triaddraykin
2009-02-02, 10:47
I have, in order:
Updated HJT and Spybot
Tried unsuccessfully to remove Virtumonde from my computer via Spybot
Tried going to the castlecops.com address in the Virtumonde.generic description, they're going offline and were of no help
Run through a dozen or so forum postings about Virtumonde
Run Combofix.exe, saved the log
Run HijackThis, saved the log
Run ERUNT
Started this post
ComboFix 09-02-01.01 - Triad 2009-02-02 2:50:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.542 [GMT -5:00]
Running from: c:\documents and settings\Triad\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\AbIhQXbc.ini
c:\windows\system32\AbIhQXbc.ini2
c:\windows\system32\antiwpa.dll
c:\windows\system32\cbXQhIbA.dll
c:\windows\system32\ffchgedn.dll
c:\windows\system32\lhwkmjul.ini
c:\windows\system32\lujmkwhl.dll
c:\windows\system32\MSVolume.dll
c:\windows\system32\opnnlLbb.dll
c:\windows\system32\rgrwhwmn.dll
c:\windows\system32\ruzlzx.dll
c:\windows\system32\yoixpe.dll
.
((((((((((((((((((((((((( Files Created from 2009-01-02 to 2009-02-02 )))))))))))))))))))))))))))))))
.
2009-02-02 03:11 . 2009-02-02 03:11 2,422 --a------ c:\windows\system32\wpa.bak
2009-02-01 19:09 . 2009-02-01 19:09 <DIR> d-------- c:\program files\Trend Micro
2009-01-31 22:14 . 2009-02-01 03:01 <DIR> d-------- c:\documents and settings\Triad\Application Data\cogad
2009-01-24 05:53 . 2009-01-24 05:54 <DIR> d-------- c:\program files\AresSearch
2009-01-20 22:32 . 2009-01-20 22:32 <DIR> d-------- c:\windows\system32\URTTEMP
2009-01-18 19:09 . 2009-01-18 19:09 <DIR> d-------- c:\program files\Transparent Windows
2009-01-16 20:25 . 2009-01-16 20:25 <DIR> d-------- c:\program files\Windows Journal Viewer
2009-01-12 01:50 . 2009-01-12 01:50 <DIR> d-------- c:\program files\NifTools
2009-01-11 12:18 . 2009-01-11 12:18 664 --a------ c:\windows\system32\d3d9caps.dat
2009-01-09 02:56 . 2009-01-09 05:32 <DIR> d-------- c:\program files\Free Video Converter
2009-01-09 02:56 . 2009-01-09 02:56 61,208 --a------ c:\windows\system32\MPEG4E-uninstall.exe
2009-01-09 02:52 . 2009-01-09 02:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\VideoConverter
2009-01-05 00:26 . 2009-01-05 00:54 <DIR> d-------- c:\documents and settings\Brandye\Application Data\uTorrent
2009-01-03 16:53 . 2009-01-03 16:54 <DIR> d-------- C:\Ratchet
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-02 08:13 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-02 08:04 --------- d-----w c:\documents and settings\Triad\Application Data\WTablet
2009-02-02 07:58 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-02-02 06:36 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-02 01:19 --------- d-----w c:\documents and settings\LocalService\Application Data\WTablet
2009-02-01 13:40 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-31 22:52 --------- d-----w c:\documents and settings\Triad\Application Data\Skype
2009-01-27 14:44 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-27 07:25 --------- d-----w c:\documents and settings\Triad\Application Data\OpenOffice.org2
2009-01-25 14:22 --------- d-----w c:\documents and settings\Brandye\Application Data\WTablet
2009-01-24 10:56 --------- d-----w c:\program files\Ares
2009-01-23 18:15 --------- d-----w c:\documents and settings\Brandye\Application Data\OpenOffice.org2
2009-01-22 01:40 --------- d-----w c:\program files\Trillian
2009-01-17 01:30 --------- d-----w c:\program files\Tablet
2009-01-12 22:00 --------- d-----w c:\documents and settings\Brandye\Application Data\U3
2009-01-06 04:03 --------- d-----w c:\documents and settings\Triad\Application Data\uTorrent
2009-01-05 08:11 --------- d-----w c:\program files\palmOne
2009-01-05 08:10 --------- d-----w c:\program files\Documents To Go
2009-01-02 22:45 --------- d-----w c:\documents and settings\Rodent\Application Data\WTablet
2008-12-31 02:32 --------- d-----w c:\program files\ActivIcons
2008-12-31 01:59 --------- d-----w c:\documents and settings\Brandye\Application Data\BitTorrent
2008-12-31 01:31 --------- d-----w c:\documents and settings\Triad\Application Data\U3
2008-12-30 20:10 --------- d-----w c:\program files\Java
2008-12-28 06:26 --------- d-----w c:\program files\DAP
2008-12-28 06:25 --------- d-----w c:\documents and settings\All Users\Application Data\SpeedBit
2008-12-27 00:19 --------- d-----w c:\program files\iTunes
2008-12-27 00:19 --------- d-----w c:\program files\iPod
2008-12-27 00:19 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-27 00:17 --------- d-----w c:\program files\Bonjour
