PDA

View Full Version : Help needed removing Virtumonde



macnab
2009-02-25, 09:38
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:35:27, on 25/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\General\Bluetooth\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Internet\AVG\avgwdsvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
D:\Internet\Comodo Firewall\Comodo\Firewall\cmdagent.exe
D:\Nero 8\Nero 8\InCD\InCDsrv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Nero 8\Nero 8\Nero BackItUp\NBService.exe
D:\Internet\AVG\avgrsx.exe
D:\Internet\AVG\avgnsx.exe
D:\Internet\AVG\avgcsrvx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
D:\Internet\AVG\avgemc.exe
D:\Internet\AVG\avgcsrvx.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
D:\Internet\Comodo Firewall\Comodo\Firewall\CPF.exe
D:\Internet\AVG\avgtray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Internet\AVG\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Internet\Comodo Firewall\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SecurDisc] D:\Nero 8\Nero 8\InCD\NBHGui.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [AVG8_TRAY] D:\Internet\AVG\avgtray.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - D:\General\Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Internet\AVG\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\Internet\AVG\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\Internet\AVG\avgwdsvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - D:\General\Bluetooth\bin\btwdins.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Internet\Comodo Firewall\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Update Service (gupdate1c989c9eb7d5a64) (gupdate1c989c9eb7d5a64) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Nero 8\Nero 8\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Nero 8\Nero 8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

--
End of file - 6514 bytes

pskelley
2009-02-27, 15:21
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

For your benefit, the instructions are pinned (sticky) to the top of the Malware Removal forum, please read and be sure you have followed those instructions. I have also posted the "Before you Post" instructions at the top of this thread.

1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from here:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks

macnab
2009-02-27, 18:45
ComboFix 09-02-24.02 - Nigel 2009-02-26 9:40:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.625 [GMT 2:00]
Running from: c:\documents and settings\Nigel\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: COMODO Firewall Pro *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((( Files Created from 2009-01-26 to 2009-02-26 )))))))))))))))))))))))))))))))
.

