Can't get rid of fbk.sts after being infected with Virtumonde/Smitfraud



Oracle3001
2009-01-11, 19:30
Hi,

I woke up this morning to find that my machine has been infected with a whole host of things (even though I am running a BitDefender Security Suite). I have managed to clear pretty much everything using a combination of BitDefender, Spybot, MalwareBytes and ComboFix. Spybot detected the presence of Virtumonde and SmitFraud, hence my usage of ComboFix.

However, I am finding it impossible to clear

Local Settings\Temporary Internet Files\fbk.sts

After every restart ComboFix finds and deletes it. Any help would be much appreciated telling me what this file does, why it is dangerous and how to get rid of it; here are my ComboFix and HJT logs.

ComboFix 09-01-10.03 - Adam 2009-01-11 17:14:07.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1508 [GMT 0:00]
Running from: d:\documents and settings\Adam\Desktop\Combo-Fix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
FW: BitDefender Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\Adam\Local Settings\Temporary Internet Files\fbk.sts

.
((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))
.

2009-01-11 16:02 . 2009-01-11 17:13 3,162,278 --a------ d:\windows\{00000005-00000000-00000008-00001102-00000004-00511102}.BAK
2009-01-11 01:41 . 2009-01-11 01:41 73,216 --a------ d:\windows\system32\ffkuz.dll
2009-01-11 01:40 . 2009-01-11 01:40 <DIR> d-------- d:\windows\system32\dp2
2009-01-11 01:40 . 2009-01-11 01:40 <DIR> d-------- d:\documents and settings\Adam\Application Data\cogad
2009-01-08 18:28 . 2009-01-08 18:30 <DIR> d-------- D:\gnuex
2009-01-08 18:17 . 2009-01-08 18:17 <DIR> d-------- D:\MinGW
2009-01-08 17:45 . 2009-01-08 17:45 <DIR> d-------- d:\documents and settings\Adam\Application Data\MathWorks
2009-01-08 17:44 . 2002-02-14 10:26 647,872 --a------ d:\windows\system32\mscomct2.ocx
2009-01-08 17:44 . 2009-01-08 17:44 645,120 --a------ d:\windows\system32\config.gms
2009-01-08 17:44 . 2004-03-01 22:05 407,104 --a------ d:\windows\system32\MSHFLXGD.OCX
2009-01-08 17:44 . 2004-02-11 14:37 203,976 --a------ d:\windows\system32\RICHTX32.OCX
2009-01-08 17:44 . 2002-02-13 10:20 2,362 --a------ d:\windows\system32\mscomct2.dep
2009-01-08 17:28 . 2009-01-11 17:07 <DIR> d-------- d:\documents and settings\Adam\Tracing
2009-01-08 17:26 . 2009-01-08 17:26 <DIR> d-------- d:\program files\Windows Live SkyDrive
2009-01-08 17:26 . 2009-01-08 17:26 <DIR> d-------- d:\program files\Microsoft
2009-01-08 17:21 . 2009-01-08 17:21 <DIR> d-------- d:\program files\Common Files\Windows Live
2009-01-08 17:08 . 2009-01-08 17:08 <DIR> d-------- d:\program files\MATLAB
2009-01-08 16:58 . 2009-01-08 16:58 <DIR> d-------- d:\program files\MagicISO
2009-01-04 00:27 . 2009-01-04 00:27 <DIR> d-------- d:\documents and settings\Adam\Application Data\KillProcess
2008-12-29 02:30 . 2008-12-29 02:30 84 --a------ d:\windows\wininit.ini
2008-12-28 16:19 . 2008-12-28 16:19 <DIR> d-------- d:\documents and settings\All Users\Application Data\Corel
2008-12-28 16:19 . 2008-12-28 16:19 88 -r-hs---- d:\windows\system32\C685C7EE4B.sys
2008-12-28 16:17 . 2008-12-28 16:18 <DIR> d-------- d:\program files\Common Files\Corel
2008-12-28 15:18 . 2008-12-28 15:18 <DIR> d-------- d:\documents and settings\LocalService\Application Data\iolo
2008-12-28 15:18 . 2008-12-28 15:18 406 --a------ d:\windows\system32\ioloBootDefrag.cfg
2008-12-28 15:17 . 2008-12-28 15:18 <DIR> d-------- d:\documents and settings\All Users\Application Data\iolo
2008-12-28 15:17 . 2008-12-28 15:23 <DIR> d-------- d:\documents and settings\Adam\Application Data\iolo
2008-12-18 20:58 . 2009-01-08 22:42 <DIR> d-------- d:\program files\HoldemLuck
2008-12-16 16:20 . 2008-10-23 12:36 286,720 -----c--- d:\windows\system32\dllcache\gdi32.dll
2008-12-16 16:19 . 2008-09-04 17:15 1,106,944 -----c--- d:\windows\system32\dllcache\msxml3.dll
2008-12-16 16:19 . 2008-10-24 11:21 455,296 -----c--- d:\windows\system32\dllcache\mrxsmb.sys
2008-12-16 16:19 . 2008-10-15 16:34 337,408 -----c--- d:\windows\system32\dllcache\netapi32.dll
2008-12-16 12:01 . 2008-12-16 12:01 <DIR> d-------- d:\program files\Bonjour
2008-12-15 10:01 . 2008-12-15 10:01 <DIR> d-------- d:\program files\TeamViewer
2008-12-14 23:37 . 2008-12-14 23:38 <DIR> d-------- d:\program files\Hotspot Shield
2008-12-12 11:18 . 2008-12-12 11:18 87,336 --a------ d:\windows\system32\dns-sd.exe
2008-12-12 11:11 . 2008-12-12 11:11 61,440 --a------ d:\windows\system32\dnssd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 17:08 --------- d-----w d:\program files\MediaMonkey
2009-01-11 16:42 --------- d-----w d:\program files\Veetle
2009-01-11 14:00 --------- d-----w d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-11 00:00 --------- d-----w d:\documents and settings\Adam\Application Data\uTorrent
2009-01-09 22:44 --------- d-----w d:\program files\Full Tilt Poker
2009-01-08 22:54 --------- d---a-w d:\documents and settings\All Users\Application Data\TEMP
2009-01-08 17:25 --------- d-----w d:\program files\Windows Live
2009-01-07 01:43 --------- d-----w d:\program files\PokerStars
2009-01-05 01:37 --------- d-----w d:\program files\Malwarebytes' Anti-Malware
2009-01-04 21:52 --------- d-----w d:\documents and settings\Adam\Application Data\skypePM
2009-01-04 21:52 --------- d-----w d:\documents and settings\Adam\Application Data\Skype
2009-01-04 18:38 38,496 ----a-w d:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 18:38 15,504 ----a-w d:\windows\system32\drivers\mbam.sys
2009-01-04 01:29 --------- d-----w d:\program files\PartyGaming
2008-12-28 16:22 4,546 --sha-w d:\windows\system32\KGyGaAvL.sys
2008-12-28 16:19 --------- d-----w d:\documents and settings\Adam\Application Data\Corel
2008-12-28 16:17 --------- d-----w d:\program files\Corel
2008-12-28 09:54 --------- d-----w d:\program files\MediaCoder MPx Player Edition
2008-12-16 23:56 --------- d-----w d:\program files\PostgreSQL
2008-12-15 10:02 --------- d-----w d:\documents and settings\Adam\Application Data\TeamViewer
2008-12-03 11:53 --------- d-----w d:\program files\PokerTracker 3
2008-12-02 22:37 49,480 ----a-w d:\windows\system32\sirenacm.dll
2008-11-30 16:43 --------- d-----w d:\program files\StoxEV
2008-11-30 10:49 0 ---ha-w d:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2008-11-30 10:49 0 ---ha-w d:\windows\system32\drivers\Msft_User_M4iPodWPDDriver_01_07_00.Wdf
2008-11-29 18:46 --------- d-----w d:\program files\ConvertHelper
2008-11-29 13:39 --------- d-----w d:\program files\Mediafour
2008-11-29 13:39 --------- d-----w d:\program files\Common Files\Mediafour
2008-11-29 13:39 --------- d-----w d:\documents and settings\All Users\Application Data\Mediafour
2008-11-28 13:12 1 ----a-w d:\documents and settings\Adam\Application Data\trp86.dat
2008-11-27 19:19 82,440 ----a-w d:\windows\system32\drivers\BDVEDISK.sys
2008-11-27 19:19 192,512 ----a-w d:\windows\system32\txmlutil.dll
2008-11-27 19:19 104,328 ----a-w d:\windows\system32\drivers\bdfndisf.sys
2008-11-27 19:17 230,920 ----a-w d:\windows\system32\drivers\bdfsfltr.sys
2008-11-27 19:17 111,112 ----a-w d:\windows\system32\drivers\bdfm.sys
2008-11-27 16:03 --------- d-----w d:\documents and settings\All Users\Application Data\BitDefender
2008-11-27 16:00 --------- d-----w d:\program files\Common Files\BitDefender
2008-11-27 16:00 --------- d-----w d:\program files\BitDefender
2008-11-27 16:00 --------- d-----w d:\documents and settings\Adam\Application Data\BitDefender
2008-11-26 22:44 --------- d-----w d:\program files\iTunes
2008-11-26 22:44 --------- d-----w d:\program files\iPod
2008-11-26 22:44 --------- d-----w d:\program files\Common Files\Apple
2008-11-26 22:44 --------- d-----w d:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-26 22:42 --------- d-----w d:\program files\QuickTime
2008-11-21 17:58 --------- d-----w d:\documents and settings\Adam\Application Data\vlc
2008-11-21 17:49 --------- d-----w d:\documents and settings\Adam\Application Data\DivX
2008-11-21 11:19 157,741 ----a-w d:\windows\Internet Logs\vsmon_2nd_2008_11_21_11_19_42_small.dmp.zip
2008-11-21 08:11 158,821 ----a-w d:\windows\Internet Logs\vsmon_2nd_2008_11_21_08_11_10_small.dmp.zip
2008-11-21 06:02 167,781 ----a-w d:\windows\Internet Logs\vsmon_2nd_2008_11_21_06_02_17_small.dmp.zip
2008-11-19 22:33 --------- d-----w d:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-19 22:33 --------- d-----w d:\documents and settings\Adam\Application Data\Malwarebytes
2008-11-19 11:54 --------- d-----w d:\program files\Spybot - Search & Destroy
2008-11-18 15:41 --------- d-----w d:\program files\Common Files\Wise Installation Wizard
2008-11-18 15:41 --------- d-----w d:\documents and settings\All Users\Application Data\Lavasoft
2008-11-18 12:15 --------- d-----w d:\program files\Lavasoft
2008-11-16 01:54 --------- d-----w d:\program files\DivX
2008-11-15 00:43 --------- d-----w d:\program files\TVUPlayer
2008-11-15 00:43 --------- d-----w d:\documents and settings\All Users\Application Data\TVU Networks
2008-11-14 22:10 --------- d-----w d:\program files\Microsoft Silverlight
2008-11-10 00:48 79,403 ----a-w d:\windows\Internet Logs\zlclient_2nd_2008_11_10_00_40_44_small.dmp.zip
2008-11-10 00:48 53,262 ----a-w d:\windows\Internet Logs\zlclient_2nd_2008_11_10_00_40_39_small.dmp.zip
2008-11-09 19:13 14,846,469 ----a-w d:\windows\Internet Logs\tvDebug.zip
2008-10-28 22:36 823,296 ----a-w d:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w d:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w d:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w d:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w d:\windows\system32\DivX.dll
2008-10-23 12:36 286,720 ----a-w d:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w d:\windows\system32\wininet.dll
2008-10-16 14:13 202,776 ----a-w d:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w d:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w d:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w d:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w d:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w d:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w d:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w d:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w d:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w d:\windows\system32\muweb.dll
2008-10-12 14:04 0 ----a-w d:\program files\pspbrwse.jbf
2007-12-17 16:17 32 ----a-w d:\documents and settings\All Users\Application Data\ezsid.dat
2008-12-03 11:47 61,440 ----a-w d:\program files\mozilla firefox\components\FFComm.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-11_16.57.20.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-11 17:05:21 16,384 ----atw d:\windows\Temp\Perflib_Perfdata_690.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2008-12-14 23:37 204248 --------- d:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="d:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2008-12-02 3882312]
"ctfmon.exe"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="d:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Google Update"="d:\documents and settings\Adam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-28 133104]
"cogad"="d:\documents and settings\Adam\Application Data\cogad\cogad.exe" [2009-01-11 56832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"zBrowser Launcher"="d:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"DAEMON Tools"="d:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"Acrobat Assistant 7.0"="d:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"SSBkgdUpdate"="d:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="d:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"AppleSyncNotifier"="d:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"{914C5BF8-EEDD-4F3A-A8BE-34EE71CF1B29}"="d:\program files\Mediafour\XPlay 3\XPlay.exe" [2008-10-06 293376]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"BDAgent"="d:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2008-11-27 741376]
"BitDefender Antiphishing Helper"="d:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2008-11-27 69632]
"nwiz"="nwiz.exe" [2008-05-16 d:\windows\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2006-08-11 d:\windows\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 d:\windows\system32\CTXFIHLP.EXE]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - d:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-03-18 25214]
UltraMon.lnk - d:\windows\Installer\{CC15A5FC-B6D3-4A2D-8A26-D8F2702A3C00}\IcoUltraMon.ico [2008-10-12 29310]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=dejlkg.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 MDFSYSNT;MacDrive file system driver;d:\windows\system32\drivers\MDFSYSNT.SYS [2008-02-12 279808]
R1 CbFs;CbFs;d:\windows\system32\drivers\cbfs.sys [2008-11-29 136744]
R3 bdfm;BDFM;d:\windows\system32\drivers\bdfm.sys [2008-08-12 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;d:\windows\system32\drivers\bdfndisf.sys [2008-08-14 104328]
R3 LCcfltr;Logitech USB Filter Driver;d:\windows\system32\drivers\LCcfltr.sys [2007-11-13 14095]
R4 BDVEDISK;BDVEDISK;d:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [2008-07-02 82440]
R4 M4iPodWPDService;M4iPodWPDService;d:\program files\Common Files\Mediafour\iPod\M4iPodWPDService.exe [2008-10-06 211456]
R4 postgresql-8.3;PostgreSQL Server 8.3;D:/Program Files/PostgreSQL/8.3/bin/pg_ctl.exe runservice -N "postgresql-8.3" -D "D:/Program Files/PostgreSQL/8.3/data" -w --> D:/Program Files/PostgreSQL/8.3/bin/pg_ctl.exe runservice -N postgresql-8.3 [?]
R4 UltraMonUtility;UltraMon Utility Driver;d:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2008-09-14 10496]
S3 Arrakis3;BitDefender Arrakis Server;d:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
S3 UltraMonMirror;UltraMonMirror;d:\windows\system32\DRIVERS\UltraMonMirror.sys --> d:\windows\system32\DRIVERS\UltraMonMirror.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2009-01-06 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-11 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-1993962763-725345543-1003.job
- d:\documents and settings\Adam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-28 16:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - d:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - d:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - d:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - d:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
Trusted Zone: *.amaena.com
Trusted Zone: *.antispyexpert.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.imageservr.com
Trusted Zone: *.imagesrvr.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.spyguardpro.com
Trusted Zone: *.storageguardsoft.com
Trusted Zone: *.trustedantivirus.com
Trusted Zone: *.virusremover2008.com
Trusted Zone: *.virusschlacht.com
Trusted Zone: *.amaena.com
Trusted Zone: *.antispyexpert.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.imageservr.com
Trusted Zone: *.imagesrvr.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.spyguardpro.com
Trusted Zone: *.storageguardsoft.com
Trusted Zone: *.trustedantivirus.com
Trusted Zone: *.virusremover2008.com
Trusted Zone: *.virusschlacht.com

O16 -: Microsoft XML Parser for Java - file:///D:/WINDOWS/Java/classes/xmldso.cab
d:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - d:\documents and settings\Adam\Application Data\Mozilla\Firefox\Profiles\w7feqm4u.default\
FF - component: d:\documents and settings\Adam\Application Data\Mozilla\Firefox\Profiles\w7feqm4u.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: d:\program files\Mozilla Firefox\components\FFComm.dll
FF - component: d:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: d:\documents and settings\Adam\Application Data\Mozilla\Firefox\Profiles\w7feqm4u.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: d:\documents and settings\Adam\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 17:17:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\postgresql-8.3]
"ImagePath"="D:/Program Files/PostgreSQL/8.3/bin/pg_ctl.exe runservice -N \"postgresql-8.3\" -D \"D:/Program Files/PostgreSQL/8.3/data\" -w"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\postgresql-8.3]
"ImagePath"="D:/Program Files/PostgreSQL/8.3/bin/pg_ctl.exe runservice -N \"postgresql-8.3\" -D \"D:/Program Files/PostgreSQL/8.3/data\" -w"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
Completion time: 2009-01-11 17:19:03
ComboFix-quarantined-files.txt 2009-01-11 17:19:00
ComboFix2.txt 2009-01-11 17:02:12
ComboFix3.txt 2009-01-11 16:58:16
ComboFix4.txt 2009-01-11 13:11:36

Pre-Run: 133,938,487,296 bytes free
Post-Run: 133,925,044,224 bytes free

288 --- E O F --- 2008-12-18 10:56:02




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:20:15, on 01/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
D:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
D:\Program Files\Hotspot Shield\bin\openvpnas.exe
D:\Program Files\Common Files\Mediafour\iPod\M4iPodWPDService.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\PSIService.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Canon\CAL\CALMAIN.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Documents and Settings\Adam\Application Data\cogad\cogad.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
D:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
D:\WINDOWS\explorer.exe
D:\Documents and Settings\Adam\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/microsoftupdate
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - D:\Program Files\Hotspot Shield\hssie\HssIE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - D:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "D:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "D:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [{914C5BF8-EEDD-4F3A-A8BE-34EE71CF1B29}] "D:\Program Files\Mediafour\XPlay 3\XPlay.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BDAgent] "D:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "D:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Adam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [cogad] "D:\Documents and Settings\Adam\Application Data\cogad\cogad.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: UltraMon.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.antispyexpert.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.spyguardpro.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.antispyexpert.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.spyguardpro.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusremover2008.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194944531140
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194944521171
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15031/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: dejlkg.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - D:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - D:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - D:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - D:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: M4iPodWPDService - Mediafour Corporation - D:\Program Files\Common Files\Mediafour\iPod\M4iPodWPDService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Server 8.3 (postgresql-8.3) - PostgreSQL Global Development Group - D:/Program Files/PostgreSQL/8.3/bin/pg_ctl.exe
O23 - Service: ProtexisLicensing - Unknown owner - D:\WINDOWS\system32\PSIService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - D:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 13136 bytes
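Added example (the editor's, not part of the original post and not code from HijackThis or ComboFix): a short Python pass that pulls out the HijackThis lines from logs like the ones above that deserve a closer look and says why each one does. The sample lines are copied in shape from the HJT log in the post (a constructed excerpt, not the full log). The rules it applies (an autostart image under a per-user profile directory, a long opaque hex argument on an autostart, a domain added to the IE Trusted sites zone, a non-empty AppInit_DLLs value) are the editor's own triage heuristics, not a classification from either tool, so every hit is a candidate to verify rather than a confirmed finding.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "code reason line")

# HijackThis line shapes seen in the post (O4 autostart, O15 trusted zone, O20 AppInit_DLLs).
RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
TRUSTED_RE = re.compile(r'^O15 - Trusted Zone: (?P<domain>\S+)(?P<hklm> \(HKLM\))?$')
APPINIT_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<dlls>.+)$')

# A per-user profile directory on XP; anything under it is writable without admin rights.
# "All Users" is excluded because writing there does need admin rights.
PROFILE_RE = re.compile(r'\\documents and settings\\(?!all users\\)[^\\]+\\', re.IGNORECASE)
# 32 or more consecutive hex digits passed as an argument (editor's heuristic, not an HJT rule).
HEX_ARG_RE = re.compile(r'\b[0-9A-Fa-f]{32,}\b')

# Constructed excerpt in the shape of the HJT log in the post above; not the complete log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BDAgent] "D:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Adam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [cogad] "D:\Documents and Settings\Adam\Application Data\cogad\cogad.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusremover2008.com (HKLM)
O20 - AppInit_DLLs: dejlkg.dll
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
"""


def split_command(cmd):
    """Split an O4 command line into (image_path, arguments).

    Handles the quoted form ("C:\\path with spaces\\x.exe" /arg) as well as the
    unquoted form HJT prints for paths containing spaces (C:\\Program Files\\x.exe).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r'(?is)(.+?\.exe)\b\s*(.*)', cmd)
    if m:
        return m.group(1), m.group(2).strip()
    return cmd, ''


def triage(log_text):
    """Return Finding records for the HJT lines an analyst should look at first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            image, args = split_command(m.group('cmd'))
            if PROFILE_RE.search(image):
                findings.append(Finding('O4', 'autostart image lives in a user profile directory '
                                              '(writable without admin rights; legitimate per-user '
                                              'installers such as Google Update also do this)', line))
            if HEX_ARG_RE.search(args):
                findings.append(Finding('O4', 'autostart passes a long opaque hex argument', line))
            continue
        m = TRUSTED_RE.match(line)
        if m:
            scope = 'all users (HKLM)' if m.group('hklm') else 'the current user (HKCU)'
            findings.append(Finding('O15', '%s is in the IE Trusted sites zone for %s; that zone '
                                           'runs with relaxed security settings' % (m.group('domain'), scope), line))
            continue
        m = APPINIT_RE.match(line)
        if m:
            for dll in re.split(r'[ ,]+', m.group('dlls').strip()):
                if dll:
                    findings.append(Finding('O20', 'AppInit_DLLs loads %s into every process that loads '
                                                   'user32.dll; a bare name is resolved through the normal '
                                                   'DLL search order' % dll, line))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f.code, '|', f.reason)
        print('    ', f.line)
```

Run it as a script to print the hits from the constructed excerpt, or pass a saved HJT log to triage(). Note that Google's per-user updater trips the same profile-directory rule as cogad.exe; the rule reports where an autostart lives, and it is the analyst's job to confirm the publisher of each image before deciding anything.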