2008-12-27 00:16 --------- d-----w c:\program files\QuickTime
2008-12-27 00:14 --------- d-----w c:\program files\Common Files\Apple
2008-12-23 14:04 --------- d-----w c:\program files\Yahoo!
2008-12-23 14:04 --------- d-----w c:\documents and settings\Triad\Application Data\Yahoo!
2008-12-23 14:04 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-17 04:07 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-09 12:14 --------- d-----w c:\documents and settings\Triad\Application Data\LimeWire
2008-12-08 11:06 --------- d-----w c:\program files\MP3Gain
2008-12-04 09:34 --------- d-----w c:\documents and settings\Triad\Application Data\WinMX Music
2008-05-25 00:46 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-05-22 05:12 1,075 ----a-w c:\documents and settings\Triad\Application Data\SAS7_000.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{a00d7cbb-1428-47c6-9e5c-5fb92391f8c0}"= "c:\program files\QuickKnife\tbQuic.dll" [2006-04-09 912408]
[HKEY_CLASSES_ROOT\clsid\{a00d7cbb-1428-47c6-9e5c-5fb92391f8c0}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A00D7CBB-1428-47C6-9E5C-5FB92391F8C0}"= "c:\program files\QuickKnife\tbQuic.dll" [2006-04-09 912408]
[HKEY_CLASSES_ROOT\clsid\{a00d7cbb-1428-47c6-9e5c-5fb92391f8c0}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ares"="c:\program files\Ares\Ares.exe" [2008-12-04 3075584]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2008-12-28 3114496]
"Google Update"="c:\documents and settings\Triad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-16 133104]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"SpybotSD TeaTimer"="i:\program files\Spybot\TeaTimer.exe" [2009-01-26 2144088]
"Fraps"="c:\fraps\FRAPS.EXE" [2008-01-14 3182248]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-30 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-11 86016]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-27 1601304]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]
c:\documents and settings\Brandye\Start Menu\Programs\Startup\
Shortcut to procexp.lnk - c:\process explorer\procexp.exe [2008-05-08 3654696]
c:\documents and settings\Triad\Start Menu\Programs\Startup\
Shortcut to procexp.lnk - c:\process explorer\procexp.exe [2008-05-08 3654696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-27 09:44 10520 c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mp4e"= MPEG4Evfw.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Start Firewall (2).lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Start Firewall (2).lnk
backup=c:\windows\pss\Start Firewall (2).lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Brandye^Start Menu^Programs^Startup^BitTorrent (2).lnk]
path=c:\documents and settings\Brandye\Start Menu\Programs\Startup\BitTorrent (2).lnk
backup=c:\windows\pss\BitTorrent (2).lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Triad^Start Menu^Programs^Startup^BitTorrent.lnk]
path=c:\documents and settings\Triad\Start Menu\Programs\Startup\BitTorrent.lnk
backup=c:\windows\pss\BitTorrent.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Triad^Start Menu^Programs^Startup^Dragon NaturallySpeaking.lnk]
path=c:\documents and settings\Triad\Start Menu\Programs\Startup\Dragon NaturallySpeaking.lnk
backup=c:\windows\pss\Dragon NaturallySpeaking.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Triad^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\documents and settings\Triad\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Triad^Start Menu^Programs^Startup^ScrHots.lnk]
path=c:\documents and settings\Triad\Start Menu\Programs\Startup\ScrHots.lnk
backup=c:\windows\pss\ScrHots.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Triad^Start Menu^Programs^Startup^Transparent Windows.lnk]
path=c:\documents and settings\Triad\Start Menu\Programs\Startup\Transparent Windows.lnk
backup=c:\windows\pss\Transparent Windows.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2008-03-20 11:46 217544 c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
--a------ 2008-12-04 10:51 3075584 c:\program files\Ares\Ares.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-11-16 07:57 133104 c:\documents and settings\Triad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-16 15:15 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2007-10-25 15:33 563984 c:\program files\Common Files\logishrd\LComMgr\Communications_Helper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-10-25 15:37 2178832 c:\program files\Logitech\QuickCam\Quickcam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2006-11-06 03:27 200704 c:\program files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-05-30 14:54 21718312 c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-08-03 18:02 36352 c:\program files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-08-11 20:43 1519616 c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"f:\\Program Files\\SecondLife\\SLVoice.exe"=