2009-02-25 09:33 . 2009-02-25 09:33 <DIR> d-------- c:\program files\Trend Micro
2009-02-25 09:29 . 2009-02-25 09:29 <DIR> d-------- c:\program files\ERUNT
2009-02-23 09:29 . 2009-02-23 09:29 <DIR> d-------- c:\documents and settings\Nigel\Bluetooth Software
2009-02-23 09:28 . 2008-04-14 05:41 21,504 --a------ c:\windows\system32\hidserv.dll
2009-02-23 09:28 . 2008-04-14 05:41 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
2009-02-23 09:27 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2009-02-23 09:27 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2009-02-23 09:23 . 2007-03-31 07:02 876,384 --a------ c:\windows\system32\drivers\btkrnl.sys
2009-02-23 09:23 . 2007-03-23 04:49 539,072 --a------ c:\windows\system32\drivers\btaudio.sys
2009-02-23 09:23 . 2007-03-23 04:50 149,123 --a------ c:\windows\system32\drivers\btwdndis.sys
2009-02-23 09:23 . 2007-03-23 04:50 106,557 --a------ c:\windows\system32\btw_ci.dll
2009-02-23 09:23 . 2007-03-23 04:50 67,960 --a------ c:\windows\system32\drivers\btwusb.sys
2009-02-23 09:23 . 2007-03-31 07:02 55,352 --a------ c:\windows\system32\drivers\btwhid.sys
2009-02-23 09:23 . 2007-03-23 04:50 37,424 --a------ c:\windows\system32\drivers\btport.sys
2009-02-16 10:25 . 2009-02-16 10:25 27,958 --a------ c:\windows\system32\SpoonUninstall-dBpowerAMP WMA V9 Codec.bmp
2009-02-16 10:25 . 2009-02-16 10:25 2,162 --a------ c:\windows\system32\SpoonUninstall-dBpowerAMP WMA V9 Codec.dat
2009-02-16 10:24 . 2009-02-16 10:24 36,085 --a------ c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2009-02-16 10:24 . 2009-02-16 10:23 33,846 --a------ c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.bmp
2009-02-15 08:17 . 2009-02-26 09:32 <DIR> d-------- c:\documents and settings\Nigel\Application Data\Simple Sudoku
2009-02-09 07:57 . 2009-02-09 07:57 <DIR> d-------- c:\documents and settings\Nigel\Application Data\EPSON
2009-02-08 11:49 . 2009-02-08 11:49 <DIR> d-------- c:\program files\MSXML 4.0
2009-02-08 11:28 . 2008-06-13 13:05 272,128 --------- c:\windows\system32\drivers\bthport.sys
2009-02-08 11:28 . 2008-06-13 13:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-02-08 11:24 . 2008-08-14 12:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-08 11:24 . 2008-08-14 12:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-08 11:24 . 2008-08-14 11:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-08 11:24 . 2008-08-14 11:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-08 11:21 . 2008-10-24 13:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-02-08 10:58 . 2005-02-25 05:35 22,752 --a------ c:\windows\system32\spupdsvc.exe
2009-02-08 10:42 . 2009-02-13 16:24 <DIR> d-------- c:\program files\Google
2009-02-08 07:36 . 2009-02-24 07:20 540 --a------ c:\windows\system32\PDBootState
2009-02-08 06:48 . 2009-02-08 06:48 <DIR> d-------- c:\windows\SHELLNEW
2009-02-08 06:48 . 2009-02-08 06:48 <DIR> d-------- c:\program files\Microsoft.NET
2009-02-08 06:48 . 2009-02-08 06:48 <DIR> d-------- c:\program files\Microsoft ActiveSync
2009-02-06 08:54 . 2009-02-06 08:54 <DIR> d-------- c:\documents and settings\Nigel\Application Data\Corel
2009-02-06 08:11 . 2009-02-06 08:11 <DIR> d-------- c:\program files\Common Files\Corel
2009-02-06 07:08 . 2005-01-12 19:56 335,872 --a------ c:\windows\system32\m4atag.dll
2009-02-06 07:08 . 2004-07-22 15:00 214,016 --a------ c:\windows\system32\sqlite.dll
2009-02-06 07:01 . 2009-02-16 10:25 167,936 --a------ c:\windows\system32\SpoonUninstall.exe
2009-02-06 06:50 . 2009-02-06 06:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-02-06 06:43 . 2009-02-06 06:43 <DIR> d-------- c:\program files\Common Files\Adobe Systems Shared
2009-02-05 17:53 . 2009-02-26 09:12 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-02-05 17:53 . 2009-02-11 12:15 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-02-05 17:53 . 2009-02-11 12:15 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-02-05 17:53 . 2009-02-11 12:15 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-02-05 09:42 . 2005-05-05 22:50 151,552 --------- c:\windows\system32\pxwma.dll
2009-02-05 09:42 . 2005-04-25 11:03 109,568 --------- c:\windows\system32\pxinsi64.exe
2009-02-05 09:42 . 2004-09-27 10:00 108,544 --------- c:\windows\system32\pxcpyi64.exe
2009-02-05 09:42 . 2005-04-25 11:03 20,640 --------- c:\windows\system32\drivers\PxHelp20.sys
2009-02-04 12:24 . 2009-02-04 12:28 455 --a------ c:\windows\VFO.VST
2009-02-04 12:24 . 2009-02-04 12:24 51 --a------ c:\windows\system32\blue.SITENAME
2009-02-04 12:08 . 1999-11-10 12:05 86,016 --a------ c:\windows\unvise32qt.exe
2009-02-04 12:07 . 2009-02-04 12:08 <DIR> d-------- c:\windows\system32\QuickTime
2009-02-04 12:07 . 2009-02-04 12:08 <DIR> d-------- c:\program files\QuickTime
2009-02-04 12:07 . 2009-02-04 12:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\QuickTime
2009-02-04 12:07 . 2009-02-25 18:49 1,208 --a------ c:\windows\VFO.INI
2009-02-04 12:06 . 2009-02-04 12:06 <DIR> d-------- c:\program files\DivX
2009-02-04 12:06 . 2003-11-25 05:02 196,096 --a------ c:\windows\system32\macd32.dll
2009-02-04 12:06 . 2005-06-02 19:28 171,008 --a------ c:\windows\system32\drivers\MarvinBus.sys
2009-02-04 12:06 . 2003-11-25 05:02 138,752 --a------ c:\windows\system32\mase32.dll
2009-02-04 12:06 . 2003-11-25 05:02 136,192 --a------ c:\windows\system32\mamc32.dll
2009-02-04 12:06 . 2003-11-25 05:02 57,856 --a------ c:\windows\system32\masd32.dll
2009-02-04 12:06 . 2003-11-25 05:02 27,648 --a------ c:\windows\system32\ma32.dll
2009-02-04 12:05 . 2004-02-24 12:04 41,219 --a------ c:\windows\RSETPATH.exe
2009-02-04 12:02 . 2009-02-04 12:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Pinnacle Studio
2009-02-04 09:34 . 2009-02-04 09:34 <DIR> d-------- c:\windows\nview
2009-02-04 09:33 . 2009-02-04 09:33 <DIR> d-------- C:\NVIDIA
2009-02-03 16:24 . 2004-02-04 22:11 81,920 --a------ c:\windows\system32\AC3ACM.acm
2009-02-03 14:25 . 2009-02-26 09:03 69 --a------ c:\windows\NeroDigital.ini
2009-02-03 14:04 . 2006-01-05 13:27 <DIR> d-------- c:\documents and settings\Nigel\Application Data\LEAPS
2009-02-03 14:03 . 2006-01-05 13:27 <DIR> d-------- c:\documents and settings\Nigel\Application Data\Pegasys Inc
2009-02-03 09:58 . 2009-02-03 09:56 145,504 --a------ c:\windows\system32\bgsvcgen.exe
2009-02-03 09:58 . 2009-02-03 09:56 59,488 --a------ c:\windows\system32\GenSvcInst.exe
2009-02-03 09:58 . 2009-02-03 09:56 33,408 --a------ c:\windows\system32\drivers\CDRBSDRV.SYS
2009-02-03 09:50 . 2009-02-03 09:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\SmartSound Software Inc
2009-02-03 09:44 . 2003-03-15 22:15 90,112 --a------ c:\windows\unvise32.exe
2009-02-03 09:40 . 2009-02-03 09:40 <DIR> d-------- c:\program files\Pinnacle
2009-02-03 09:40 . 2009-02-04 12:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Pinnacle
2009-02-03 09:40 . 2005-02-09 11:59 14,165 --a------ c:\windows\system32\drivers\Pclepci.sys
2009-02-03 09:21 . 2009-02-13 16:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\SlySoft
2009-02-03 09:19 . 2009-02-03 09:21 24 ---hs---- c:\windows\S6E6835BE.tmp
2009-02-03 09:17 . 2009-02-03 09:17 <DIR> d-------- c:\documents and settings\Nigel\Application Data\MCMPEGEnc
2009-02-03 09:14 . 2004-01-12 00:00 348,160 --a------ c:\windows\system\msvcr71.dll
2009-02-03 08:42 . 2009-02-25 07:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-03 05:43 . 2009-02-03 05:43 <DIR> d-------- c:\documents and settings\Nigel\Application Data\Malwarebytes
2009-02-03 05:43 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-03 05:43 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-03 05:41 . 2009-02-03 05:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-02 18:01 . 2009-02-02 18:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-02 17:08 . 2009-02-02 17:08 <DIR> d-------- c:\program files\Java
2009-02-02 17:08 . 2009-02-02 17:08 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-02 17:08 . 2009-02-02 17:08 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-02 15:22 . 2009-02-02 15:22 <DIR> d-------- c:\documents and settings\Nigel\Application Data\Nero
2009-02-02 15:15 . 2006-08-17 14:57 1,712,128 -ra------ c:\windows\system32\gdiplus.dll
2009-02-02 15:15 . 2006-08-17 14:57 317,952 -ra------ c:\windows\system32\Roboex32.dll
2009-02-02 15:15 . 2006-08-17 14:57 48,640 -ra------ c:\windows\system32\INETWH32.DLL
2009-02-02 15:07 . 2009-02-02 15:07 <DIR> d-------- c:\program files\Raxco
2009-02-02 15:07 . 2009-02-02 15:07 <DIR> d-------- c:\program files\Common Files\Raxco
2009-02-02 15:07 . 2009-02-02 15:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Raxco
2009-02-02 14:53 . 2009-02-02 14:53 <DIR> d-------- c:\documents and settings\Nigel\Application Data\Comodo
2009-02-02 14:53 . 2009-02-02 14:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Comodo
2009-02-02 14:52 . 2009-02-02 09:17 211 --a------ C:\boot.ini.comodofirewall
2009-02-02 14:45 . 2009-02-02 14:46 <DIR> d-------- c:\program files\Common Files\Nero
2009-02-02 14:45 . 2009-02-02 14:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
2009-02-02 14:25 . 2009-02-20 12:04 <DIR> d--h----- C:\$AVG8.VAULT$
2009-02-02 14:18 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-02-02 14:18 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-02-02 14:15 . 2006-05-22 00:00 163,840 --a------ c:\windows\system32\esint66.dll
2009-02-02 14:15 . 2006-05-22 00:00 65,793 --a------ c:\windows\system32\esfw66.bin
2009-02-02 14:15 . 2006-03-20 00:00 64,512 --a------ c:\windows\system32\eswia66.dll
2009-02-02 14:15 . 2005-02-08 02:00 5,632 --a------ c:\windows\system32\escdev.dll
2009-02-02 14:15 . 2006-03-10 00:00 3,584 --a------ c:\windows\system32\eswiaml.dll
2009-02-02 14:10 . 2006-12-08 04:04 76,800 --a------ c:\windows\system32\E_FLBBZR.DLL
2009-02-02 14:10 . 2006-04-19 11:00 62,976 --a------ c:\windows\system32\E_FD4BBZR.DLL
2009-02-02 14:10 . 2004-09-11 05:12 49,152 --a------ c:\windows\system32\E_DCINST.DLL
2009-02-02 14:09 . 2009-02-04 09:37 <DIR> d-------- c:\program files\EPSON
2009-02-02 14:09 . 2009-02-02 14:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\EPSON
2009-02-02 13:58 . 2009-02-04 12:03 <DIR> d--h----- c:\program files\InstallShield Installation Information
2009-02-02 13:57 . 2009-02-02 14:03 <DIR> d-------- c:\program files\iBurst Dashboard V2
2009-02-02 13:57 . 2009-02-06 08:10 <DIR> d-------- c:\program files\Common Files\InstallShield
2009-02-02 13:56 . 2009-02-02 13:56 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-02 13:55 . 2009-02-02 13:55 <DIR> d-------- c:\windows\system32\URTTemp
2009-02-02 13:53 . 2009-02-02 13:53 <DIR> d-------- c:\windows\system32\NtmsData
2009-02-02 13:31 . 2008-04-14 00:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-02-02 13:31 . 2008-04-14 00:17 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-06 04:44 --------- d-----w c:\program files\Common Files\Adobe
2009-02-05 15:53 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-02 08:37 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-02-02 08:06 --------- d-----w c:\program files\Intel
2009-02-02 08:05 53,248 ----a-w c:\windows\system32\CSVer.dll
2009-02-02 07:54 --------- d-----w c:\program files\AVG
2009-02-02 07:24 --------- d-----w c:\program files\microsoft frontpage
2009-02-02 07:19 --------- d-----w c:\program files\Windows Media Connect 2
2009-01-08 21:11 103,488 ----a-w c:\windows\system32\drivers\AnyDVD.sys
2009-01-02 02:15 24,872 ----a-w c:\windows\system32\drivers\ElbyCDIO.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"COMODO Firewall Pro"="d:\internet\Comodo Firewall\Comodo\Firewall\CPF.exe" [2009-02-02 1115728]
"SecurDisc"="d:\nero 8\Nero 8\InCD\NBHGui.exe" [2007-08-04 2043688]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"AVG8_TRAY"="d:\internet\AVG\avgtray.exe" [2009-02-11 1601304]
"nwiz"="nwiz.exe" [2008-05-03 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "d:\internet\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-11 12:15 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.I420"= vdrcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dashboard Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dashboard Launcher.lnk
backup=c:\windows\pss\Dashboard Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^iBurst_Terminal UTL.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\iBurst_Terminal UTL.lnk
backup=c:\windows\pss\iBurst_Terminal UTL.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Nigel^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Nigel\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-08-03 12:51 202024 c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CorelDRAW Graphics Suite 11b]
--a------ 2003-11-25 13:39 729088 d:\graphics\Corel Draw\Languages\EN\Programs\registration.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-08-04 10:29 1056552 d:\nero 8\Nero 8\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-08-08 09:25 1828136 d:\nero 8\Nero 8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-03 05:46 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-02-04 12:08 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-02-02 17:08 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Video\\Studio 10\\programs\\RM.exe"=
"d:\\Video\\Studio 10\\programs\\Studio.exe"=
"d:\\Video\\Studio 10\\programs\\PMSRegisterFile.exe"=
"d:\\Video\\Studio 10\\programs\\umi.exe"=
"d:\\Internet\\AVG\\avgemc.exe"=
"d:\\Internet\\AVG\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-05 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-05 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;d:\internet\AVG\avgemc.exe [2009-02-05 903960]
R2 avg8wd;AVG Free8 WatchDog;d:\internet\AVG\avgwdsvc.exe [2009-02-05 298264]
R3 iBurstu;iBurst Terminal;c:\windows\system32\drivers\iBurstu.sys [2008-10-15 37362]
S2 gupdate1c989c9eb7d5a64;Google Update Service (gupdate1c989c9eb7d5a64);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 133104]
S3 autorun;autorun;\??\c:\huadio.tmp --> c:\huadio.tmp [?]
.
Contents of the 'Scheduled Tasks' folder

2009-02-26 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 10:47]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl
MSConfigStartUp-AnyDVD - d:\video\AnyDVD\AnyDVDtray.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.za/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - d:\general\Bluetooth\btsendto_ie_ctx.htm
TCP: {CE745ADF-6643-4A5D-8E99-880492E3B488} = 196.30.31.193 196.7.0.138
FF - ProfilePath - c:\documents and settings\Nigel\Application Data\Mozilla\Firefox\Profiles\w19ld30a.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.metacrawler.com
FF - component: c:\documents and settings\Nigel\Application Data\Mozilla\Firefox\Profiles\w19ld30a.default\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}\components\PlainOldFavorites.dll
FF - component: d:\internet\AVG\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-26 09:41:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\autorun]
"ImagePath"="\??\C:\huadio.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,ec,da,af,84,d3,
a4,88,6c,e2,63,26,f1,3f,c8,ff,68,a3,53,bc,d8,0f,20,b9,b7,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,9d,dc,56,1c,5e,
57,02,78,6a,9c,d6,61,af,45,84,18,90,cc,20,05,90,24,be,b8,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,bd,09,c5,b4,47,
15,4d,db,ff,7c,85,e0,43,d4,0e,fe,cb,ba,94,e9,1f,cc,aa,ce,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:6b,65,49,6a,7e,99,74,f7,00,3a,aa,7d,3b,
5f,e3,0d,86,8c,21,01,be,91,eb,e7,32,99,d3,e1,5e,68,81,34,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,84,b5,a9,30,e2,
93,bf,30,f5,1d,4d,73,a8,13,5c,05,07,c6,35,38,c1,b3,51,0e,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,38,a4,48,c9,a0,
2f,91,76,df,20,58,62,78,6b,cf,c8,67,c5,88,1f,e5,73,f3,09,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,03,e7,2e,71,04,
4c,27,eb,fb,a7,78,e6,12,2f,9a,ea,c7,9c,44,c5,16,0a,ec,40,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,81,5a,4c,39,6d,
e5,ff,cb,01,3a,48,fc,e8,04,4a,f1,f1,f5,1a,1f,2b,f0,fb,bd,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,1f,57,ab,48,f1,
7d,ff,5d,f6,0f,4e,58,98,5b,89,c9,ea,53,1e,47,50,58,11,2e,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,e8,23,dc,80,a2,
5c,49,2e,3d,ce,ea,26,2d,45,aa,78,9f,16,c7,86,b6,85,23,ec,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,34,9d,da,6f,87,
f7,20,45,2a,b7,cc,b5,b9,7f,41,e7,2b,20,d5,44,06,98,0a,d5,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,96,8b,7c,86,51,
59,6e,6f,6c,43,2d,1e,aa,22,2f,9c,42,17,53,6a,d8,49,d9,7d,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
Completion time: 2009-02-26 9:42:50
ComboFix-quarantined-files.txt 2009-02-26 07:42:48

Pre-Run: 18,773,770,240 bytes free
Post-Run: 18,777,145,344 bytes free

327 --- E O F --- 2009-02-13 17:40:11


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:55:28, on 26/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\General\Bluetooth\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Internet\AVG\avgwdsvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
D:\Internet\Comodo Firewall\Comodo\Firewall\cmdagent.exe
D:\Nero 8\Nero 8\InCD\InCDsrv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Nero 8\Nero 8\Nero BackItUp\NBService.exe
D:\Internet\AVG\avgrsx.exe
D:\Internet\AVG\avgnsx.exe
D:\Internet\AVG\avgcsrvx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
D:\Internet\AVG\avgemc.exe
C:\WINDOWS\system32\RunDll32.exe
D:\Internet\AVG\avgcsrvx.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\iBurst Dashboard V2\DashboardLauncher.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Internet\AVG\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Internet\Comodo Firewall\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SecurDisc] D:\Nero 8\Nero 8\InCD\NBHGui.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [AVG8_TRAY] D:\Internet\AVG\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - D:\General\Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE745ADF-6643-4A5D-8E99-880492E3B488}: NameServer = 196.30.31.193 196.7.0.138
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Internet\AVG\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\Internet\AVG\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\Internet\AVG\avgwdsvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - D:\General\Bluetooth\bin\btwdins.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Internet\Comodo Firewall\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Update Service (gupdate1c989c9eb7d5a64) (gupdate1c989c9eb7d5a64) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Nero 8\Nero 8\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Nero 8\Nero 8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

--
End of file - 6278 bytes


Uninstall Log:
AC-3 ACM Decompressor
AC3Filter (remove only)
Ac3Tool (remove only)
Adobe AIR
Adobe AIR
Adobe Audition 2.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Help Center 2.0
Adobe Reader 9
AnyDVD
AVG Free 8.0
CCleaner (remove only)
C-Media WDM Audio Driver
COMODO Firewall Pro
CorelDRAW Graphics Suite 12
dBpowerAMP Music Converter
dBpowerAMP WMA V9 Codec
DiscAPI (Studio 10)
DivX
DVD Decrypter (Remove Only)
EPSON Copy Utility 3
EPSON Printer Software
EPSON Scan
EPSON Web-To-Page
ERUNT 1.1j
Eudora
Google Earth
Google Update Helper
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
iBurst Dashboard V2
iBurst Terminal
IrfanView (remove only)
Java(TM) 6 Update 11
MainConcept MPEG Encoder
Malwarebytes' Anti-Malware
Media Catalog Studio 5.1
Media Tagger v1.3.5
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft FxCop 1.36 RTM
Microsoft Office Professional Edition 2003
Microsoft Visual C# 2005 Express Edition - ENU
Microsoft Visual C# 2005 Express Edition - ENU
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.6)
MSXML 4.0 SP2 (KB954430)
Nero 8
NVIDIA Drivers
PerfectDisk
QuickTime
Quintessential Player
RAPID (Studio 10)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960715)
Simple Sudoku 4.2
Spybot - Search & Destroy
Studio 10
TMPGEnc DVD Author 3 with DivX Authoring
TSUNAMI-MPEG DVD Author PRO
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VOB2MPG 2.5
WIDCOMM Bluetooth Software
WinRAR archiver
WinZip

macnab
2009-02-27, 19:01
I see Recovery Console did not download , so I have downloaded it.

pskelley
2009-02-27, 20:16
No Virtumonde showing in the combofix scan or the HJT logs? What program is showing you this infection, what names and locations is it showing? What are the symptoms you are having?

Let's also have MBAM take a look.

Looks like you have Malwarebytes' Anti-Malware, no need to download again, but do update the program and run it as instructed.

Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

http://www.besttechie.net/mbam/mbam-setup.exe <<< download

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

Thanks

macnab
2009-02-28, 06:13
Hi

MBAM finds nothing:

Malwarebytes' Anti-Malware 1.34
Database version: 1805
Windows 5.1.2600 Service Pack 3

26/02/2009 10:22:10
mbam-log-2009-02-26 (10-22-10).txt

Scan type: Quick Scan
Objects scanned: 60679
Time elapsed: 2 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Spybot finds Virtumonde in C:\Windows\System32\zipfldr.dll. I "Fix all problems", reboot immediately and rescan - back again.

As to symtoms, I don't know if the following qualify:
I have Comodo set to "ask" for svchost. When I boot, Comodo reports Explorer.exe trying to access the Internet through svchost (7 processes). Then svc host wants to connect (11 process) and then Explorer.exe wants to connect again (2 processes).

Nigel

macnab
2009-02-28, 06:38
Here is this mornings (MBAM updated) Full scan. Didn't do drive F as it only has mpg files on it.

Malwarebytes' Anti-Malware 1.34
Database version: 1812
Windows 5.1.2600 Service Pack 3

28/02/2009 06:37:40
mbam-log-2009-02-28 (06-37-40).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 147259
Time elapsed: 17 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Nigel

pskelley
2009-02-28, 14:00
Spybot finds Virtumonde in C:\Windows\System32\zipfldr.dll. I "Fix all problems", reboot immediately and rescan - back again.
Good morning Nigel, I have never seen this one before, here is the Google:
http://www.google.com/search?hl=en&q=zipfldr.dll&btnG=Google+Search&aq=f&oq=
From a first look, it appears valid, but I wonder why it is in the System 32 folder? Hackers hide their junk where they wish!

Before we can take any action, we need to find out what that is and I believe we should have the Spybot S&D techs look at it also.

1) Follow these directions so you can see all files and folders:
http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp

2) Use one more more of these free online scanners to scan that file and post the results:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

C:\Windows\System32\zipfldr.dll <<< file to scan

3) http://www.safer-networking.org/files/sfp.zip <<< download
Then Extract all files

Double click sfp.exe then copy/paste this information:

C:\Windows\System32\zipfldr.dll

Follow the prompts to send Spybot S&D those files. Please include the link to your thread if it is requested.
http://forums.spybot.info/showthread.php?t=46142

I have Comodo set to "ask" for svchost
I do not use Comodo so I know nothing about settings, you can ask Comodo questions here:
http://forums.comodo.com/index.php or here:
http://forum.aumha.org/viewtopic.php?f=20&t=22429

While malware can and does use svchost.exe, it is not unusual for multiple instances to be running as that hosts all running services.

http://support.microsoft.com/kb/314056
http://www.howtogeek.com/howto/windows-vista/what-is-svchostexe-and-why-is-it-running/
http://www.google.com/search?hl=en&q=svchost.exe&btnG=Search
http://www.google.com/search?hl=en&q=multiple+svchost.exe&btnG=Search


Please be sure Spybot S&D is up to date and fully immunized.
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html
http://www.safer-networking.org/en/faq/index.html
http://www.safer-networking.org/en/tutorial/index.html

macnab
2009-02-28, 17:40
BTW If I delete zipfldr.dll it reappears immediately.

Here is VirusTotals report:

Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.26 -
AhnLab-V3 2009.2.26.0 2009.02.25 -
AntiVir 7.9.0.88 2009.02.26 -
Authentium 5.1.0.4 2009.02.25 -
Avast 4.8.1335.0 2009.02.25 -
AVG 8.0.0.237 2009.02.25 -
BitDefender 7.2 2009.02.26 -
CAT-QuickHeal 10.00 2009.02.26 -
ClamAV 0.94.1 2009.02.25 -
Comodo 986 2009.02.20 -
DrWeb 4.44.0.09170 2009.02.26 -
eSafe 7.0.17.0 2009.02.25 -
eTrust-Vet 31.6.6375 2009.02.26 -
F-Prot 4.4.4.56 2009.02.25 -
F-Secure 8.0.14470.0 2009.02.26 -
Fortinet 3.117.0.0 2009.02.26 -
GData 19 2009.02.26 -
Ikarus T3.1.1.45.0 2009.02.26 -
K7AntiVirus 7.10.647 2009.02.25 -
Kaspersky 7.0.0.125 2009.02.26 -
McAfee 5536 2009.02.25 -
McAfee+Artemis 5536 2009.02.25 -
Microsoft 1.4306 2009.02.26 -
NOD32 3890 2009.02.26 -
Norman 6.00.06 2009.02.25 -
nProtect 2009.1.8.0 2009.02.26 -
Panda 10.0.0.10 2009.02.26 -
PCTools 4.4.2.0 2009.02.25 -
Prevx1 V2 2009.02.26 -
Rising 21.18.30.00 2009.02.26 -
SecureWeb-Gateway 6.0.0 2009.02.26 -
Sophos 4.39.0 2009.02.26 -
Sunbelt 3.2.1858.2 2009.02.25 -
Symantec 10 2009.02.26 -
TheHacker 6.3.2.5.265 2009.02.25 -
TrendMicro 8.700.0.1004 2009.02.26 -
VBA32 3.12.10.0 2009.02.26 -
ViRobot 2009.2.26.1624 2009.02.26 -
VirusBuster 4.5.11.0 2009.02.25 -
Additional information
File size: 338432 bytes
MD5...: c444b433a340c24b51a2dace9d13fc70
SHA1..: 18db98f46fcdfcdd823517cc5a73e209fca138da
SHA256: 32df665a6267231245235cc90cc17bc8f9869642d2d848e6fc8f9a417ba570fd
SHA512: 72c76947b06fd5c285194c36009b2546e43b08936c98605237eef3ef1aac545a
ae191fe21b18a274da0ebf3ee9bfb333528e8ad1c25bc8d7b958f61926469b4b
ssdeep: 6144:so8yrj4nxum0kKU1gEzXlXZqaYmurx5N0cAQA6sS5w:h8yrjWZdgEz5FwzG
cAL
PEiD..: -
TrID..: File type identification
DirectShow filter (52.6%)
Windows OCX File (32.2%)
Win32 Executable MS Visual C++ (generic) (9.8%)
Win32 Executable Generic (2.2%)
Win32 Dynamic Link Library (generic) (1.9%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x73393219
timedatestamp.....: 0x4802a12d (Mon Apr 14 00:11:25 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x33954 0x33a00 6.61 d864c816372a00daff88d150d141db3d
.data 0x35000 0x41bc 0x2600 4.33 09e0199be5b929a0aecf3511b883a249
.rsrc 0x3a000 0x19468 0x19600 5.14 54b99305966f2853a7e341265a8034b4
.reloc 0x54000 0x2fa2 0x3000 5.32 23d75f0953576fadddb7cbbf155859a3

