
Thread: surprise, more virtumonde >=(

  1. #1
    Junior Member
    Join Date
    Jan 2008
    Posts
    4

    surprise, more virtumonde >=(

    hey guys, I've read through your forums for a while, and I've been trying to deal with Virtumonde all day... I ran ComboFix and am running Trend Micro's HijackThis as I'm typing this, so I'm including both logs in this post (assuming they fit). I've seen no replies for anyone on how to get rid of Virtumonde, but I'm hoping it will be different for me.

    ComboFix 08-01-16.1 - use this one 2008-01-15 18:35:02.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1538 [GMT -8:00]
    Running from: C:\Documents and Settings\use this one\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Common Files\microsoft shared\web folders\ibm00001.dll
    C:\Program Files\Common Files\microsoft shared\web folders\ibm00002.dll
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Program Files\Helper
    C:\Program Files\Intel Audio Studio\IntelAudioStudio .exe
    C:\Program Files\Intel Audio Studio\IntelAudioStudio .exe
    C:\Program Files\Intel Audio Studio\IntelAudioStudio .exe
    C:\Program Files\Intel Audio Studio\IntelAudioStudio .exe
    C:\Program Files\Intel Audio Studio\IntelAudioStudio .exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr .Exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr .Exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr .Exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr .Exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr .Exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr .Exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr .Exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr .Exe
    C:\WINDOWS\system32\byvsppn.dll
    C:\WINDOWS\system32\ctfmon .exe
    C:\WINDOWS\system32\ctfmon.exe.tmp
    C:\WINDOWS\system32\hgghhfc.dll
    C:\WINDOWS\system32\jjkkj.ini
    C:\WINDOWS\system32\jjkkj.ini2
    C:\WINDOWS\system32\jkkjj.dll
    C:\WINDOWS\system32\jkkjj.exe
    C:\WINDOWS\system32\pmnljjk.dll
    C:\WINDOWS\system32\RCX1F.tmp
    C:\WINDOWS\system32\ssttrsp.dll
    C:\WINDOWS\system32\wingkb32.dll

    C:\Program Files\ATI Technologies\ATI.ACE\cli .exe ---> cli.exe
    C:\Program Files\DAEMON Tools Lite\daemon .exe ---> daemon.exe
    C:\Program Files\Intel Audio Studio\IntelAudioStudio      .exe ---> IntelAudioStudio.exe
    C:\Program Files\Messenger\msmsgs .exe ---> msmsgs.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe ---> GrooveMonitor.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr         .Exe ---> MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon .exe ---> QooBox
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_SYSLIBRARY


    ((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
    .