"f:\\Program Files\\SecondLife\\SecondLife.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Triad\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Triad\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
"26595:TCP"= 26595:TCP:Bittorrent1
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-07-26 325128]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-26 298264]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-08-12 3406120]
R2 TeamViewer;TeamViewer 3;c:\program files\TeamViewer3\TeamViewer_Service.exe [2008-08-29 181544]
S3 ICAM3NT5;Intel USB Video Camera III;c:\windows\system32\drivers\Icam3.sys [2008-05-09 141056]
--- Other Services/Drivers In Memory ---
*Deregistered* - PROCEXP111
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60ad0afe-1ccb-11dd-a6fd-0011093ce74a}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddb2642a-4bbb-11dd-8248-001d7e9a5c7c}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-01-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-02-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-448539723-1417001333-1004.job
- c:\documents and settings\Triad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-16 07:57]
2009-02-01 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- i:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]
.
- - - - ORPHANS REMOVED - - - -
BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
BHO-{A8C48152-D42E-4CB6-A384-E9D7FAFE4ADF} - (no file)
BHO-{F302F17A-8F26-421A-8CB6-194E07FA92AD} - c:\windows\system32\cbXQhIbA.dll
Notify-Antiwpa - (no file)
Notify-opnnlLbb - (no file)
MSConfigStartUp-DNS7reminder - c:\program files\Nuance\NaturallySpeaking9\Program\ereg.exe
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
TCP: {6B9C6E0C-CE92-46DF-85DA-9616B52E7190} = 65.24.7.10,65.24.7.11
FF - ProfilePath - c:\documents and settings\Triad\Application Data\Mozilla\Firefox\Profiles\hj2sx4qw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com/ig
FF - plugin: c:\documents and settings\Triad\Application Data\Mozilla\Firefox\Profiles\hj2sx4qw.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: c:\documents and settings\Triad\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Triad\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-02 03:11:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1292428093-448539723-1417001333-1004\Software\SecuROM\License information*]
"datasecu"=hex:96,0c,5d,41,e6,bd,ee,ed,a8,73,60,ad,15,77,a0,b3,66,59,0a,b3,a7,
5b,c4,68,d4,e1,6c,7d,82,2d,1a,17,68,8a,c7,1c,44,af,a6,1b,2f,de,ad,f5,6f,fd,\
"rkeysecu"=hex:cf,a6,c9,dc,e1,07,23,9b,7b,f1,7b,89,0f,5f,f6,06
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\windows\system32\WTablet\Wacom_TabletUser.exe
c:\windows\system32\wscntfy.exe
c:\program files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2009-02-02 3:23:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-02 08:23:24
Pre-Run: 2,292,137,984 bytes free
Post-Run: 2,553,479,168 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
291 --- E O F --- 2008-11-28 22:45:58
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:58, on 2-2-2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\TeamViewer3\TeamViewer_Service.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\DAP\DAP.EXE
C:\Documents and Settings\Triad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\FRAPS\FRAPS.EXE
C:\Process Explorer\procexp.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Triad\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: QuickKnife toolbar - {a00d7cbb-1428-47c6-9e5c-5fb92391f8c0} - C:\Program Files\QuickKnife\tbQuic.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Triad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] I:\Program Files\Spybot\TeaTimer.exe
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - Startup: ERUNT AutoBackup.lnk = I:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Shortcut to procexp.lnk = C:\Process Explorer\procexp.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B9C6E0C-CE92-46DF-85DA-9616B52E7190}: NameServer = 65.24.7.10,65.24.7.11
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: TeamViewer 3 (TeamViewer) - TeamViewer GmbH - C:\Program Files\TeamViewer3\TeamViewer_Service.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
--
End of file - 6553 bytes
Do NOT run 'fixes' before helpers have analyzed HJT log (http://forums.spybot.info/showthread.php?t=16806)
c:\documents and settings\Brandye\Start Menu\Programs\Startup\
Shortcut to procexp.lnk - c:\process explorer\procexp.exe [2008-05-08 3654696]
c:\documents and settings\Triad\Start Menu\Programs\Startup\
Shortcut to procexp.lnk - c:\process explorer\procexp.exe [2008-05-08 3654696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-27 09:44 10520 c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mp4e"= MPEG4Evfw.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Start Firewall (2).lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Start Firewall (2).lnk
backup=c:\windows\pss\Start Firewall (2).lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Brandye^Start Menu^Programs^Startup^BitTorrent (2).lnk]
path=c:\documents and settings\Brandye\Start Menu\Programs\Startup\BitTorrent (2).lnk
backup=c:\windows\pss\BitTorrent (2).lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Triad^Start Menu^Programs^Startup^BitTorrent.lnk]
path=c:\documents and settings\Triad\Start Menu\Programs\Startup\BitTorrent.lnk
backup=c:\windows\pss\BitTorrent.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Triad^Start Menu^Programs^Startup^Dragon NaturallySpeaking.lnk]
path=c:\documents and settings\Triad\Start Menu\Programs\Startup\Dragon NaturallySpeaking.lnk
backup=c:\windows\pss\Dragon NaturallySpeaking.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Triad^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\documents and settings\Triad\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Triad^Start Menu^Programs^Startup^ScrHots.lnk]
path=c:\documents and settings\Triad\Start Menu\Programs\Startup\ScrHots.lnk
backup=c:\windows\pss\ScrHots.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Triad^Start Menu^Programs^Startup^Transparent Windows.lnk]
path=c:\documents and settings\Triad\Start Menu\Programs\Startup\Transparent Windows.lnk
backup=c:\windows\pss\Transparent Windows.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2008-03-20 11:46 217544 c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
--a------ 2008-12-04 10:51 3075584 c:\program files\Ares\Ares.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-11-16 07:57 133104 c:\documents and settings\Triad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-16 15:15 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2007-10-25 15:33 563984 c:\program files\Common Files\logishrd\LComMgr\Communications_Helper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-10-25 15:37 2178832 c:\program files\Logitech\QuickCam\Quickcam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2006-11-06 03:27 200704 c:\program files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-05-30 14:54 21718312 c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-08-03 18:02 36352 c:\program files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-08-11 20:43 1519616 c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"f:\\Program Files\\SecondLife\\SLVoice.exe"=
"f:\\Program Files\\SecondLife\\SecondLife.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Triad\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Triad\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
"26595:TCP"= 26595:TCP:Bittorrent1
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-07-26 325128]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-26 298264]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-08-12 3406120]
R2 TeamViewer;TeamViewer 3;c:\program files\TeamViewer3\TeamViewer_Service.exe [2008-08-29 181544]
S3 ICAM3NT5;Intel USB Video Camera III;c:\windows\system32\drivers\Icam3.sys [2008-05-09 141056]
--- Other Services/Drivers In Memory ---
*Deregistered* - PROCEXP111
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60ad0afe-1ccb-11dd-a6fd-0011093ce74a}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddb2642a-4bbb-11dd-8248-001d7e9a5c7c}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-01-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-02-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-448539723-1417001333-1004.job
- c:\documents and settings\Triad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-16 07:57]
2009-02-01 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- i:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]
.