( 9 imports )
> ntdll.dll: RtlUnwind
> KERNEL32.dll: SetCurrentDirectoryW, LeaveCriticalSection, EnterCriticalSection, GetCurrentDirectoryW, RemoveDirectoryW, CreateThread, LocalFree, FormatMessageW, GetLastError, DeleteFileW, CopyFileW, DeleteCriticalSection, InitializeCriticalSection, DisableThreadLibraryCalls, InterlockedIncrement, InterlockedDecrement, FreeLibrary, GetProcAddress, LoadLibraryW, FindNextFileW, CloseHandle, CreateFileW, FileTimeToSystemTime, CreateDirectoryW, CompareFileTime, GetFileTime, lstrcmpiW, GlobalUnlock, GlobalLock, lstrcmpW, lstrcpynW, LocalAlloc, GetCalendarInfoW, TlsSetValue, TlsGetValue, TlsAlloc, TlsFree, GetDiskFreeSpaceExW, MultiByteToWideChar, lstrlenA, GetTempPathW, GetFileSizeEx, GetDriveTypeW, GlobalFree, lstrcpyW, GlobalAlloc, LocalFileTimeToFileTime, SystemTimeToFileTime, SetFileTime, GetFileInformationByHandle, GlobalSize, GetProcessHeap, HeapFree, HeapReAlloc, HeapAlloc, ReadFile, WriteFile, GetCurrentThreadId, GetCommandLineA, GetVersionExA, GetFileAttributesA, SetLastError, ExitProcess, GetModuleHandleA, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetModuleFileNameA, FreeEnvironmentStringsA, FindFirstFileW, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapDestroy, HeapCreate, VirtualFree, GetACP, GetOEMCP, GetCPInfo, UnhandledExceptionFilter, VirtualAlloc, LoadLibraryA, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, InterlockedExchange, VirtualQuery, VirtualProtect, GetSystemInfo, GetTimeZoneInformation, SetFilePointer, SetStdHandle, FlushFileBuffers, CompareStringA, CompareStringW, SetEnvironmentVariableA, FindClose, GetFileAttributesW, SetFileAttributesW, lstrlenW, ExitThread, GetVolumeInformationA, SetFileAttributesA, CreateDirectoryA, LocalLock, LocalUnlock, lstrcmpiA, IsDBCSLeadByte, FindFirstFileA, FileTimeToDosDateTime, DeleteFileA, GlobalReAlloc, CreateFileA, GetDriveTypeA, GlobalHandle, SetUnhandledExceptionFilter, GetCurrentProcess, GetWindowsDirectoryW, TerminateProcess, GetSystemTimeAsFileTime, QueryPerformanceCounter, DosDateTimeToFileTime, FileTimeToLocalFileTime, GetTickCount, GetModuleFileNameW, lstrcmpA, MoveFileA, SetVolumeLabelA, FindNextFileA, GetDiskFreeSpaceA, RemoveDirectoryA, SetCurrentDirectoryA, GetTempFileNameA, GetCurrentProcessId, GetSystemWindowsDirectoryW, LoadLibraryExA, GetCurrentDirectoryA, GetEnvironmentStrings, GetFullPathNameA, GetFileSize, GetModuleHandleW
> GDI32.dll: GetStockObject, DeleteObject, GetDeviceCaps, CreateFontIndirectW
> USER32.dll: GetSubMenu, GetParent, SetWindowTextW, GetDlgItem, LoadStringW, SetWindowLongW, EndDialog, ShowCursor, DeleteMenu, CreateWindowExW, CharUpperBuffA, CharPrevA, CharNextA, DispatchMessageA, PeekMessageA, CharUpperA, MessageBoxA, GetActiveWindow, CharLowerA, CharToOemBuffA, CharToOemA, OemToCharBuffA, SetDlgItemTextW, GetDesktopWindow, DialogBoxParamW, LoadMenuW, SendDlgItemMessageW, RemoveMenu, GetForegroundWindow, TrackPopupMenu, RegisterClassW, DefWindowProcW, CharNextW, GetWindowLongW, SystemParametersInfoW, GetWindowRect, SetForegroundWindow, GetDlgItemTextW, InsertMenuW, RegisterClipboardFormatW, LoadCursorW, SetCursor, SetMenuDefaultItem, DestroyMenu, GetAsyncKeyState, CheckDlgButton, SetFocus, EnableWindow, GetWindowTextW, PeekMessageW, IsDialogMessageW, TranslateMessage, DispatchMessageW, MessageBoxW, ShowWindow, IsDlgButtonChecked, DestroyWindow, SendMessageW, PostMessageW
> ADVAPI32.dll: RegQueryValueExW, RegOpenKeyExW, RegCloseKey
> SHELL32.dll: -, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetSpecialFolderLocation, SHGetFolderPathW, SHSetLocalizedName, -, -, -, SHGetFileInfoW, SHGetSpecialFolderPathW, -, DragQueryFileW, -, SHFileOperationW, -, -, -, -, -, -, -, ShellExecuteExW, ShellExecuteW, -, SHGetDesktopFolder, -, SHChangeNotify, SHGetMalloc
> ole32.dll: CreateBindCtx, CoInitializeEx, CoUninitialize, CoCreateInstance, ReleaseStgMedium, OleGetClipboard, CoTaskMemFree, OleSetClipboard
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -
> SHLWAPI.dll: wnsprintfW, PathAppendW, StrCpyNW, PathFileExistsW, PathRemoveBlanksW, SHStrDupW, PathFindFileNameW, StrChrW, PathFindExtensionW, PathCompactPathW, StrStrW, PathCombineW, PathCanonicalizeW, PathIsRelativeW, PathIsPrefixW, PathRemoveFileSpecW, PathSkipRootW, PathStripToRootW, -, StrFormatKBSizeW, PathFindFileNameA, StrCmpNIW, -, -, -, -, -, -, -, -, -, PathCommonPrefixW, PathRemoveBackslashW, PathCompactPathExW, StrCatBuffW, StrToIntW, StrRetToBufW

( 6 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer, RegisterSendto, RouteTheCall

pskelley
2009-02-28, 18:07
I have an idea that file is valid and a false postive. Please post here:
http://forums.spybot.info/forumdisplay.php?f=4 or here:
http://forums.spybot.info/forumdisplay.php?f=16

Post a link to this topic for the experts there.
http://forums.spybot.info/showthread.php?t=46142

and I would appreciate it if you post a link to where you post so I can see what they have to say.

Thanks

macnab
2009-03-01, 06:57
Hi

In the False Positives forum I saw that v1.5 finds Virtumonde in zipfldr.dll as a false positive. (When I updated to v1.6 earlier the downloaded files were corrupt). Downloading and installing new version.

Trying a third download site - all report file corrupted when I try to install.

There are a few reports that v1.5 finds it as a false positive. I will keep trying to successfully download v1.6, and in the meantime treat it as a false positive.

Thanks for the help.

Nigel

pskelley
2009-03-01, 13:15
Nigel, You would benefit greatly from asking your questions at the links I provided where there are folks who work with Spybot S&D issues all of the time.

Thanks...Phil