Infected w/ Virtumonde pls. help



twitch1000
2008-12-15, 16:34
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:31:03 AM, on 12/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0DE3086C-D009-490F-91C6-DE37854FDFE2} - C:\WINDOWS\system32\jkkJaxUl.dll (file missing)
O2 - BHO: (no name) - {2C25046D-E7FA-4BC4-95E6-886B487D00D1} - (no file)
O2 - BHO: (no name) - {5CAAE205-8636-4A77-90DD-B3CB4B1027F4} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6120 bytes
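
An added example (not part of the original thread, and not HijackThis code) that parses entries like the ones in the log above and flags what a helper reads first: the two BHOs whose CLSIDs are still registered but whose DLLs are gone, the HKCU start page that differs from the HKLM default, and the one service listed with no publisher string. The sample lines are copied from the log above; treating http://go.microsoft.com/fwlink/ as the "default" start page is an assumption taken from the HKLM entries in this same log, and the severity labels are my own.

```python
"""Triage a HijackThis 2.0 log by entry type.  This is an added example, not
code from the thread or from HijackThis itself.  The heuristics are the ones
a malware-removal helper applies by eye: a BHO whose CLSID is registered but
whose DLL is gone, a BHO with no name, a start page that differs from the IE
default seen in the HKLM entries, and a service with no publisher string.
What counts as the "default" start page is an assumption taken from this log."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the HijackThis log above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {0DE3086C-D009-490F-91C6-DE37854FDFE2} - C:\WINDOWS\system32\jkkJaxUl.dll (file missing)
O2 - BHO: (no name) - {2C25046D-E7FA-4BC4-95E6-886B487D00D1} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumption: the HKLM Start Page in this log is the IE default; anything else is worth a look.
DEFAULT_START_PAGE_PREFIX = "http://go.microsoft.com/fwlink/"

ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")
# O2 body: "BHO: <name> - {CLSID} - <path, path (file missing), or (no file)>"
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")


@dataclass(frozen=True)
class Finding:
    entry: str      # HJT entry type, e.g. "O2"
    severity: str   # "fix": a helper would have HJT remove it; "review": look at it
    reason: str
    line: str


def triage(log_text):
    """Return the Finding list for one HijackThis log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue          # header, process list, blank lines
        etype, body = m.group("type"), m.group("body")
        if etype == "O2":
            b = BHO_RE.match(body)
            if not b:
                continue
            target = b.group("target")
            if target == "(no file)" or target.endswith("(file missing)"):
                findings.append(Finding(etype, "fix",
                    "BHO CLSID registered but its DLL is absent (orphaned entry)", line))
            elif b.group("name") == "(no name)":
                findings.append(Finding(etype, "review", "BHO with no name string", line))
        elif etype == "R0" and "Start Page" in body:
            url = body.split(" = ", 1)[1]
            if not url.startswith(DEFAULT_START_PAGE_PREFIX):
                findings.append(Finding(etype, "review", f"start page changed to {url}", line))
        elif etype == "O23" and " - Unknown owner - " in body:
            findings.append(Finding(etype, "review", "service with no publisher string", line))
    return findings


def count_by_severity(findings):
    """Tally findings as {"fix": n, "review": m}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.entry}: {f.reason}")
```

The two orphaned O2 entries are the kind of thing a helper would tick in HijackThis and "Fix checked"; the "review" items are not findings of malware on their own (a non-default start page can be set by a legitimate toolbar, and a service can lack a publisher string for mundane reasons), only the places to look next.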

shelf life
2008-12-20, 16:54
Hi,

If you still need help, we will start with MBAM. Link and directions:

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:

http://www.malwarebytes.org/mbam.php

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Please post the MBAM log in reply.

twitch1000
2008-12-21, 23:50
Malwarebytes' Anti-Malware 1.31
Database version: 1528
Windows 5.1.2600 Service Pack 3

12/21/2008 3:45:08 PM
mbam-log-2008-12-21 (15-45-08).txt

Scan type: Full Scan (C:\|)
Objects scanned: 175762
Time elapsed: 1 hour(s), 17 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\hihtdgrv.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vrgdthih.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\1QQ2LBYR\load[1].exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\6NLBC2U3\divx[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\6NLBC2U3\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\GAQHX3RW\xrun[1].tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\GAQHX3RW\zc113432[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Desktop\Programs\ConvertXtoDVD 3.0.0.7 Final And Patch (19th March 2008)45+-+\patch.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GR6P4V99\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GR6P4V99\kb600179[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GR6P4V99\apstpldr.dll[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\VSO\ConvertX\3\patch.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CACF0A7A-BDAE-4935-A01F-5462E97FA212}\RP34\A0007835.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CACF0A7A-BDAE-4935-A01F-5462E97FA212}\RP40\A0008884.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CACF0A7A-BDAE-4935-A01F-5462E97FA212}\RP46\A0008933.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CACF0A7A-BDAE-4935-A01F-5462E97FA212}\RP46\A0008934.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CACF0A7A-BDAE-4935-A01F-5462E97FA212}\RP46\A0008935.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\orpogigf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.
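
Three tools in this thread report the same infection in three formats, and the file names carry a pattern worth checking for explicitly rather than by eye: the MBAM log above removes hihtdgrv.dll beside vrgdthih.ini, whose stem is the DLL's stem spelled backwards, and the orphaned BHO jkkJaxUl.dll from the HijackThis log has its own reversed-name companion, lUxaJkkj.ini, which ComboFix removes later in the thread. The script below is an added example, not part of the thread or of any of these tools: it pulls drive-letter paths out of HijackThis, MBAM and ComboFix lines and pairs each DLL with the .ini files whose stem is its reverse. The sample lines are copied from the posts in this thread.

```python
"""Pair the randomly named DLLs removed in this thread with their reversed-name
companion .ini files.  This is an added example, not code from the thread or
from any of the tools used in it.  The pairing rule is the one visible in the
logs themselves: hihtdgrv.dll sits beside vrgdthih.ini (MBAM log), and the
orphaned BHO jkkJaxUl.dll in the HijackThis log matches lUxaJkkj.ini, which
ComboFix removes later in the thread."""
import re
from pathlib import PureWindowsPath

# Constructed sample input: lines copied from the HijackThis, MBAM and ComboFix
# logs posted in this thread.  Each tool prints paths in a different format,
# so the extractor keys on the path itself rather than on the surrounding text.
SAMPLE_LINES = r"""
O2 - BHO: (no name) - {0DE3086C-D009-490F-91C6-DE37854FDFE2} - C:\WINDOWS\system32\jkkJaxUl.dll (file missing)
C:\WINDOWS\system32\hihtdgrv.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vrgdthih.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\orpogigf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\windows\system32\lUxaJkkj.ini
c:\windows\system32\lUxaJkkj.ini2
""".strip().splitlines()

# A drive-letter path ending in .dll, .ini or .ini<digits>, followed by a space
# or end of line.  Good enough for system32 names, which never contain spaces.
PATH_RE = re.compile(r"[A-Za-z]:\\\S+\.(?:dll|ini\d*)(?=\s|$)")


def extract_files(lines):
    """Return ({dll stem: file name}, {ini stem: [file names]}), case preserved."""
    dlls, inis = {}, {}
    for line in lines:
        m = PATH_RE.search(line)
        if not m:
            continue
        p = PureWindowsPath(m.group(0))
        suffix = p.suffix.lower()
        if suffix == ".dll":
            dlls[p.stem] = p.name
        elif suffix.startswith(".ini"):
            inis.setdefault(p.stem, []).append(p.name)
    return dlls, inis


def pair_companions(lines):
    """Match each DLL stem against the reversed stems of the .ini files.

    Returns (pairs, unpaired): pairs maps a DLL name to the sorted list of
    .ini names whose stem is the DLL stem spelled backwards; unpaired lists
    DLLs with no such companion.  The comparison is case-sensitive because
    the logs preserve case (jkkJaxUl -> lUxaJkkj).
    """
    dlls, inis = extract_files(lines)
    pairs, unpaired = {}, []
    for stem, dll_name in dlls.items():
        companions = inis.get(stem[::-1])
        if companions:
            pairs[dll_name] = sorted(companions)
        else:
            unpaired.append(dll_name)
    return pairs, sorted(unpaired)


if __name__ == "__main__":
    pairs, unpaired = pair_companions(SAMPLE_LINES)
    for dll, ini_names in pairs.items():
        print(f"{dll:16} <-> {', '.join(ini_names)}")
    for dll in unpaired:
        print(f"{dll:16} <-> (no reversed-name companion seen in these logs)")
```

orpogigf.dll comes back unpaired because no reversed-name file appears in the posted logs; that is the expected result for it, not a parser failure. When a scanner removes a DLL but the log shows no companion, the .ini (or .ini2) with the reversed name is the first thing to look for in the next tool's output.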

shelf life
2008-12-22, 03:37
Hi,

OK, good. Can you post a new HJT log? How's it looking on your end? Rescan with Spybot and see if it comes up clean now.

twitch1000
2008-12-22, 06:43
Nope, still not clean. Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:08 PM, on 12/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0DE3086C-D009-490F-91C6-DE37854FDFE2} - C:\WINDOWS\system32\jkkJaxUl.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {2C25046D-E7FA-4BC4-95E6-886B487D00D1} - (no file)
O2 - BHO: (no name) - {5CAAE205-8636-4A77-90DD-B3CB4B1027F4} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5973 bytes

shelf life
2008-12-22, 18:21
So Spybot is still flagging something? Cookies don't count. If so, we will get one more download. It's called ComboFix. There is a guide you need to read before using it. It looks like a lot, but there are many pictures. Read the guide, and post the ComboFix log in reply.

The guide:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

twitch1000
2008-12-23, 09:47
I never got the log the first time I ran ComboFix; my computer froze. But here's the second log that I did get.


ComboFix 08-12-21.04 - James 2008-12-23 1:38:15.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1685 [GMT -6:00]
Running from: c:\documents and settings\James\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\James\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Owner\Application Data\inst.exe
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\lUxaJkkj.ini
c:\windows\system32\lUxaJkkj.ini2
c:\windows\Tasks\hgozjtrr.job
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-11-23 to 2008-12-23 )))))))))))))))))))))))))))))))
.

2008-12-21 13:59 . 2008-12-21 13:59 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-21 13:59 . 2008-12-21 13:59 <DIR> d-------- c:\documents and settings\James\Application Data\Malwarebytes
2008-12-21 13:59 . 2008-12-21 13:59 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-12-21 13:59 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-21 13:59 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-20 15:36 . 2008-04-13 18:12 221,184 --a------ c:\windows\system32\wmpns.dll
2008-12-17 14:41 . 2008-12-17 14:41 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-12-14 12:43 . 2008-12-14 12:43 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-14 12:43 . 2008-12-14 12:43 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-14 12:33 . 2008-12-14 12:33 <DIR> d-------- c:\program files\Trend Micro
2008-12-13 17:51 . 2008-12-13 17:51 <DIR> d-------- c:\program files\Common Files\iS3
2008-12-13 17:51 . 2008-12-14 12:37 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\STOPzilla!
2008-12-13 17:51 . 2008-12-13 18:58 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\SITEguard
2008-12-13 16:57 . 2008-12-17 14:24 <DIR> d-------- c:\documents and settings\James\Application Data\AdobeUM
2008-12-13 15:39 . 1998-06-26 00:00 1,062,704 --a------ c:\windows\system32\Mscomctl.ocx
2008-12-13 15:39 . 1998-06-24 10:56 203,576 --a------ c:\windows\system32\RICHTX32.OCX
2008-12-13 15:39 . 1997-01-21 18:06 191,248 --a------ c:\windows\system32\TABCTL32.OCX
2008-12-13 15:39 . 1998-06-18 00:00 153,600 --a------ c:\windows\system32\TLBINF32.DLL
2008-12-13 15:39 . 1998-06-24 00:00 140,096 --a------ c:\windows\system32\COMDLG32.OCX
2008-12-13 15:39 . 1998-10-27 01:34 77,824 --a------ c:\windows\system32\SpinX.ocx
2008-12-13 15:39 . 1998-04-21 19:01 57,856 --a------ c:\windows\system32\RulerBar.ocx
2008-12-13 15:39 . 1998-10-27 01:21 32,768 --a------ c:\windows\system32\Bevel.ocx
2008-12-13 15:18 . 1998-12-17 17:05 299,520 --a------ c:\windows\uninst.exe
2008-12-12 12:02 . 2008-12-12 12:02 <DIR> d-------- c:\documents and settings\James\Application Data\Hewlett-Packard
2008-12-11 19:30 . 2008-12-11 19:30 <DIR> d-------- c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\Xfire
2008-12-11 19:29 . 2008-12-11 19:44 <DIR> d-------- c:\documents and settings\James\Application Data\Xfire
2008-12-11 19:14 . 2008-12-11 22:37 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2008-12-11 03:51 . 1995-06-23 10:55 92,208 --a------ c:\windows\system\WING.DLL
2008-12-11 03:49 . 2008-12-11 03:49 <DIR> d-------- c:\program files\RandomGames
2008-12-11 03:49 . 1998-01-23 12:22 304,128 --a------ c:\windows\IsUninst.exe
2008-12-11 03:49 . 1998-07-29 18:00 127,488 --a------ c:\windows\system32\DSETUP.DLL
2008-12-11 03:49 . 2008-12-11 03:49 12,800 --a------ c:\windows\system\wing32.dll
2008-12-11 03:45 . 2008-12-11 03:45 <DIR> d-------- c:\program files\Real Alternative
2008-12-11 03:45 . 2008-12-11 03:45 <DIR> d-------- c:\documents and settings\James\Application Data\Media Player Classic
2008-12-11 03:43 . 2008-12-11 03:43 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\GRETECH
2008-12-11 03:42 . 2008-12-11 03:42 <DIR> d-------- c:\program files\GRETECH
2008-12-11 03:42 . 2008-12-11 03:42 <DIR> d-------- c:\documents and settings\James\Application Data\GRETECH
2008-12-11 03:31 . 2008-12-11 03:31 <DIR> d-------- c:\program files\eRightSoft
2008-12-11 03:31 . 2008-12-11 03:31 <DIR> d-------- c:\program files\AviSynth 2.5
2008-12-11 03:08 . 2008-12-11 03:08 <DIR> d-------- c:\documents and settings\James\WINDOWS
2008-12-11 02:59 . 2008-12-11 02:59 <DIR> d-------- c:\documents and settings\James\Application Data\vlc
2008-12-11 02:21 . 2008-12-11 02:21 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Winferno
2008-12-11 02:10 . 2008-07-09 02:05 421,888 --a------ c:\windows\system32\ac3filter.acm
2008-12-10 16:46 . 2008-04-13 18:12 218,624 --a------ c:\windows\system32\uxtheme.uxtender
2008-12-10 15:30 . 2008-12-10 15:30 <DIR> d-------- c:\documents and settings\James\Application Data\DAEMON Tools Pro
2008-12-10 15:30 . 2008-12-10 15:30 <DIR> d-------- c:\documents and settings\James\Application Data\DAEMON Tools
2008-12-10 15:29 . 2008-12-10 15:29 <DIR> d-------- c:\program files\DAEMON Tools Toolbar
2008-12-10 15:29 . 2008-12-10 15:29 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\DAEMON Tools Lite
2008-12-10 15:27 . 2008-12-10 15:31 <DIR> d-------- c:\documents and settings\James\Application Data\DAEMON Tools Lite
2008-12-10 15:27 . 2008-12-10 15:27 717,296 --a------ c:\windows\system32\drivers\sptd.sys
2008-12-10 15:00 . 2008-12-10 15:00 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Media Center Programs
2008-12-10 14:52 . 2008-12-10 15:10 <DIR> d-------- c:\program files\THQ
2008-12-10 09:50 . 2008-12-10 09:50 <DIR> d-------- C:\ProgramData
2008-12-09 20:05 . 2008-12-09 20:06 <DIR> d-------- c:\documents and settings\James\Application Data\BSplayer Pro
2008-12-09 15:03 . 2008-12-09 15:03 0 --a------ c:\windows\nsreg.dat
2008-12-09 05:55 . 2008-12-09 05:55 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-09 05:39 . 2008-10-16 14:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2008-12-09 05:39 . 2007-04-17 03:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-12-09 05:39 . 2007-03-07 23:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-12-09 05:39 . 2008-10-16 14:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2008-12-09 05:39 . 2008-10-16 14:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-12-09 05:39 . 2008-10-16 14:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2008-12-09 05:39 . 2008-10-16 14:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2008-12-09 05:39 . 2008-10-16 14:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-09 05:39 . 2008-10-16 07:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2008-12-09 05:11 . 2008-04-13 12:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-09 05:10 . 2008-12-09 05:17 19,558 --a------ c:\windows\hpoins01.dat
2008-12-09 05:10 . 2003-04-22 10:24 16,606 --------- c:\windows\hpomdl01.dat
2008-12-09 05:03 . 2008-12-09 05:03 <DIR> d-------- c:\documents and settings\James\Application Data\MSNInstaller
2008-12-09 04:56 . 2008-12-09 04:56 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\nView_Profiles
2008-12-09 04:53 . 2008-12-09 04:53 <DIR> d-------- c:\windows\Downloaded Installations
2008-12-09 04:53 . 2008-12-09 04:53 <DIR> d-------- c:\program files\HP
2008-12-09 04:43 . 2008-12-09 04:44 127,254 --a------ c:\windows\system32\nvapps.xml
2008-12-09 04:42 . 2007-06-28 10:43 356,352 --a------ c:\windows\system32\nvudisp.exe
2008-12-09 04:42 . 2007-06-28 10:43 17,463 --a------ c:\windows\system32\nvdisp.nvu
2008-12-09 04:39 . 2008-06-13 05:05 272,128 --a------ c:\windows\system32\drivers\bthport.sys
2008-12-09 04:39 . 2008-06-13 05:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-12-09 04:38 . 2008-08-14 04:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-09 04:38 . 2008-08-14 04:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-09 04:38 . 2008-08-14 03:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-09 04:38 . 2008-08-14 03:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-09 04:38 . 2008-09-15 06:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-12-09 04:38 . 2008-09-08 04:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-12-09 04:37 . 2008-04-11 13:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-12-09 04:37 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-09 04:37 . 2008-05-08 08:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2008-12-09 04:36 . 2008-10-15 10:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-12-09 04:25 . 2008-04-13 18:09 811,064 --a------ c:\windows\system32\imjp81k.dll
2008-12-09 04:24 . 2001-08-17 22:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2008-12-09 04:24 . 2001-08-17 22:36 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2008-12-09 04:24 . 2001-08-17 22:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2008-12-09 04:24 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2008-12-09 04:24 . 2008-04-13 18:09 6,144 --a------ c:\windows\system32\kbd106.dll
2008-12-09 04:24 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2008-12-09 04:24 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2008-12-09 04:24 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2008-12-09 04:24 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2008-12-09 04:24 . 2001-08-17 14:55 5,632 --a------ c:\windows\system32\kbd103.dll
2008-12-09 04:24 . 2001-08-17 14:55 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll
2008-12-09 04:21 . 2007-08-10 20:46 26,488 --a------ c:\windows\system32\spupdsvc.exe
2008-12-09 04:20 . 2008-12-09 04:20 <DIR> d--hs---- c:\documents and settings\James\UserData
2008-12-09 04:20 . 2008-12-09 04:20 13,646 --a------ c:\windows\system32\wpa.bak
2008-12-09 04:11 . 2008-12-09 04:11 <DIR> d-------- c:\program files\DIFX
2008-12-09 04:11 . 2006-07-01 22:39 36,864 --a------ c:\windows\system32\drivers\AmdK8.sys
2008-12-09 04:09 . 2008-12-09 04:09 1,024 --a------ C:\.rnd
2008-12-09 04:09 . 2008-12-09 04:09 22 --a------ c:\windows\FileName
2008-12-09 04:07 . 2006-04-24 18:52 289,792 -ra------ c:\windows\system32\idecoiins.dll
2008-12-09 04:07 . 2006-04-24 18:52 289,792 -ra------ c:\windows\system32\idecoi.dll
2008-12-09 04:07 . 2006-04-14 15:00 208,896 --a------ c:\windows\system32\nvuide.exe
2008-12-09 04:07 . 2006-04-24 18:52 100,736 -ra------ c:\windows\system32\drivers\nvata.sys
2008-12-09 04:07 . 2006-04-14 15:01 35,840 -ra------ c:\windows\system32\NVCOI.DLL
2008-12-09 04:07 . 2006-02-20 14:00 1,570 -ra------ c:\windows\system32\nvide.nvu
2008-12-09 04:06 . 2008-12-09 04:06 <DIR> d-------- c:\documents and settings\James\Application Data\InstallShield
2008-12-09 04:04 . 2008-12-09 04:06 12,377 --a------ c:\windows\Ascd_tmp.ini
2008-12-09 04:04 . 2006-10-10 21:33 10,288 --a------ c:\windows\system32\drivers\ASUSHWIO.SYS
2008-12-09 04:04 . 2004-08-12 02:00 5,810 -ra------ c:\windows\system32\drivers\ASACPI.sys
2008-12-09 04:03 . 2008-12-09 04:03 21,275 --a------ c:\windows\system32\drivers\AegisP.sys
2008-12-09 04:02 . 2006-05-04 21:02 380,928 --a------ c:\windows\system32\drivers\rt61.sys
2008-12-09 04:02 . 2005-12-15 12:38 315,392 --a------ c:\windows\system32\AegisI5.exe
2008-12-09 04:02 . 2006-05-15 18:25 295,028 --a------ c:\windows\system32\Install6x.dll
2008-12-09 04:02 . 2006-04-06 15:15 8,192 --a------ c:\windows\system32\drivers\RT2661.bin
2008-12-09 04:02 . 2006-04-06 15:15 8,192 --a------ c:\windows\system32\drivers\RT2561s.bin
2008-12-09 04:02 . 2006-04-06 15:15 8,192 --a------ c:\windows\system32\drivers\RT2561.bin
2008-12-09 04:02 . 2006-03-10 17:33 78 --a------ c:\windows\filespec6x
2008-12-09 02:06 . 2008-12-09 05:48 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-17 20:41 --------- d-----w c:\program files\Common Files\Adobe
2008-12-13 21:39 --------- d-----w c:\program files\DC30
2008-12-12 03:58 --------- d-----w c:\program files\Xfire
2008-12-11 08:10 --------- d-----w c:\program files\AC3Filter
2008-12-10 22:48 --------- d-----w c:\program files\DAEMON Tools Lite
2008-12-10 22:46 218,624 ----a-w c:\windows\system32\uxtheme.dll
2008-12-10 22:10 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-10 21:57 --------- d-----w c:\program files\MagicISO
2008-12-10 15:50 --------- d-----w c:\program files\Electronic Arts
2008-12-09 10:10 --------- d-----w c:\program files\C-Media 6501 Sound
2008-12-09 10:09 --------- d-----w c:\program files\NVIDIA Corporation
2008-12-09 08:00 155,995 ----a-w c:\windows\java\Packages\WOXRZ5NH.ZIP
2008-12-09 06:54 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-09 06:34 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2008-12-04 03:26 --------- d-----w c:\program files\Java
2008-11-30 23:23 --------- d-----w c:\documents and settings\Owner\Application Data\Vso
2008-11-30 09:04 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-30 05:25 --------- d-----w c:\program files\Common Files\AOL
2008-11-20 20:45 42,320 ----a-w c:\windows\system32\xfcodec.dll
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-04-13 17:58 47,360 ----a-w c:\documents and settings\Owner\Application Data\pcouffin.sys
2008-04-09 20:06 142 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-10 216520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nTrayFw"="c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2005-12-21 270336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-14 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"nwiz"="nwiz.exe" [2007-06-28 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-09 323646]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 28672]
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2008-04-05 614400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"msacm.ac3filter"= ac3filter.acm
"msacm.divxa32"= msaud32_divx.acm
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=

R3 c65013264;C-Media CM6501 Like Sound UDAX Interface;c:\windows\system32\drivers\c6501.sys [2008-12-09 1310720]
.
Contents of the 'Scheduled Tasks' folder

2008-12-12 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1229104890.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 19:56]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0DE3086C-D009-490F-91C6-DE37854FDFE2} - c:\windows\system32\jkkJaxUl.dll
BHO-{2C25046D-E7FA-4BC4-95E6-886B487D00D1} - (no file)
BHO-{5CAAE205-8636-4A77-90DD-B3CB4B1027F4} - (no file)
HKLM-Run-C6501Sound - c6501.cpl


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
uInternet Settings,ProxyOverride = 127.0.0.1
LSP: %SYSTEMROOT%\system32\nvappfilter.dll

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\James\Application Data\Mozilla\Firefox\Profiles\bd1x8wq6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\Mozilla Firefox\components\iamfamous.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-23 01:40:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(800)
c:\windows\system32\nvappfilter.dll
.
Completion time: 2008-12-23 1:43:39
ComboFix-quarantined-files.txt 2008-12-23 07:43:38

Pre-Run: 94,959,419,392 bytes free
Post-Run: 94,948,614,144 bytes free

261 --- E O F --- 2008-12-18 21:00:26

shelf life
2008-12-24, 02:15
hi,

ok thanks for the info. how's it looking now? update and run MBAM again.

twitch1000
2008-12-24, 11:42
No more virtumonde but MBAM found another trojan which I chose to fix.

Malwarebytes' Anti-Malware 1.31
Database version: 1539
Windows 5.1.2600 Service Pack 3

12/24/2008 3:41:28 AM
mbam-log-2008-12-24 (03-41-28).txt

Scan type: Full Scan (C:\|)
Objects scanned: 174460
Time elapsed: 1 hour(s), 20 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{CACF0A7A-BDAE-4935-A01F-5462E97FA212}\RP46\A0008932.dll (Trojan.Downloader) -> Quarantined and deleted successfully.

shelf life
2008-12-24, 18:35
hi,

ok good. the last trojan was in your restore points, which we can flush out;

to remove combofix:
start>run and type in:
combofix /u
click ok or enter
Note: there is a space after the x and before the /

keep malwarebytes and it's good practice to keep it updated even if you don't scan with it much or it never finds anything.

to make a new restore point, the how and why:

One of the features of Windows ME, XP and Vista is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.(new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot

if all is good, some info for you:

Reducing Your Risk:
The Short Version

1) Keep your OS (Windows) (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us), browser (IE, FireFox) and other Software (http://secunia.com/vulnerability_scanning/online/) up to date to "patch" vulnerabilities.
2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons.
3) Install and keep them all updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless.
4) Refrain from clicking on links or attachments you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message.
5) Don't click on ads/pop ups or offers from websites requesting that you install software to your computer.
6) Don't click on offers to "scan" your computer.
7) Set up and use limited accounts for everyday use, rather than administrator accounts.
8) Install a third party software firewall.
9) Consider using an alternate browser and E-mail client.
10) If your habits include: warez, cracks etc. or p2p (http://www.virusvault.us/p2p.html) file sharing then you are much more likely to encounter malicious code. Do you trust the source?


longer version in link below.

happy safe surfing out there
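
The restore-point flush described in the post above, done from PowerShell instead of the System Properties GUI, as an added example that is not from the original thread or from the Spybot helpers. It assumes Windows XP with PowerShell installed, an administrator session, drive C: as the system drive, and the WMI SystemRestore class in root\default (the post's advice to reboot between the off and on steps still applies; this script does not reboot).

```powershell
# Added example (not from the original thread): flush and re-create System
# Restore points on Windows XP via the WMI SystemRestore class instead of
# the System Properties GUI. Assumes an administrator session and drive C:.
$drive = "C:\"
$sr = [wmiclass]"\\.\root\default:SystemRestore"

# 1. List what is there now; a restore point can still hold an infected
#    file such as the Trojan.Downloader MBAM found under _restore{...}\RP46.
$before = @(Get-WmiObject -Namespace root\default -Class SystemRestore)
"Restore points before: $($before.Count)"
$before | ForEach-Object { "  RP{0}  {1}  {2}" -f $_.SequenceNumber, $_.CreationTime, $_.Description }

# 2. Turning System Restore off on the system drive deletes every existing
#    restore point (the same effect as the GUI "Turn off System Restore").
$r = $sr.Disable($drive)
if ($r.ReturnValue -ne 0) { throw "Disable failed with code $($r.ReturnValue)" }

# 3. Turning it back on starts from a clean slate; WaitTillEnabled = $true
#    blocks until the service has finished re-enabling monitoring.
$r = $sr.Enable($drive, $true)
if ($r.ReturnValue -ne 0) { throw "Enable failed with code $($r.ReturnValue)" }

# 4. Create a fresh, known-clean restore point (12 = MODIFY_SETTINGS,
#    100 = BEGIN_SYSTEM_CHANGE) and verify the old ones are gone.
$r = $sr.CreateRestorePoint("Clean after malware removal", 12, 100)
if ($r.ReturnValue -ne 0) { throw "CreateRestorePoint failed with code $($r.ReturnValue)" }

$after = @(Get-WmiObject -Namespace root\default -Class SystemRestore)
"Restore points after: $($after.Count)"
$after | ForEach-Object { "  RP{0}  {1}  {2}" -f $_.SequenceNumber, $_.CreationTime, $_.Description }
```

Run it from an account that has the System Restore tab visible, as the post notes; a limited account will get an access-denied ReturnValue from the Disable call.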

twitch1000
2008-12-24, 20:24
Thank you so very much shelf life. My comp is clean, and I will definitely follow the advice for staying away from these kinda problems. Happy Holidays!

shelf life
2008-12-25, 01:05
ok you're welcome. Happy Holidays and safe surfing.