Track-It! Remote Control;c:\windows\TIREMOTE\wuser32.exe [2008-05-23 311374]
R2 TIRmtSvc;Track-It! Workstation Manager;c:\windows\TIREMOTE\TIRemoteService.exe [2008-05-23 212480]
R2 TmFilter;Trend Micro Filter;\??\c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [2007-06-12 205328]
R2 TmPreFilter;Trend Micro PreFilter;\??\c:\program files\Trend Micro\OfficeScan Client\TmPreFlt.sys [2007-06-12 36368]
R3 prepdrvr;SMS Process Event Driver;\??\c:\windows\system32\CCM\prepdrv.sys [2008-05-20 23584]
R3 smsmdd;smsmdd;c:\windows\system32\DRIVERS\smsmdm.sys [2008-04-08 12448]
S3 AM.InstallService;Access Manager Install Service;"c:\program files\Remote Services\AM.InstallService.exe" [2007-07-10 81920]
S3 CSCO21;Cisco Aironet 802.11a/b/g Wireless Adapter Service;c:\windows\system32\DRIVERS\csco21.sys [2007-06-04 461728]
S3 MCI Wireless Engine;MCI Wireless Engine;"c:\program files\Remote Services\WENGINE2\BWEngine.exe" [2007-02-01 823296]
S3 MCI WMonitor;MCI WMonitor;"c:\program files\Remote Services\WENGINE2\WMonitor.exe" [2007-02-01 73728]
S3 smstsmgr;SMS Task Sequence Agent;c:\windows\system32\CCM\TSManager.exe /service [2008-05-20 249888]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e3e7261-200b-11dc-a50d-fb48184993d1}]
\Shell\AutoRun\command - D:\UIU.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d6feb01-b53e-11db-883c-8695eaf970df}]
\Shell\AutoRun\command - D:\UIU.EXE
.
- - - - ORPHANS REMOVED - - - -

BHO-{698e7de9-478c-46e3-82be-29654250e227} - c:\windows\system32\cqowgb.dll
BHO-{770E858C-7662-4988-9E49-F3B89587B786} - c:\windows\system32\opnlICRK.dll
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
Notify-mlJYpmJD - mlJYpmJD.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.uap.cag
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm

c:\windows\Downloaded Program Files\epcwebinstaller.dll - O16 -: {2739E75C-A4A1-438D-8914-190654B4E4EA}
hxxp://dcdcogweb1/cognos8/contributor/controls/epcwebinstaller83.cab
c:\windows\Downloaded Program Files\epcWebInstaller.inf

O16 -: {8B20D871-F641-4891-8A5D-C813FFB017CB} - hxxp://dcdcogweb1/cognos8/contributor/controls/clientfull83.cab
c:\windows\Downloaded Program Files\clientfull83.inf
FireFox -: Profile - c:\documents and settings\gccarole\Application Data\Mozilla\Firefox\Profiles\smrwz563.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 11:38:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\cscogina.dll
c:\windows\system32\csccfg10.dll
c:\windows\system32\csccfg10Res.dll
c:\windows\system32\amgina.dll
c:\windows\system32\netprovcredman.dll
.
Completion time: 2008-12-04 11:39:26
ComboFix-quarantined-files.txt 2008-12-04 18:39:16

Pre-Run: 75,223,871,488 bytes free
Post-Run: 75,211,108,352 bytes free

189 --- E O F --- 2008-08-14 20:01:44

CHILL_CO
2008-12-04, 21:38
Here's the Hijack uninstall log.


Access Manager
Access Manager GINA
Adobe Flash Player ActiveX
Adobe Reader 7.0
Apple Software Update
Cisco Aironet Installation Program
Citrix Web Client
Cognos 8 for Microsoft Office
Compatibility Pack for the 2007 Office system
Eclipse Terminal Emulator
FileZilla Client 3.1.5.1
High Definition Audio Driver Package - KB835221
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB915865)
IBM ThinkPad Power Management Driver
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet/Wireless Software
InterVideo WinDVD
IP VPN RS Cisco
Ipswitch WS_FTP Pro
Ipswitch WS_FTP Pro (gccarole)
Java 2 Runtime Environment, SE v1.4.2_07
Java(TM) 6 Update 5
Java(TM) 6 Update 6
mCore
mDriver
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft DirectX SDK (June 2007)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Primary Interop Assemblies
Microsoft Office 2003 Resource Kit
Microsoft Office Communicator 2005
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft Office Visio Professional 2003
mMHouse
Mozilla Firefox (2.0)
mPfMgr
mProSafe
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
mWlsSafe
Numara Track-It! 8 Agent
Oracle JInitiator 1.3.1.9
QuickTime
RDC
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB958644)
Shared Add-in Extensibility Update for Microsoft .NET Framework 2.0 (KB908002)
Shared Add-in Support Update for Microsoft .NET Framework 2.0 (KB908002)
SnagIt 8
Software Installer
Sonic RecordNow!
Sonic Update Manager
SoundMAX
Spybot - Search & Destroy
ThinkPad Bluetooth with Enhanced Data Rate Software
ThinkPad Modem
ThinkPad UltraNav Driver
ThinkVantage Active Protection System
Track-It! 7.0 Technician Client
Trend Micro OfficeScan Client
Universal Imaging Utility
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB916846)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB923845)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
VPN Client
WebEx
WIMGAPI
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinZip