
Thread: Multiple goblins: Virtumonde and Magicantispy mostly

  1. #1
    Junior Member
    Join Date
    Dec 2007
    Posts
    10

    Multiple goblins: Virtumonde and Magicantispy mostly

    Thank you so much for taking the time to help with this...

    I've been battling a series of spy/malware/somethingorother for days. I seem to have removed most of it, but here's where it stands now.

    System restore is off. Trend Micro PcCillin doesn't register any viruses. Spybot consistently finds Virtumonde, even immediately after "fixing" it, even in safemode. Seems like Magicantispy appears on spybot as soon as the computer is connected to the internet. Also, the last time I connected to the internet on the infected computer, PcCillin Realtime Scan intercepted a series of viruses and TeaTime intercepted an infinite number of attempted changes to the registry. I rebooted.

    Here are the scan results:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:56:10 AM, on 12/13/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\Program Files\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\NetWaiting\netWaiting.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\procexp.exe
    C:\Program Files\Stickynotes\Stickynotes.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/?auth=DQ...hD4EhFNNVhw91w
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=6061018
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
    O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: procexp.exe
    O4 - Global Startup: Shortcut to Stickynotes.lnk = C:\Program Files\Stickynotes\Stickynotes.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.bctransit.com/activex/ScriptX.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1195310708167
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)

    --
    End of file - 8892 bytes

    Next I'll post the kasper results...

  2. #2
    Junior Member
    Join Date
    Dec 2007
    Posts
    10

    kasper results

    Wednesday, December 12, 2007 9:23:47 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 13/12/2007
    Kaspersky Anti-Virus database records: 481175
    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true
    Scan Target My Computer
    C:\
    E:\
    Scan Statistics
    Total number of scanned objects 72556
    Number of viruses found 24
    Number of infected objects 51
    Number of suspicious objects 0
    Duration of the scan process 02:35:54

    Infected Object Name Virus Name Last Action
    C:\DDrive\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\c87b9d3b3b20\dbc2e.ht1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\c87b9d3b3b20\dbdam Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\c87b9d3b3b20\dbdao Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\c87b9d3b3b20\dbeam Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\c87b9d3b3b20\dbeao Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\c87b9d3b3b20\dbm Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\c87b9d3b3b20\dbu2d.ht1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\c87b9d3b3b20\dbvm.cf1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\c87b9d3b3b20\dbvmh.ht1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\c87b9d3b3b20\fii.cf1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\c87b9d3b3b20\fiih.ht1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\c87b9d3b3b20\hp Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\c87b9d3b3b20\hpt2i.ht1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\c87b9d3b3b20\rpm.cf1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\c87b9d3b3b20\rpm1m.cf1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\c87b9d3b3b20\rpm1mh.ht1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\c87b9d3b3b20\rpmh.ht1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\c87b9d3b3b20\safeweb\goog-black-enchashm.cf1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\c87b9d3b3b20\safeweb\goog-black-enchashmh.ht1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\c87b9d3b3b20\safeweb\goog-black-urlm.cf1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\c87b9d3b3b20\safeweb\goog-black-urlmh.ht1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\c87b9d3b3b20\safeweb\goog-malware-domainm.cf1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\c87b9d3b3b20\safeweb\goog-malware-domainmh.ht1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\c87b9d3b3b20\safeweb\goog-white-domainm.cf1 Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\c87b9d3b3b20\safeweb\goog-white-domainmh.ht1 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
    C:\Documents and Settings\Kate\Application Data\printer.exe Infected: Trojan.Win32.Qhost.aaw skipped
    C:\Documents and Settings\Kate\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Kate\Local Settings\Application Data\BVRP Software\NetWaiting\MoHlog.txt Object is locked skipped
    C:\Documents and Settings\Kate\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\Kate\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Kate\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Kate\Local Settings\Application Data\Mozilla\Firefox\Profiles\yojxk4f3.default\Cache\63892F6Dd01/data.rar/keygen.exe Infected: Trojan.Win32.Pakes.btc skipped
    C:\Documents and Settings\Kate\Local Settings\Application Data\Mozilla\Firefox\Profiles\yojxk4f3.default\Cache\63892F6Dd01/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.bme skipped
    C:\Documents and Settings\Kate\Local Settings\Application Data\Mozilla\Firefox\Profiles\yojxk4f3.default\Cache\63892F6Dd01/data.rar/serial.exe Infected: Trojan.Win32.Dialer.yz skipped
    C:\Documents and Settings\Kate\Local Settings\Application Data\Mozilla\Firefox\Profiles\yojxk4f3.default\Cache\63892F6Dd01/data.rar/install.exe Infected: Virus.Win32.Virut.av skipped
    C:\Documents and Settings\Kate\Local Settings\Application Data\Mozilla\Firefox\Profiles\yojxk4f3.default\Cache\63892F6Dd01/data.rar Infected: Virus.Win32.Virut.av skipped
    C:\Documents and Settings\Kate\Local Settings\Application Data\Mozilla\Firefox\Profiles\yojxk4f3.default\Cache\63892F6Dd01 RarSFX: infected - 5 skipped
    C:\Documents and Settings\Kate\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Kate\Local Settings\History\History.IE5\MSHist012007121220071213\index.dat Object is locked skipped
    C:\Documents and Settings\Kate\Local Settings\Temp\Perflib_Perfdata_db4.dat Object is locked skipped
    C:\Documents and Settings\Kate\Local Settings\Temp\~DF6323.tmp Object is locked skipped
    C:\Documents and Settings\Kate\Local Settings\Temp\~DF6F87.tmp Object is locked skipped
    C:\Documents and Settings\Kate\Local Settings\Temp\~DF9D87.tmp Object is locked skipped
    C:\Documents and Settings\Kate\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Kate\Local Settings\Temporary Internet Files\Content.IE5\0OVUFOK5\303[1].htm Infected: Trojan-Downloader.HTML.Agent.ao skipped
    C:\Documents and Settings\Kate\Local Settings\Temporary Internet Files\Content.IE5\0OVUFOK5\count[1].htm Infected: Trojan-Downloader.JS.Inor.a skipped
    C:\Documents and Settings\Kate\Local Settings\Temporary Internet Files\Content.IE5\0OVUFOK5\spoolsv[1].exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
    C:\Documents and Settings\Kate\Local Settings\Temporary Internet Files\Content.IE5\8R3RQ0PB\ptch[1] Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
    C:\Documents and Settings\Kate\Local Settings\Temporary Internet Files\Content.IE5\8R3RQ0PB\ucleaner_setup[1].exe Infected: not-a-virus:Downloader.Win32.UltimateFix.e skipped
    C:\Documents and Settings\Kate\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Kate\Local Settings\Temporary Internet Files\Content.IE5\NI71T56Q\302[1].htm Infected: Trojan-Downloader.JS.Psyme.ls skipped
    C:\Documents and Settings\Kate\Local Settings\Temporary Internet Files\Content.IE5\NI71T56Q\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
    C:\Documents and Settings\Kate\Local Settings\Temporary Internet Files\Content.IE5\NI71T56Q\smss[1].exe Infected: Trojan.Win32.Qhost.abh skipped
    C:\Documents and Settings\Kate\Local Settings\Temporary Internet Files\Content.IE5\UJN8I8OW\304[1].htm Infected: Trojan-Downloader.JS.Agent.hv skipped
    C:\Documents and Settings\Kate\Local Settings\Temporary Internet Files\Content.IE5\UJN8I8OW\gamadril20071203[1] Infected: Backdoor.Win32.Agent.dbm skipped
    C:\Documents and Settings\Kate\Local Settings\Temporary Internet Files\Content.IE5\UJN8I8OW\installer[1].exe Infected: Trojan-Spy.Win32.BZub.buz skipped
    C:\Documents and Settings\Kate\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Kate\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Kate\Shared\_\xzxzxzxzxzxz.exe Infected: Trojan-Dropper.Win32.VB.lu skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Alcohol 120\StarWind\logs\starwind.2007-12-12.15-59-13.log Object is locked skipped
    C:\Program Files\qhabedol\kvolepmp.dll Infected: Trojan-Downloader.Win32.Zlob.fec skipped
    C:\Program Files\spoolsv.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\PCCMAIN.EXE Infected: Virus.Win32.Sality.l skipped
    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\wmimgr32.dll Infected: Virus.Win32.Sality.k skipped
    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\wmimgr32_1d4.VIR Infected: Virus.Win32.Sality.k skipped
    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\wmimgr32_27c.VIR Infected: Virus.Win32.Sality.k skipped
    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\wmimgr32_280.VIR Infected: Virus.Win32.Sality.k skipped
    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\wmimgr32_2c8.VIR Infected: Virus.Win32.Sality.k skipped
    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\wmimgr32_2d4.VIR Infected: Virus.Win32.Sality.k skipped
    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\wmimgr32_2dc.VIR Infected: Virus.Win32.Sality.k skipped
    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\wmimgr32_2e0.VIR Infected: Virus.Win32.Sality.k skipped
    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\wmimgr32_2f4.VIR Infected: Virus.Win32.Sality.k skipped
    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\wmimgr32_308.VIR Infected: Virus.Win32.Sality.k skipped
    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\wmimgr32_318.VIR Infected: Virus.Win32.Sality.k skipped
    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\wmimgr32_324.VIR Infected: Virus.Win32.Sality.k skipped
    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\wmimgr32_32c.VIR Infected: Virus.Win32.Sality.k skipped
    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\wmimgr32_338.VIR Infected: Virus.Win32.Sality.k skipped
    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\wmimgr32_5f4.VIR Infected: Virus.Win32.Sality.k skipped
    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\wmimgr32_700.VIR Infected: Virus.Win32.Sality.k skipped
    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\wmimgr32_71c.VIR Infected: Virus.Win32.Sality.k skipped
    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\wmimgr32_c8.VIR Infected: Virus.Win32.Sality.k skipped
    C:\Program Files\ucleaner_setup.exe Infected: not-a-virus:Downloader.Win32.UltimateFix.e skipped
    C:\Sams D Drive\Downloads\kazaa_lite_202_english.exe/data0014 Infected: not-a-virus:AdWare.Win32.Altnet.o skipped
    C:\Sams D Drive\Downloads\kazaa_lite_202_english.exe Inno: infected - 1 skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\WINDOWS\CSC\00000001 Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\ModemLog_Conexant HDA D110 MDC V.92 Modem.txt Object is locked skipped
    C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{9337C7CB-FAB5-4880-9BF9-71C8BE8BA611}.crmlog Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\dpfqqbbm.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
    C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\hlvbfwoq\hlvbfwoq2.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped
    C:\WINDOWS\system32\hlvbfwoq\hlvbfwoq3.exe Infected: not-a-virus:Downloader.Win32.UltimateFix.d skipped
    C:\WINDOWS\system32\iifccby.dll Infected: Trojan.Win32.Obfuscated.lf skipped
    C:\WINDOWS\system32\mljkkkj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bme skipped
    C:\WINDOWS\system32\ubadxusj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\system32\winpsa32.dll Infected: Trojan.Win32.Dialer.yz skipped
    C:\WINDOWS\system32\wowfx.dll Infected: Trojan.Win32.Qhost.abh skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    Scan process completed.

  3. #3
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi

    Navigate into C:\Program Files\Trend Micro\HijackThis folder and rename HijackThis.exe file -> HeartfulHands.exe. Post a fresh hjt log after renaming is done.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
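    The logs in this thread list Browser Helper Objects as "O2 - BHO" lines, and the ones that matter here are the entries with "(no name)" that point at DLLs in system32 or a randomly named Program Files folder, alongside "(no file)" leftovers. The following Python script is an added example, not code from this thread, from HijackThis or from Blade81: it parses O2 lines in exactly the format shown above and sorts them into three buckets for review. The sample lines are a constructed excerpt copied from the log posted later in this thread, not a complete log. The "(no name)" and "(no file)" categories are a triage aid only, an assumption of this example rather than a HijackThis rule: a legitimate BHO can lack a name and a malicious one can carry a friendly one, so the flagged DLL itself still has to be checked, which is what the expert's review of a fresh log does.

```python
import re
from dataclasses import dataclass

# Constructed sample, not a full log: a few "O2 - BHO" lines in the format
# HijackThis uses in the logs posted in this thread, plus one unrelated O4 line
# to show that non-BHO lines are ignored by the parser.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0022682C-C925-4083-98B4-E96EBB6EA573} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1515B906-999A-48F3-8BF4-B7EC61BF5B38} - C:\WINDOWS\system32\mljkkkj.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {65FF10BB-F36A-68E9-AA35-02257E958C1F} - C:\Program Files\Whcihqsr\npadprdg.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# One O2 line: "O2 - BHO: <name> - {<CLSID>} - <path or (no file)>"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)\s*$",
    re.MULTILINE,
)


@dataclass
class BhoEntry:
    name: str
    clsid: str
    path: str

    @property
    def category(self) -> str:
        # Triage buckets assumed by this example (not a HijackThis rule):
        #   orphaned: registry entry whose DLL no longer exists, a leftover to clean up
        #   unnamed : a real DLL with no description, must be verified before trusting it
        #   named   : described BHO, still worth a glance but lower priority
        if self.path == "(no file)":
            return "orphaned"
        if self.name == "(no name)":
            return "unnamed"
        return "named"

    @property
    def in_system32(self) -> bool:
        # Where the unnamed Virtumonde DLLs in this thread's log were sitting.
        return self.path.lower().startswith("c:\\windows\\system32\\")


def parse_bho_lines(text: str) -> list[BhoEntry]:
    """Extract every O2 - BHO entry from a HijackThis log; other lines are skipped."""
    return [BhoEntry(m["name"], m["clsid"], m["path"]) for m in BHO_RE.finditer(text)]


def triage(entries: list[BhoEntry]) -> dict[str, list[BhoEntry]]:
    """Group parsed entries by category so the reviewer sees the unnamed ones first."""
    buckets: dict[str, list[BhoEntry]] = {"orphaned": [], "unnamed": [], "named": []}
    for entry in entries:
        buckets[entry.category].append(entry)
    return buckets


if __name__ == "__main__":
    for category, items in triage(parse_bho_lines(SAMPLE_LOG)).items():
        print(f"{category}: {len(items)}")
        for entry in items:
            flag = "  [system32]" if entry.in_system32 else ""
            print(f"  {entry.clsid}  {entry.name}  {entry.path}{flag}")
```

    Run it on a saved log with `parse_bho_lines(open("hijackthis.log").read())`; on the excerpt above it reports one orphaned entry, two unnamed DLLs (one of them under system32) and two named ones. The parser deliberately does nothing with the files themselves: deciding whether `mljkkkj.dll` is malicious is the job of the scanner or the helper reading the log, and the rename step in the post above addresses a different problem (a tool that malware may recognise by its process name), not anything a log parser can fix.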

  4. #4
    Junior Member
    Join Date
    Dec 2007
    Posts
    10


    Got it....


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:53:59 AM, on 12/17/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\Program Files\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\Program Files\NetWaiting\netWaiting.exe
    C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\procexp.exe
    C:\Program Files\Stickynotes\Stickynotes.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HeartfulHands.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/?auth=DQ...hD4EhFNNVhw91w
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=6061018
    O2 - BHO: (no name) - {0022682C-C925-4083-98B4-E96EBB6EA573} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1515B906-999A-48F3-8BF4-B7EC61BF5B38} - C:\WINDOWS\system32\mljkkkj.dll
    O2 - BHO: (no name) - {39D50A34-9B80-470C-8A36-2F89DA29B4FB} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5B208036-559A-4557-BFD6-441A518B40A3} - C:\WINDOWS\system32\mlljg.dll
    O2 - BHO: (no name) - {65FF10BB-F36A-68E9-AA35-02257E958C1F} - C:\Program Files\Whcihqsr\npadprdg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: (no name) - {8AB49D1E-2240-484F-832D-8C3E1D923128} - (no file)
    O2 - BHO: (no name) - {A8F21A5B-9446-4950-88E8-E800E23ED333} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O2 - BHO: (no name) - {D2984A95-CE37-4113-83A9-6E4103D607D3} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
    O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: procexp.exe
    O4 - Global Startup: Shortcut to Stickynotes.lnk = C:\Program Files\Stickynotes\Stickynotes.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.bctransit.com/activex/ScriptX.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1195310708167
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: mljkkkj - C:\WINDOWS\SYSTEM32\mljkkkj.dll
    O20 - Winlogon Notify: winpsa32 - C:\WINDOWS\SYSTEM32\winpsa32.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)

    --
    End of file - 9746 bytes

  5. #5
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi

    1. Download this file - combofix.exe to your desktop.
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems, create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  6. #6
    Junior Member
    Join Date
    Dec 2007
    Posts
    10

    When I started up ComboFix, a Spybot S&D window popped up saying:

    --
    Spybot has detected an important registry entry that has been changed

    Category: Command processor
    Change: Value Deleted
    Entry: AutoRun

    Allow Change/Deny Change
    --

    ComboFix is still in the disclaimer window. Shall I Allow, Deny or just ignore the window and continue with ComboFix?

  7. #7
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Allow it. Those alerts are normal while Combofix is running.

  8. #8
    Junior Member
    Join Date
    Dec 2007
    Posts
    10

    I greatly appreciate your help with this, by the way...

    So,

    When ComboFix rebooted, Spybot made note of a number of registry lines that ComboFix had deleted. Then it showed this.

    Category: Browser page
    Change: Value added
    Entry: Search Page
    New data: http://www.microsoft.com/isapi/redir...=iear=iesearch

    Allow Change/Deny Change

    What shall I do?

    Oh, and here is the ComboFix log.

    ComboFix 07-12-17.1 - Kate 2007-12-17 12:20:54.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.430 [GMT -8:00]
    Running from: C:\Documents and Settings\Kate\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Kate\Application Data\printer.exe
    C:\Program Files\Dcstqnwe
    C:\Program Files\Dcstqnwe\mshmyyse.dll
    C:\Program Files\qhabedol
    C:\Program Files\qhabedol\kvolepmp.dll
    C:\Program Files\spoolsv.exe
    C:\Program Files\ucleaner_setup.exe
    C:\Program Files\Whcihqsr
    C:\Program Files\Whcihqsr\npadprdg.dll
    C:\WINDOWS\b.exe
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\bbejwbsr.ini
    C:\WINDOWS\system32\ceiuksqg.dll
    C:\WINDOWS\system32\dpfqqbbm.dll
    C:\WINDOWS\system32\fccdbcy.dll
    C:\WINDOWS\system32\fxlcgpli.dll
    C:\WINDOWS\system32\gjllm.ini
    C:\WINDOWS\system32\gjllm.ini2
    C:\WINDOWS\system32\gqskuiec.ini
    C:\WINDOWS\system32\hlvbfwoq
    C:\WINDOWS\system32\hlvbfwoq\bg1.gif
    C:\WINDOWS\system32\hlvbfwoq\bgtop.gif
    C:\WINDOWS\system32\hlvbfwoq\bottom1.gif
    C:\WINDOWS\system32\hlvbfwoq\essentials.gif
    C:\WINDOWS\system32\hlvbfwoq\hlvbfwoq1.exe
    C:\WINDOWS\system32\hlvbfwoq\hlvbfwoq2.exe
    C:\WINDOWS\system32\hlvbfwoq\hlvbfwoq3.exe
    C:\WINDOWS\system32\hlvbfwoq\icon1.ico
    C:\WINDOWS\system32\hlvbfwoq\install1.gif
    C:\WINDOWS\system32\hlvbfwoq\left1.gif
    C:\WINDOWS\system32\hlvbfwoq\li.gif
    C:\WINDOWS\system32\hlvbfwoq\logo.gif
    C:\WINDOWS\system32\hlvbfwoq\main.htm
    C:\WINDOWS\system32\hlvbfwoq\mainframe.htm
    C:\WINDOWS\system32\hlvbfwoq\reinstall1.gif
    C:\WINDOWS\system32\hlvbfwoq\right1.gif
    C:\WINDOWS\system32\hlvbfwoq\s1.htm
    C:\WINDOWS\system32\hlvbfwoq\s2.htm
    C:\WINDOWS\system32\hlvbfwoq\s3.htm
    C:\WINDOWS\system32\hlvbfwoq\SMTop1.gif
    C:\WINDOWS\system32\hlvbfwoq\SMTop2.gif
    C:\WINDOWS\system32\hlvbfwoq\SMTop3.gif
    C:\WINDOWS\system32\hlvbfwoq\SMTop4.gif
    C:\WINDOWS\system32\hlvbfwoq\soft1_off.gif
    C:\WINDOWS\system32\hlvbfwoq\soft1_off_ext.gif
    C:\WINDOWS\system32\hlvbfwoq\soft1_on.gif
    C:\WINDOWS\system32\hlvbfwoq\soft1_on_ext.gif
    C:\WINDOWS\system32\hlvbfwoq\soft2_off.gif
    C:\WINDOWS\system32\hlvbfwoq\soft2_off_ext.gif
    C:\WINDOWS\system32\hlvbfwoq\soft2_on.gif
    C:\WINDOWS\system32\hlvbfwoq\soft2_on_ext.gif
    C:\WINDOWS\system32\hlvbfwoq\soft3_off.gif
    C:\WINDOWS\system32\hlvbfwoq\soft3_off_ext.gif
    C:\WINDOWS\system32\hlvbfwoq\soft3_on.gif
    C:\WINDOWS\system32\hlvbfwoq\soft3_on_ext.gif
    C:\WINDOWS\system32\hlvbfwoq\softbottom_off.gif
    C:\WINDOWS\system32\hlvbfwoq\softbottom_on.gif
    C:\WINDOWS\system32\hlvbfwoq\softleft_off.gif
    C:\WINDOWS\system32\hlvbfwoq\softleft_on.gif
    C:\WINDOWS\system32\hlvbfwoq\top1.gif
    C:\WINDOWS\system32\hlvbfwoq\top2.gif
    C:\WINDOWS\system32\hlvbfwoq\turnoff1.gif
    C:\WINDOWS\system32\hlvbfwoq\turnon1.gif
    C:\WINDOWS\system32\iifccby.dll
    C:\WINDOWS\system32\jsuxdabu.ini
    C:\WINDOWS\system32\mljkkkj.dll
    C:\WINDOWS\system32\mlljg.dll
    C:\WINDOWS\system32\rsbwjebb.dll
    C:\WINDOWS\system32\tjukpjua.dll
    C:\WINDOWS\system32\ubadxusj.dll
    C:\WINDOWS\system32\winpsa32.dll
    C:\WINDOWS\system32\wowfx.dll

    .
    ((((((((((((((((((((((((( Files Created from 2007-11-17 to 2007-12-17 )))))))))))))))))))))))))))))))
    .

    2007-12-12 17:06 . 2007-12-12 17:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-12-12 17:06 . 2007-12-12 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-12-12 11:07 . 2007-12-12 11:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-12 11:05 . 2007-12-12 11:05 0 --a------ C:\LOG1.tmp
    2007-12-12 11:04 . 2007-12-12 11:05 <DIR> d-------- C:\Documents and Settings\Kate\Application Data\U3
    2007-12-11 16:16 . 2007-12-11 16:17 <DIR> d-------- C:\de573161ed717abc27c54b5da41957
    2007-12-11 16:04 . 2007-12-11 16:05 <DIR> d-------- C:\Program Files\Matroska Pack
    2007-12-10 20:29 . 2007-12-10 20:29 <DIR> d-------- C:\Program Files\On2 Technologies
    2007-12-10 20:29 . 2006-03-24 17:01 630,784 --a------ C:\WINDOWS\system32\vp7vfw.dll
    2007-12-10 20:29 . 2006-03-24 17:09 237,568 --a------ C:\WINDOWS\system32\vp7dec.ax
    2007-12-10 20:29 . 2005-10-25 13:10 53,248 --a------ C:\WINDOWS\system32\vp7dec_settings.cpl
    2007-12-08 15:00 . 2007-12-08 15:00 <DIR> d-------- C:\Program Files\Xvid
    2007-12-08 15:00 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
    2007-12-08 15:00 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
    2007-12-08 15:00 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
    2007-11-17 15:42 . 2007-11-17 15:42 <DIR> d-------- C:\Program Files\BitTorrent
    2007-11-17 15:42 . 2007-12-11 15:52 <DIR> d-------- C:\Documents and Settings\Kate\Application Data\BitTorrent
    2007-11-17 06:50 . 2007-07-09 05:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
    2007-11-17 06:46 . 2007-07-30 18:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-13 18:55 --------- d-----w C:\Program Files\Trend Micro
    2007-12-12 16:19 --------- d-----w C:\Program Files\eMule
    2007-12-11 23:58 --------- d-----w C:\Program Files\IsoBuster
    2007-12-11 04:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-12-10 17:26 --------- d-----w C:\Program Files\Google
    2007-12-08 17:17 --------- d-----w C:\Program Files\Winamp
    2007-12-07 22:54 --------- d-----w C:\Program Files\Canon
    2007-12-07 22:52 --------- d-----w C:\Program Files\Telltale Games
    2007-11-13 10:25 20,480 ------w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-11-13 00:50 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ
    2007-11-13 00:49 --------- d--h--w C:\Program Files\CanonBJ
    2007-10-23 03:53 --------- d-----w C:\Documents and Settings\Kate\Application Data\CyberLink
    2007-10-21 02:23 --------- d-----w C:\Program Files\Common Files\Canon
    2007-01-18 18:36 251 ------w C:\Program Files\wt3d.ini
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0022682C-C925-4083-98B4-E96EBB6EA573}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1515B906-999A-48F3-8BF4-B7EC61BF5B38}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39D50A34-9B80-470C-8A36-2F89DA29B4FB}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{65FF10BB-F36A-68E9-AA35-02257E958C1F}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8AB49D1E-2240-484F-832D-8C3E1D923128}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8F21A5B-9446-4950-88E8-E800E23ED333}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2984A95-CE37-4113-83A9-6E4103D607D3}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-09 23:24]
    "OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-11-15 13:58]
    "DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-11-15 13:58]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 02:00]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-17 04:17]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 15:18]
    "SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 13:43]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

    C:\Documents and Settings\Samuel\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]
    Process Explorer.lnk - C:\Program Files\ProcessExplorer\procexp.exe [2006-11-01 12:07:34]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-10-18 16:32:55]
    procexp.exe [2006-11-15 14:54:29]
    Shortcut to Stickynotes.lnk - C:\Program Files\Stickynotes\Stickynotes.exe [2004-09-02 14:33:49]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljkkkj]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpsa32]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "bgzefgdw"=regsvr32 /u "C:\Documents and Settings\All Users\Application Data\bgzefgdw.dll"
    "avp"=C:\WINDOWS\TEMP\win634.exe
    "smgr"=mgrs.exe

    S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys []
    S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-23 18:12]
    S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc []
    S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc []
    S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc []
    S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - D:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    \Shell\AutoRun\command - E:\setup.exe

    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-17 12:35:13
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-17 12:37:46 - machine was rebooted
    .
    2007-12-12 20:45:15 --- E O F ---

  9. #9
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi

    To make sure TeaTimer won't interfere with the fix, it's better to disable it until the system is clean.

    Disable Spybot's TeaTimer
    • Run Spybot-S&D in Advanced Mode
    • If it is not already set to do this, go to the Mode menu and select Advanced Mode
    • On the left hand side, click on Tools
    • Then click on the Resident icon in the list
    • Uncheck Resident TeaTimer and OK any prompts.
    • Restart your computer

    Start hjt, click do a system scan only, check:
    O2 - BHO: (no name) - {0022682C-C925-4083-98B4-E96EBB6EA573} - (no file)
    O2 - BHO: (no name) - {1515B906-999A-48F3-8BF4-B7EC61BF5B38} - C:\WINDOWS\system32\mljkkkj.dll
    O2 - BHO: (no name) - {39D50A34-9B80-470C-8A36-2F89DA29B4FB} - (no file)
    O2 - BHO: (no name) - {5B208036-559A-4557-BFD6-441A518B40A3} - C:\WINDOWS\system32\mlljg.dll
    O2 - BHO: (no name) - {65FF10BB-F36A-68E9-AA35-02257E958C1F} - C:\Program Files\Whcihqsr\npadprdg.dll
    O2 - BHO: (no name) - {8AB49D1E-2240-484F-832D-8C3E1D923128} - (no file)
    O2 - BHO: (no name) - {A8F21A5B-9446-4950-88E8-E800E23ED333} - (no file)
    O2 - BHO: (no name) - {D2984A95-CE37-4113-83A9-6E4103D607D3} - (no file)
    O20 - Winlogon Notify: mljkkkj - C:\WINDOWS\SYSTEM32\mljkkkj.dll
    O20 - Winlogon Notify: winpsa32 - C:\WINDOWS\SYSTEM32\winpsa32.dll

    Close browsers and other windows. Click fix checked.

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::
    C:\Documents and Settings\All Users\Application Data\bgzefgdw.dll
    C:\WINDOWS\TEMP\win634.exe
    C:\WINDOWS\System32\mgrs.exe

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "bgzefgdw"=-
    "avp"=-
    "smgr"=-

    Save this as CFScript

    Referring to the picture above, drag CFScript into ComboFix.exe
    Then post the resultant log & a fresh hjt log.

  10. #10
    Junior Member
    Join Date
    Dec 2007
    Posts
    10

    Hi

    Okay, so I finished Accepting the Changes, disabled TeaTimer and restarted the computer. Then I ran HJT and none of the files you asked me to check were there! So this is my current HJT log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:43:45 AM, on 12/18/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\procexp.exe
    C:\Program Files\Stickynotes\Stickynotes.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\Program Files\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HeartfulHands.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/?auth=DQ...hD4EhFNNVhw91w
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=6061018
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
    O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: procexp.exe
    O4 - Global Startup: Shortcut to Stickynotes.lnk = C:\Program Files\Stickynotes\Stickynotes.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.bctransit.com/activex/ScriptX.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1195310708167
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)

    --
    End of file - 8638 bytes
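As an added example (not code from the thread, HijackThis or ComboFix), the Python below diffs the first HJT log against the one posted after the ComboFix run and states why each vanished O2/O20 entry mattered: nameless or orphaned BHOs, Winlogon Notify DLLs, and pseudo-random DLL names. The sample logs are constructed from lines quoted in the thread, and the vowel-ratio heuristic is my assumption, not an HJT rule.

```python
"""Diff two HijackThis (HJT) logs and triage the entries that disappeared.

Added example for this thread, not part of HijackThis, ComboFix or the forum's
tooling. The sample logs are constructed from lines quoted in the thread.
"""
import re
from dataclasses import dataclass

# One HJT entry per line: a section code (R0, R1, O2, O4, O20, O23, ...),
# then " - ", then the body. Headers, process lists and footers never match.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
VOWELS = set("aeiouy")


@dataclass(frozen=True)
class Entry:
    code: str
    body: str


def parse_hjt(text: str) -> list[Entry]:
    """Return the R*/O* entries of a log in file order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """Entries only in the earlier log (removed) and only in the later one (added)."""
    b, a = parse_hjt(before), parse_hjt(after)
    b_set, a_set = set(b), set(a)
    return [e for e in b if e not in a_set], [e for e in a if e not in b_set]


def looks_random(path: str) -> bool:
    """Heuristic (my assumption, not an HJT rule): a letters-only file stem of five
    or more characters with under 20% vowels (mljkkkj, npadprdg) is typical of
    generated malware names and rare for vendor DLLs."""
    stem = path.split("\\")[-1].rsplit(".", 1)[0].lower()
    if len(stem) < 5 or not stem.isalpha():
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.2


def triage(e: Entry) -> list[str]:
    """Reasons an entry deserves a closer look; an empty list means none stood out."""
    reasons = []
    if e.code == "O2":
        if e.body.startswith("BHO: (no name)"):
            reasons.append("BHO registered without a name")
        if e.body.endswith("(no file)"):
            reasons.append("orphan CLSID: BHO registered but its DLL is gone")
    if e.code == "O20" and e.body.startswith("Winlogon Notify"):
        reasons.append("Winlogon Notify DLL is loaded into winlogon.exe at every logon")
    if e.code in ("O2", "O20"):
        # The DLL path is the last " - " separated field; only O2/O20 DLLs are
        # name-checked so legitimate O4 entries such as ctfmon.exe are not flagged.
        path = e.body.rsplit(" - ", 1)[-1]
        if path.lower().endswith(".dll") and looks_random(path):
            reasons.append("pseudo-random DLL name: " + path.split("\\")[-1])
    return reasons


def summarize(before: str, after: str) -> dict[str, list[str]]:
    """Map each removed entry (as its original line text) to its triage reasons."""
    removed, _ = diff_logs(before, after)
    return {f"{e.code} - {e.body}": triage(e) for e in removed}


# Constructed sample: a subset of the thread's first log (12/13/2007) ...
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:10 AM, on 12/13/2007

O2 - BHO: (no name) - {0022682C-C925-4083-98B4-E96EBB6EA573} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1515B906-999A-48F3-8BF4-B7EC61BF5B38} - C:\WINDOWS\system32\mljkkkj.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {65FF10BB-F36A-68E9-AA35-02257E958C1F} - C:\Program Files\Whcihqsr\npadprdg.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: mljkkkj - C:\WINDOWS\SYSTEM32\mljkkkj.dll
O20 - Winlogon Notify: winpsa32 - C:\WINDOWS\SYSTEM32\winpsa32.dll
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)
"""

# ... and the same subset of the log posted after the ComboFix run (12/18/2007).
AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:45 AM, on 12/18/2007
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)
"""

if __name__ == "__main__":
    for line, reasons in summarize(BEFORE_LOG, AFTER_LOG).items():
        print(line, *("\n    -> " + r for r in reasons))
```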