    2008-01-15 18:30 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-15 09:38 . 2008-01-15 09:38 <DIR> d-------- C:\Program Files\Safer Networking
    2008-01-15 08:02 . 2008-01-15 08:02 327,168 --a------ C:\WINDOWS\system32\jkkjj.dll_old
    2008-01-15 04:18 . 2008-01-15 15:59 832 --a------ C:\WINDOWS\wininit.ini
    2008-01-15 04:09 . 2003-07-19 07:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
    2008-01-15 04:09 . 2005-01-02 22:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
    2008-01-15 03:53 . 2008-01-15 04:06 <DIR> d-------- C:\Program Files\SealOnlineUSA
    2008-01-15 03:53 . 2008-01-15 03:53 65,536 --a------ C:\WINDOWS\IFinst27.exe
    2008-01-15 02:58 . 2008-01-15 02:58 <DIR> d-------- C:\WINDOWS\system32\AGEIA
    2008-01-15 02:58 . 2008-01-15 02:58 <DIR> d-------- C:\Program Files\AGEIA Technologies
    2008-01-15 02:09 . 2008-01-15 02:51 <DIR> d-------- C:\Program Files\Eudemons Online
    2008-01-15 01:56 . 2008-01-15 02:57 <DIR> d-------- C:\Program Files\Netdevil
    2008-01-15 01:56 . 2006-01-06 17:54 107,696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2008-01-15 01:56 . 2006-01-06 17:54 87,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2008-01-15 01:56 . 2008-01-15 01:56 10,344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
    2008-01-15 01:50 . 2008-01-15 01:57 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec
    2008-01-15 01:18 . 2008-01-15 01:18 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Longbow Digital Arts
    2008-01-15 01:12 . 2008-01-15 01:12 <DIR> d-------- C:\Documents and Settings\use this one\Application Data\Longbow Digital Arts
    2008-01-15 01:08 . 2008-01-15 01:08 <DIR> d-------- C:\Program Files\LDA Games
    2008-01-15 00:41 . 2008-01-15 00:41 <DIR> d-------- C:\WINDOWS\95FC26FB19FD4A96BBB1B1062E8648F5.TMP
    2008-01-14 18:56 . 2008-01-14 18:56 54,764 --a------ C:\WINDOWS\system32\dxdss.sys
    2008-01-14 18:12 . 2008-01-14 18:12 <DIR> d-------- C:\Program Files\Guild Wars
    2008-01-14 09:20 . 2008-01-14 09:22 <DIR> d-------- C:\Program Files\Talisman
    2008-01-14 08:44 . 2008-01-14 08:44 25 --a------ C:\WINDOWS\TDH_Launcher.ini
    2008-01-14 05:26 . 2008-01-14 09:00 <DIR> d-------- C:\Mgame
    2008-01-14 05:06 . 2008-01-14 08:34 <DIR> d-------- C:\Program Files\Scions of Fate
    2008-01-14 01:25 . 2008-01-14 01:25 <DIR> d-------- C:\Program Files\ExtractNow
    2008-01-14 01:25 . 2008-01-14 01:25 34,308 --a------ C:\WINDOWS\system32\Chip.dll
    2008-01-13 16:15 . 2008-01-13 16:15 <DIR> d-------- C:\Program Files\Rockstar Games
    2008-01-13 16:11 . 2008-01-15 18:45 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
    2008-01-13 16:11 . 2008-01-13 16:11 <DIR> d-------- C:\Documents and Settings\use this one\Application Data\DAEMON Tools
    2008-01-13 16:08 . 2008-01-13 16:08 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2008-01-13 02:42 . 2008-01-13 02:42 2,444 --a------ C:\WINDOWS\system32\wpa.bak
    2008-01-10 16:58 . 2008-01-10 16:58 <DIR> d-------- C:\Documents and Settings\Random Name\Application Data\ATI
    2008-01-10 16:29 . 2008-01-10 16:29 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll
    2008-01-03 13:09 . 2008-01-03 16:51 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
    2008-01-03 01:30 . 2008-01-03 01:30 <DIR> d-------- C:\Program Files\THQ
    2007-12-31 04:52 . 2008-01-15 09:49 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
    2007-12-19 09:12 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
    2007-12-18 20:49 . 2007-12-18 20:49 <DIR> d-------- C:\Documents and Settings\use this one\Application Data\teamspeak2
    2007-12-18 18:21 . 2007-12-18 18:21 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2007-12-17 14:43 . 2007-12-17 14:43 <DIR> d-------- C:\Program Files\uTorrent
    2007-12-17 14:43 . 2008-01-14 18:13 <DIR> d-------- C:\Documents and Settings\use this one\Application Data\uTorrent
    2007-12-16 23:37 . 2006-10-26 16:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
    2007-12-16 23:32 . 2007-12-18 03:01 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
    2007-12-16 20:11 . 2007-12-16 20:11 <DIR> d-------- C:\Documents and Settings\use this one\Application Data\MSNInstaller
    2007-12-16 08:49 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2007-12-16 08:49 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
    2007-12-16 08:49 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
    2007-12-16 05:28 . 2007-12-16 05:28 <DIR> d---s---- C:\Documents and Settings\use this one\UserData
    2007-12-16 03:00 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-16 02:45 --------- d-----w C:\Program Files\Intel Audio Studio
    2008-01-15 10:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-15 09:57 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-01-15 09:57 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-01-15 09:56 --------- d-----w C:\Program Files\Symantec
    2008-01-15 09:56 --------- d-----w C:\Program Files\Norton AntiVirus
    2008-01-15 02:53 --------- d-s---w C:\Program Files\Xfire
    2008-01-15 02:21 --------- d-----w C:\Documents and Settings\use this one\Application Data\Xfire
    2008-01-14 19:17 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
    2008-01-14 09:34 --------- d-----w C:\Program Files\Electronic Arts
    2008-01-13 14:03 --------- d-----w C:\Program Files\Silkroad
    2008-01-13 12:01 --------- d-----w C:\Program Files\XoftSpySE
    2007-12-28 08:00 --------- d-----w C:\Program Files\PokerStars
    2007-12-19 08:46 --------- d-----w C:\Program Files\PokerStars.TEST
    2007-12-19 04:00 --------- d-----w C:\Program Files\VUGames
    2007-12-16 02:44 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
    2007-12-16 02:44 --------- d-----w C:\Program Files\Windows Live
    2007-12-15 17:56 --------- d-----w C:\Documents and Settings\use this one\Application Data\Talkback
    2007-12-15 17:47 --------- d-----w C:\Documents and Settings\NetworkService.NT AUTHORITY.001\Application Data\Xfire
    2007-12-15 14:31 --------- d-----w C:\Documents and Settings\use this one\Application Data\InterTrust
    2007-12-15 08:22 743 ----a-w C:\Program Files\INSTALL.LOG
    2007-12-15 08:07 155,995 ----a-w C:\WINDOWS\java\Packages\C5NJ7HB5.ZIP
    2007-12-15 08:07 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Motive
    2007-12-15 07:59 --------- d-----w C:\Documents and Settings\use this one\Application Data\ATI
    2007-12-13 22:40 --------- d-----w C:\Documents and Settings\sabbath.THE-CRAPPER\Application Data\Xfire
    2007-12-12 22:13 --------- d-----w C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\Xfire
    2007-12-12 20:11 --------- d-----w C:\Program Files\MSECache
    2007-12-09 14:55 --------- d-----w C:\Documents and Settings\sabbath.THE-CRAPPER\Application Data\Apple Computer
    2007-12-09 14:01 --------- d-----w C:\Documents and Settings\sabbath.THE-CRAPPER\Application Data\Nero
    2007-12-09 14:00 --------- d-----w C:\Program Files\Common Files\Nero
    2007-12-09 13:59 --------- d-----w C:\Program Files\Nero
    2007-12-09 13:56 --------- d-----w C:\Program Files\The Weather Channel FW
    2007-12-01 03:34 41,472 --sha-w C:\Program Files\Thumbs.db
    2007-12-01 03:34 --------- d-----w C:\Program Files\XoftSpy
    2007-12-01 03:34 --------- d-----w C:\Program Files\wxDownload Fast
    2007-12-01 03:34 --------- d-----w C:\Program Files\World of Warcraft
    2007-12-01 03:34 --------- d-----w C:\Program Files\Trickster Online
    2007-11-30 18:44 --------- d-----w C:\Documents and Settings\sabbath.THE-CRAPPER\Application Data\Ventrilo
    2007-11-30 18:25 --------- d-----w C:\Program Files\Ventrilo
    2007-11-29 17:26 --------- d-----w C:\Program Files\Windows Media Connect 2
    2007-11-18 13:09 --------- d-----w C:\Program Files\QuickTime
    2007-11-18 13:08 --------- d-----w C:\Program Files\Apple Software Update
    2007-11-17 23:26 --------- d-----w C:\Program Files\Telltale Games
    2007-11-17 23:20 --------- d-----w C:\Documents and Settings\sabbath.THE-CRAPPER\Application Data\GetRightToGo
    2007-11-16 10:45 --------- d-----w C:\Documents and Settings\jenna.THE-CRAPPER.000\Application Data\ATI
    2007-11-16 10:36 --------- d-----w C:\Documents and Settings\sabbath.THE-CRAPPER\Application Data\uTorrent
    2007-11-16 07:11 --------- d-----w C:\Documents and Settings\sabbath.THE-CRAPPER\Application Data\ATI
    2007-11-16 06:31 --------- d-----w C:\Program Files\Real
    2007-11-16 06:30 --------- d-----w C:\Program Files\MSN Messenger
    2007-11-16 06:07 --------- d-----w C:\Documents and Settings\sabbath.THE-CRAPPER\Application Data\MSNInstaller
    2007-03-18 19:47 21,184 -c--a-w C:\Program Files\DRIED SHRIMP.jpg
    2007-03-18 19:47 16,466 -c--a-w C:\Program Files\SHRIMP PASTE.jpg
    2007-03-18 19:44 76,315 -c--a-w C:\Program Files\grilled shrimp.gif
    2007-03-18 19:43 200,621 -c--a-w C:\Program Files\FROZEN WHITE SHRIMP.jpg
    2007-03-18 19:42 19,183 -c--a-w C:\Program Files\White_Vennamei_Shrimp.jpg
    2007-03-18 19:41 17,318 -c--a-w C:\Program Files\RAW WHITE SHRIMP.jpg
    2007-03-18 19:41 11,356 -c--a-w C:\Program Files\WHITE SHRIMP.jpg
    2006-12-09 06:06 32,090 ----a-w C:\Program Files\conanmanatee.jpg
    2006-10-07 23:25 137,039,872 -c--a-w C:\Program Files\BEML6_testpack1.exe
    2006-10-07 23:11 2,010,624 ----a-w C:\Program Files\ventrilo-2.3.0-Windows-i386.exe
    2004-10-01 19:00 40,960 -c--a-w C:\Program Files\Uninstall_CDS.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr .exe" [ ]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-15 16:00 1694208]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
    "DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-15 16:00 486856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2008-01-15 16:00 45056]
    "SigmatelSysTrayApp"="sttray.exe" []
    "IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio .exe" [ ]
    "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-01-15 16:00 31016]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "SpybotDeletingA6394"="command /c del C:\WINDOWS\system32\jkkjj.dll_old" [ ]
    "SpybotDeletingC6393"="cmd /c del C:\WINDOWS\system32\jkkjj.dll_old" [ ]