- - - - ORPHANS REMOVED - - - -
BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
BHO-{A8C48152-D42E-4CB6-A384-E9D7FAFE4ADF} - (no file)
BHO-{F302F17A-8F26-421A-8CB6-194E07FA92AD} - c:\windows\system32\cbXQhIbA.dll
Notify-Antiwpa - (no file)
Notify-opnnlLbb - (no file)
MSConfigStartUp-DNS7reminder - c:\program files\Nuance\NaturallySpeaking9\Program\ereg.exe
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
TCP: {6B9C6E0C-CE92-46DF-85DA-9616B52E7190} = 65.24.7.10,65.24.7.11
FF - ProfilePath - c:\documents and settings\Triad\Application Data\Mozilla\Firefox\Profiles\hj2sx4qw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com/ig
FF - plugin: c:\documents and settings\Triad\Application Data\Mozilla\Firefox\Profiles\hj2sx4qw.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: c:\documents and settings\Triad\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Triad\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-02 03:11:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1292428093-448539723-1417001333-1004\Software\SecuROM\License information*]
"datasecu"=hex:96,0c,5d,41,e6,bd,ee,ed,a8,73,60,ad,15,77,a0,b3,66,59,0a,b3,a7,
5b,c4,68,d4,e1,6c,7d,82,2d,1a,17,68,8a,c7,1c,44,af,a6,1b,2f,de,ad,f5,6f,fd,\
"rkeysecu"=hex:cf,a6,c9,dc,e1,07,23,9b,7b,f1,7b,89,0f,5f,f6,06
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\windows\system32\WTablet\Wacom_TabletUser.exe
c:\windows\system32\wscntfy.exe
c:\program files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2009-02-02 3:23:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-02 08:23:24
Pre-Run: 2,292,137,984 bytes free
Post-Run: 2,553,479,168 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
291 --- E O F --- 2008-11-28 22:45:58
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:58, on 2-2-2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\TeamViewer3\TeamViewer_Service.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\DAP\DAP.EXE
C:\Documents and Settings\Triad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\FRAPS\FRAPS.EXE
C:\Process Explorer\procexp.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Triad\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: QuickKnife toolbar - {a00d7cbb-1428-47c6-9e5c-5fb92391f8c0} - C:\Program Files\QuickKnife\tbQuic.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Triad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] I:\Program Files\Spybot\TeaTimer.exe
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - Startup: ERUNT AutoBackup.lnk = I:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Shortcut to procexp.lnk = C:\Process Explorer\procexp.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B9C6E0C-CE92-46DF-85DA-9616B52E7190}: NameServer = 65.24.7.10,65.24.7.11
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: TeamViewer 3 (TeamViewer) - TeamViewer GmbH - C:\Program Files\TeamViewer3\TeamViewer_Service.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
--
End of file - 6553 bytes
Do NOT run 'fixes' before helpers have analyzed HJT log (http://forums.spybot.info/showthread.php?t=16806)