Virtumonde.sci Help!



DeadByComputer
2009-01-30, 16:05
Well first off, I don't know a whole lot about computers yet, but I'm on my way to learning. If you can make advice or help simple it would be appreciated, but here's my problem. I was playing a game I've played for years and I know is completely safe, and I've not done anything differently, but there are other people in my house that use this computer. While I was playing I received a notice, "Internet Explorer has found a virus and will begin scanning", which seems horribly wrong to me, first because I never use Internet Explorer, and second because it has no scanning feature to it that I know of.
I ran Spybot - Search & Destroy to check if I had a virus and somehow I had 17. I removed them and rescanned immediately to make sure it worked. That number dropped to 13.
Every time I run spybot it says it cannot get rid of virtumonde.sci and somehow one of the viruses also deleted my system restore points, so I figured I'd ask for help.
I've also run HijackThis, Ad-Aware SE, and Trend Micro's HouseCall65, but none could solve my problem.
This is a list from my last Spybot "fix", and I'm running it again currently.

--- Report generated: 2009-01-30 09:31 ---

Hint of the Day: Click the bar at the right of this to see more information! ()


Smitfraud-C.: [SBI $99619F8C] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-2025429265-583907252-682003330-1003\Software\Microsoft\instkey

Virtumonde: [SBI $8F2A4A7E] Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde.generic: [SBI $1BB1339D] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde.generic: [SBI $2F10E03B] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde: [SBI $1D86E0B2] Configuration file (File, fixed)
C:\WINDOWS\Tasks\iynursxp.job

Virtumonde: [SBI $4D2BC948] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim

Virtumonde: [SBI $779C9C0D] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP

Virtumonde: [SBI $FD08B4B7] Configuration file (File, fixed)
C:\WINDOWS\system32\kUFPYccf.ini2

Virtumonde: [SBI $2A2DCEAC] Configuration file (File, fixed)
C:\WINDOWS\system32\kUFPYccf.ini

Virtumonde.Dll: [SBI $9D9A5FC6] Library (File, fixed)
C:\WINDOWS\system32\ddcDvuut.dll

Virtumonde.sci: [SBI $D87CA6BD] Class ID (Registry value, fixing failed)
HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\=...C:\WINDOWS\system32\khfFWOEx.dll...


--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-09-16 TeaTimer.exe (1.6.3.25)
2008-11-07 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-10-22 Tools.dll (2.1.6.8)
2009-01-22 Includes\Adware.sbi (*)
2009-01-22 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-01-06 Includes\Dialer.sbi (*)
2009-01-22 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2008-11-18 Includes\Hijackers.sbi (*)
2009-01-22 Includes\HijackersC.sbi (*)
2008-12-09 Includes\Keyloggers.sbi (*)
2009-01-22 Includes\KeyloggersC.sbi (*)
2008-11-18 Includes\Malware.sbi (*)
2009-01-28 Includes\MalwareC.sbi (*)
2008-12-16 Includes\PUPS.sbi (*)
2009-01-27 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-01-27 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-01-28 Includes\Spyware.sbi (*)
2009-01-28 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2009-01-21 Includes\Trojans.sbi (*)
2009-01-27 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

Sorry for the second post, couldn't find a way to edit the original. I've just read the "BEFORE you POST" and this is the log I received from my latest scan.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:40 AM, on 1/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\SoftEther VPN Client 2.0\vpnclient.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\VM305_STI.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://housecall65.trendmicro.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: DXWnd.lnk = C:\Program Files\DXWnd\DXwnd.exe
O4 - Startup: Winamp.lnk = C:\Program Files\Winamp\winamp.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
O20 - AppInit_DLLs: vrbteu.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: PacketiX VPN Client (vpnclient) - SoftEther Corporation - C:\Program Files\SoftEther VPN Client 2.0\vpnclient.exe

--
End of file - 4367 bytes

--------------------------
FYI: "before You Post" ;)


Can I edit my own posts?

In the Spybot-S&D forum, there is a 15 minute time frame to edit one's post.
In the Malware Removal Forum, members may not edit their posts. A helper may already be analysing the information given.
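Two things a helper would do first with the logs in this post: rank the HijackThis entries by the loading point they use, and check whether the file behind Spybot's "fixing failed" line is visible to HijackThis at all. The script below is an added example written for this page, not code from the original poster, Spybot or HijackThis; its risk weights are an opinion, and the sample lines are copied from the HijackThis logs and the Spybot report in this thread.

```python
"""
Triage the two logs in the post above: rank HijackThis entries by the
loading point they use, then pull the items Spybot reported as "fixing
failed" and check whether the file behind each one shows up in the
HijackThis log at all. Added example, not code from the poster, Spybot
or HijackThis; the risk weights are this example's opinion.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis logs in the thread.
HJT_SAMPLE = """\
R3 - Default URLSearchHook is missing
O4 - HKLM\\..\\Run: [ehTray] C:\\WINDOWS\\ehome\\ehtray.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [0c6f0127] rundll32.exe "C:\\WINDOWS\\system32\\wxfavsvr.dll",b
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - AppInit_DLLs: vrbteu.dll
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\\Program Files\\Java\\jre6\\bin\\jqs.exe
"""
# Constructed sample: two items from the Spybot report in the post.
SPYBOT_SAMPLE = """\
Virtumonde.Dll: [SBI $9D9A5FC6] Library (File, fixed)
C:\\WINDOWS\\system32\\ddcDvuut.dll

Virtumonde.sci: [SBI $D87CA6BD] Class ID (Registry value, fixing failed)
HKEY_CLASSES_ROOT\\CLSID\\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\\InprocServer32\\=...C:\\WINDOWS\\system32\\khfFWOEx.dll...
"""

HJT_LINE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
FILE_NAME = re.compile(r"([\w~$-]+\.(?:dll|exe|ocx|sys))", re.IGNORECASE)
HEX_RUN_NAME = re.compile(r"\[[0-9a-f]{6,}\]")     # Run value names like [0c6f0127]
SPYBOT_HEAD = re.compile(r"^([^:]+): \[SBI \$[0-9A-F]+\] .+? \([^,]+, ([^)]+)\)$")
# Weight per HijackThis section (triage opinion, not a HijackThis feature).
SECTION_RISK = {"O20": 3, "O2": 2, "O21": 2, "O4": 1, "O23": 1}


@dataclass
class Entry:
    code: str                 # HijackThis section, e.g. "O4", "O20"
    detail: str               # rest of the line
    file: str = ""            # last file name on the line (usually the payload), lower case
    score: int = 0
    reasons: list = field(default_factory=list)


def parse_hjt(text):
    """Turn HijackThis log lines into scored Entry objects."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        e = Entry(m.group(1), m.group(2))
        names = FILE_NAME.findall(e.detail)
        e.file = names[-1].lower() if names else ""
        e.score = SECTION_RISK.get(e.code, 0)
        low = e.detail.lower()
        if e.code == "O20":
            e.reasons.append("AppInit_DLLs / Winlogon Notify: loaded into every process")
        if e.code == "O4" and "rundll32" in low and e.file.endswith(".dll"):
            e.score += 2
            e.reasons.append("Run key starts a DLL through rundll32")
        if e.code == "O4" and HEX_RUN_NAME.search(e.detail):
            e.score += 2
            e.reasons.append("hex-looking Run value name")
        if e.code == "O23" and "unknown owner" in low:
            e.score += 1
            e.reasons.append("service with no vendor string")
        entries.append(e)
    return entries


def triage(text, threshold=3):
    """Entries at or above the threshold, highest score first."""
    return sorted((e for e in parse_hjt(text) if e.score >= threshold), key=lambda e: -e.score)


def spybot_failed(report):
    """(threat, target line, file named in it) for every item Spybot could not fix."""
    lines, out = report.splitlines(), []
    for i, line in enumerate(lines):
        m = SPYBOT_HEAD.match(line.strip())
        if not m or "failed" not in m.group(2):
            continue
        target = lines[i + 1].strip() if i + 1 < len(lines) else ""
        names = FILE_NAME.findall(target)
        out.append((m.group(1), target, names[-1].lower() if names else ""))
    return out


def unseen_by_hjt(hjt_text, spybot_report):
    """Files behind failed Spybot fixes that HijackThis does not list anywhere."""
    seen = {e.file for e in parse_hjt(hjt_text)}
    return [f for _, _, f in spybot_failed(spybot_report) if f and f not in seen]


if __name__ == "__main__":
    for e in triage(HJT_SAMPLE):
        print(e.score, e.code, e.file, "; ".join(e.reasons))
    print("unfixed and not listed by HijackThis:", unseen_by_hjt(HJT_SAMPLE, SPYBOT_SAMPLE))
```

On the sample this flags wxfavsvr.dll (a Run value named 0c6f0127 that starts a DLL through rundll32) and vrbteu.dll (AppInit_DLLs), leaves the "Unknown owner" ATI service below the threshold, and reports khfFWOEx.dll as the file behind the failed fix that HijackThis does not list at all: the only places this thread shows khfFWOEx.dll being loaded (ShellExecuteHooks, Winlogon Notify, and inside winlogon.exe) are in the ComboFix output, not in either HijackThis log.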

DeadByComputer
2009-01-31, 05:21
I was trying to edit it within 5 minutes of posting, though it did randomly log me out...
I also noticed a new symptom that I didn't expect. For some reason I cannot connect to any other computer on my network now, though the internet still works. That along with my randomly disappearing system restore dates is confusing me.
I know I shouldn't jump ahead of people who know more than myself, but I had backed up all of my files on another computer about a week before this problem started, so I thought I'd attempt the general advice that was given to everyone else.
I backed up my registry with ERUNT, and ran ComboFix. Unlike what I've seen in every explanation, it never allowed me to install the Recovery Console.

This is my log from combo fix...

ComboFix 09-01-21.04 - Ryan 2009-01-30 23:02:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.648 [GMT -5:00]
Running from: c:\documents and settings\Ryan\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Temp\tmp3.tmp

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-31 )))))))))))))))))))))))))))))))
.

2009-01-30 23:02 . 2009-01-30 23:02 120 ---hs---- c:\windows\system32\rvsvafxw.ini
2009-01-30 13:17 . 2009-01-30 13:17 <DIR> d-------- c:\windows\LastGood
2009-01-30 11:07 . 2009-01-30 11:07 <DIR> d-------- c:\program files\ERUNT
2009-01-30 10:18 . 2009-01-30 23:02 40,630 --ahs---- c:\windows\system32\kUFPYccf.ini2
2009-01-30 09:39 . 2009-01-30 09:39 129,024 --a------ c:\windows\system32\vrbteu.dll
2009-01-30 09:39 . 2009-01-30 09:39 129,024 --a------ c:\windows\system32\nxtxbynj.dll
2009-01-30 09:36 . 2009-01-30 09:36 72,704 --a------ c:\windows\system32\wxfavsvr.dll
2009-01-30 09:33 . 2009-01-30 09:33 75,776 --a------ c:\windows\system32\semkbdyp.dll
2009-01-30 09:33 . 2009-01-30 23:02 40,630 --ahs---- c:\windows\system32\kUFPYccf.ini
2009-01-30 00:18 . 2009-01-30 00:18 95 --a------ c:\windows\wininit.ini
2009-01-29 03:40 . 2009-01-29 03:40 129,024 --a------ c:\windows\system32\xwrhzp.dll
2009-01-29 03:40 . 2009-01-29 03:40 129,024 --a------ c:\windows\system32\whlthqvi.dll
2009-01-29 03:33 . 2009-01-29 03:33 315,904 --a------ c:\windows\system32\fccYPFUk.dll
2009-01-29 02:33 . 2009-01-29 02:33 315,904 --a------ c:\windows\system32\mlJDuuuu.dll
2009-01-29 02:27 . 2009-01-29 02:27 36,352 --a------ c:\windows\system32\khfFWOEx.dll
2009-01-11 14:33 . 2009-01-11 14:33 <DIR> d-------- C:\AeriaGames
2009-01-05 23:07 . 2009-01-05 23:07 <DIR> d-------- c:\program files\Pando Networks
2009-01-05 23:07 . 2009-01-05 23:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\PMB Files
2009-01-04 17:32 . 2009-01-04 17:32 <DIR> d-------- c:\program files\Winamp
2009-01-04 17:32 . 2009-01-05 10:47 <DIR> d-------- c:\documents and settings\Ryan\Application Data\Winamp
2008-12-23 18:06 . 2008-12-23 18:06 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2008-12-22 02:19 . 2008-12-22 02:26 139,264 --a------ c:\windows\War3Unin.exe
2008-12-22 02:19 . 2008-12-22 02:26 54,766 --a------ c:\windows\War3Unin.dat
2008-12-22 02:19 . 2008-12-22 02:26 2,829 --a------ c:\windows\War3Unin.pif
2008-12-22 02:15 . 2009-01-27 23:42 <DIR> d-------- c:\program files\Warcraft III
2008-12-22 01:23 . 2008-12-22 01:23 <DIR> d-------- c:\documents and settings\Ryan\Application Data\My Games
2008-12-22 00:15 . 2008-12-22 00:15 <DIR> d-------- c:\documents and settings\Ryan\Application Data\InstallShield Installation Information
2008-12-22 00:15 . 2008-12-22 00:15 <DIR> d-------- c:\documents and settings\Ryan\Application Data\Firaxis Games
2008-12-07 10:24 . 2008-12-07 10:25 <DIR> d-------- c:\program files\CodeBlocks
2008-12-05 16:57 . 2008-12-05 16:57 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-05 16:57 . 2008-12-05 16:57 1,409 --a------ c:\windows\QTFont.for
2008-12-03 15:01 . 2008-11-10 05:43 410,984 --a------ c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-31 03:03 --------- d-----w c:\program files\Windows Live Safety Center
2009-01-30 07:19 --------- d-----w c:\program files\SoftEther VPN Client 2.0
2009-01-25 00:14 --------- d-----w c:\documents and settings\Ryan\Application Data\uTorrent
2009-01-21 06:08 --------- d-----w c:\documents and settings\All Users\Application Data\Dragon's Eye Productions
2008-12-23 23:07 --------- d-----w c:\documents and settings\Ryan\Application Data\Ventrilo
2008-12-23 23:06 --------- d-----w c:\program files\Ventrilo
2008-12-23 23:06 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-16 18:12 --------- d-----w c:\documents and settings\Ryan\Application Data\codeblocks
2008-12-12 18:59 --------- d-----w c:\program files\Java
2008-12-08 22:33 --------- d--h--w c:\program files\Objects
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-08-11 04:08 978,396 ----a-w c:\program files\BDAXP.cab
2008-05-14 15:19 0 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
2008-04-09 13:15 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7708A939-1971-4239-8D92-660F80E70CC3}]
2009-01-29 03:33 315904 --a------ c:\windows\system32\fccYPFUk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-04-09 282624]
"BigDog305"="c:\windows\VM305_STI.EXE" [2005-08-05 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"0c6f0127"="c:\windows\system32\wxfavsvr.dll" [2009-01-30 72704]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]

c:\documents and settings\Ryan\Start Menu\Programs\Startup\
DXWnd.lnk - c:\program files\DXWnd\DXwnd.exe [2007-09-12 266240]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Winamp.lnk - c:\program files\Winamp\winamp.exe [2008-08-03 1345376]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\khfFWOEx.dll" [2009-01-29 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfFWOEx]
2009-01-29 02:27 36352 c:\windows\system32\khfFWOEx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=G

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\fccYPFUk

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"l:\files\Games\Combat Arms\Combat Arms\CombatArms.exe"= l:\files\Games\Combat Arms\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"l:\files\Games\Combat Arms\Combat Arms\Engine.exe"= l:\files\Games\Combat Arms\Combat Arms\Engine.exe:*Enabled:Engine.exe
"l:\\Files\\Games\\Combat Arms\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Documents and Settings\\Ryan\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\SoftEther VPN Client 2.0\\vpnclient.exe"=
"c:\\Program Files\\SoftEther VPN Client 2.0\\vpncmgr.exe"=
"c:\\Program Files\\SoftEther VPN Client 2.0\\vpncmd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58342:TCP"= 58342:TCP:Pando Media Booster
"58342:UDP"= 58342:UDP:Pando Media Booster

S3 Neo_VPN;VPN Client Device Driver - VPN;c:\windows\system32\drivers\Neo_0108.sys [2008-04-03 22264]
S3 ZSMC0305;ZVC7100 PC CAMERA (VC0305);c:\windows\system32\drivers\usbVM305.sys [2008-06-18 392444]
S4 npkcjpn;npkcjpn;\??\f:\files\Games\JMS\npkcjpn.sys --> f:\files\Games\JMS\npkcjpn.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - aawservice
*Deregistered* - ALG
*Deregistered* - Ati HotKey Poller
*Deregistered* - ATI Smart
*Deregistered* - AudioSrv
*Deregistered* - Browser
*Deregistered* - CachemanXPService
*Deregistered* - COMSysApp
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ehRecvr
*Deregistered* - ehSched
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - ForcewareWebInterface
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTPFilter
*Deregistered* - JavaQuickStarterService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - NPPTNT2
*Deregistered* - nSvcLog
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - usnjsvc
*Deregistered* - Viewpoint Manager Service
*Deregistered* - vpnclient
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - WudfSvc
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3487f8e5-f20e-11dc-a139-806d6172696f}]
\Shell\AutoRun\command - F:\ASUSACPI.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{C28D2835-BBFF-40A0-9D71-7C7C782DBC14} - (no file)
WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://housecall65.trendmicro.com/
FF - ProfilePath - c:\documents and settings\Ryan\Application Data\Mozilla\Firefox\Profiles\e4vwcojx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPBelv32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-30 23:04:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog305 = c:\windows\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)???????????????????0?????????@??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2025429265-583907252-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\khfFWOEx.dll

- - - - - - - > 'lsass.exe'(676)
c:\windows\system32\fccYPFUk.dll
.
Completion time: 2009-01-30 23:09:23
ComboFix-quarantined-files.txt 2009-01-31 04:08:47

Pre-Run: 5,739,376,640 bytes free
Post-Run: 5,974,663,168 bytes free

251 --- E O F --- 2008-08-28 19:11:46





*******And a log from re-running HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:48 PM, on 1/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\SoftEther VPN Client 2.0\vpnclient.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\VM305_STI.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\DXWnd\DXwnd.exe
C:\Documents and Settings\Ryan\Desktop\Utilities\jtk374en\JoyToKey.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://housecall65.trendmicro.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [0c6f0127] rundll32.exe "C:\WINDOWS\system32\wxfavsvr.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: DXWnd.lnk = C:\Program Files\DXWnd\DXwnd.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Winamp.lnk = C:\Program Files\Winamp\winamp.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: PacketiX VPN Client (vpnclient) - SoftEther Corporation - C:\Program Files\SoftEther VPN Client 2.0\vpnclient.exe

--
End of file - 4923 bytes
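The ComboFix log answers the question the first post raised (why Spybot could not fix the Virtumonde.sci entry): the same randomly named DLLs are registered in several loading points at once, two of which (Winlogon Notify and the LSA Authentication Packages list) are consulted inside winlogon.exe and lsass.exe from boot, and the "DLLs Loaded Under Running Processes" section confirms khfFWOEx.dll is mapped into winlogon.exe and fccYPFUk.dll into lsass.exe. The script below is an added example, not ComboFix's own code or the poster's; it parses the three sections involved and lists which names are loaded from a boot-time point or sit inside a protected process. Which points count as boot-time and which processes as protected is this example's choice, and the sample is a trimmed copy of the log above.

```python
"""
Correlate the persistence points in a ComboFix log with the DLLs it saw
loaded inside winlogon.exe and lsass.exe. Added example, not ComboFix's
own code; the sample is a trimmed copy of the log above, and the choice
of boot-time loading points and protected processes is this example's.
"""
import re
from collections import defaultdict

COMBOFIX_SAMPLE = """\
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-31 )))))))))))))))))))))))))))))))
.
2009-01-30 09:36 . 2009-01-30 09:36 72,704 --a------ c:\\windows\\system32\\wxfavsvr.dll
2009-01-29 03:33 . 2009-01-29 03:33 315,904 --a------ c:\\windows\\system32\\fccYPFUk.dll
2009-01-29 02:27 . 2009-01-29 02:27 36,352 --a------ c:\\windows\\system32\\khfFWOEx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{7708A939-1971-4239-8D92-660F80E70CC3}]
2009-01-29 03:33 315904 --a------ c:\\windows\\system32\\fccYPFUk.dll

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ehTray"="c:\\windows\\ehome\\ehtray.exe" [2004-08-10 59392]
"0c6f0127"="c:\\windows\\system32\\wxfavsvr.dll" [2009-01-30 72704]

[hkey_local_machine\\software\\microsoft\\windows\\currentversion\\explorer\\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\\windows\\system32\\khfFWOEx.dll" [2009-01-29 36352]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\khfFWOEx]
2009-01-29 02:27 36352 c:\\windows\\system32\\khfFWOEx.dll

[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\\windows\\system32\\fccYPFUk
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\\windows\\system32\\Ati2evxx.dll
c:\\windows\\system32\\khfFWOEx.dll

- - - - - - - > 'lsass.exe'(676)
c:\\windows\\system32\\fccYPFUk.dll
.
Completion time: 2009-01-30 23:09:23
"""

PATH_RE = re.compile(r'c:\\windows\\[^\s"\[\]]+', re.IGNORECASE)
KEY_RE = re.compile(r"^\[(.+)\]$")
PROC_RE = re.compile(r"^- - - - - - - > '([^']+)'\(\d+\)")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. ")
SECTIONS = {"Reg Loading Points": "reg",
            "DLLs Loaded Under Running Processes": "procs",
            "Files Created": "created"}
# Loading points consulted before the desktop exists, and the processes that
# host them: a DLL registered here is mapped before any on-demand cleaner runs.
BOOT_POINTS = ("winlogon\\notify", "control\\lsa", "appinit_dlls")
PROTECTED = {"winlogon.exe", "lsass.exe", "services.exe", "csrss.exe"}


def stem(path):
    """Lower-case name without extension: the LSA entry lists fccYPFUk with
    no .dll, and it must land on the same record as fccYPFUk.dll."""
    return re.sub(r"\.(dll|exe|sys)$", "", path.rsplit("\\", 1)[-1].lower())


def section_of(line, current):
    """(section, is_header): known headers switch sections, any other banner ends one."""
    for marker, name in SECTIONS.items():
        if marker in line:
            return name, True
    if line.startswith(("(((", "---", "***", "Completion time")):
        return None, True
    return current, False


def correlate(text):
    """name -> registry keys that load it, processes it is mapped into, creation time."""
    info = defaultdict(lambda: {"keys": [], "processes": [], "created": None})
    section = key = proc = None
    for line in text.splitlines():
        section, is_header = section_of(line, section)
        if is_header:
            continue
        if section == "reg" and (m := KEY_RE.match(line)):
            key = m.group(1)                      # subsequent paths belong to this key
        elif section == "procs" and (m := PROC_RE.match(line)):
            proc = m.group(1).lower()             # subsequent paths are mapped into this process
        elif section == "reg":
            for p in PATH_RE.findall(line):
                info[stem(p)]["keys"].append(key)
        elif section == "procs":
            for p in PATH_RE.findall(line):
                info[stem(p)]["processes"].append(proc)
        elif section == "created" and (m := CREATED_RE.match(line)):
            for p in PATH_RE.findall(line):
                info[stem(p)]["created"] = m.group(1)
    return dict(info)


def stubborn(text):
    """Names with a non-default loading point that runs at boot or sits in a
    protected process. A user-mode cleaner cannot delete a DLL mapped into
    winlogon.exe or lsass.exe while they run, which is the likely reason for
    Spybot's 'fixing failed' on the InprocServer32 value."""
    hits = []
    for name, d in correlate(text).items():
        if not d["keys"]:   # e.g. Ati2evxx.dll in winlogon.exe: a default entry ComboFix hides
            continue
        boot = any(k and any(b in k.lower() for b in BOOT_POINTS) for k in d["keys"])
        if boot or PROTECTED & set(d["processes"]):
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    for name in stubborn(COMBOFIX_SAMPLE):
        print(name, correlate(COMBOFIX_SAMPLE)[name])
```

Running it reports fccYPFUk and khfFWOEx and nothing else: wxfavsvr.dll is only a Run value and comes out with the key, and Ati2evxx.dll is mapped into winlogon.exe but has no non-default loading point, so "loaded in winlogon" on its own is not a verdict. The same log also shows AntiVirusDisableNotify and UpdatesDisableNotify set to 1 and EnableFirewall set to 0 for the standard profile; whoever set them, they want reverting once the DLLs are gone, and the O20 AppInit_DLLs entry (vrbteu.dll in the HijackThis log) belongs on the same removal list even though it was created as a plain file rather than a Winlogon or LSA package.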