    S3 XDva068;XDva068;C:\WINDOWS\system32\XDva068.sys []

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-16 02:45:27 C:\WINDOWS\Tasks\XoftSpySE 2.job"
    - C:\Program Files\XoftSpySE\XoftSpy.exe
    "2008-01-15 11:01:18 C:\WINDOWS\Tasks\XoftSpySE.job"
    - C:\Program Files\XoftSpySE\XoftSpy.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-15 18:45:41
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-15 18:49:09 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-16 02:49:06
    .
    2008-01-15 17:52:10 --- E O F ---

    and:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:44:46 PM, on 1/15/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ATKKBService.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio .exe" TRAY
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\RunOnce: [SpybotDeletingA7962] command /c del "C:\WINDOWS\system32\jkkjj.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC1560] cmd /c del "C:\WINDOWS\system32\jkkjj.dll_old"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr .Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 4185 bytes
    I did not rename hijackthis.exe to puppy.exe or anything like that (FYI).

  2. #2
    Junior Member
    Join Date
    Jan 2008
    Posts
    4

    also...

    I'm also having GrooveMonitor.exe and ctfmon.exe problems.
    I'm like 90% sure they are bad and I can't get rid of them... suggestions??

  3. #3
    Junior Member
    Join Date
    Jan 2008
    Posts
    4

    i know :(

    I know I'm not supposed to be putting in multiple replies to this, but I must apologize that Trend Micro is not yet finished... I've had the comp restart on me and freeze and yadda yadda... so I'm attempting to get the scan done now... if there's anything you can do with the log posted above, that would be great.
    <3 SpyBot-S&D
    -SBSDlover

  4. #4
    Junior Member
    Join Date
    Jan 2008
    Posts
    4

    finally

    OK, here it is (finally):

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:41:09 AM, on 1/17/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ATKKBService.exe
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Xfire\Xfire.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio .exe" TRAY
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr .Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    --
    End of file - 4936 bytes
