
Thread: Virtumonde: braviax-induced, Kaspersky & HJT

  1. #1
    Junior Member
    Join Date
    Mar 2008
    Posts
    29

    Virtumonde: braviax-induced, Kaspersky & HJT

    Thanks so much for taking a look.
    It's taken me 6 days to get a Windows interface back (even in "safe" mode!) and the ability to use the web.
    As far as I can tell, all traces of braviax and cru629 themselves are gone; the virtumonde has remained elusive.
    I've run Spybot S&D and "fixed" the red entries, then Kaspersky from the web, then HJT. The two reports follow.
    Thank you again for your offer to take a look,
    Rich

    KASPERSKY ONLINE SCANNER REPORT
    Monday, March 31, 2008 1:14:56 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 31/03/2008
    Kaspersky Anti-Virus database records: 674513
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 166074
    Number of viruses found: 4
    Number of infected objects: 25
    Number of suspicious objects: 0
    Duration of the scan process: 03:15:31

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\Administrator\Desktop\catchme.zip/beep.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
    C:\Documents and Settings\Administrator\Desktop\catchme.zip/beep.sys.1 Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
    C:\Documents and Settings\Administrator\Desktop\catchme.zip ZIP: infected - 2 skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\0061_File_Monitoring_eventlog.rpt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\0062_Mail_Monitoring_eventlog.rpt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\0063_Web_Monitoring_eventlog.rpt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.idx Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.rpt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\eventlog.rpt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\report.rpt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0102\0310\values Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Richard Feldman\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Richard Feldman\Desktop\Misc\F-pres v2000 dbx\Sent Items.dbx/[From "Rich Feldman" <rfeldman@bendcable.com>][Date Mon, 4 Dec 2006 23:48:50 -0800]/UNNAMED/setupwavtomp3.exe/WISE0016.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
    C:\Documents and Settings\Richard Feldman\Desktop\Misc\F-pres v2000 dbx\Sent Items.dbx/[From "Rich Feldman" <rfeldman@bendcable.com>][Date Mon, 4 Dec 2006 23:48:50 -0800]/UNNAMED/setupwavtomp3.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
    C:\Documents and Settings\Richard Feldman\Desktop\Misc\F-pres v2000 dbx\Sent Items.dbx/[From "Rich Feldman" <rfeldman@bendcable.com>][Date Mon, 4 Dec 2006 23:48:50 -0800]/UNNAMED Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
    C:\Documents and Settings\Richard Feldman\Desktop\Misc\F-pres v2000 dbx\Sent Items.dbx Mail MS Outlook 5: infected - 3 skipped
    C:\Documents and Settings\Richard Feldman\Desktop\Misc\F-pres v2000 dbx\Spin.dbx/[From "eBay Member: alwaysonthelevel" <member@ebay.com>][Date Thu, 5 May 2005 10:46:25 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
    C:\Documents and Settings\Richard Feldman\Desktop\Misc\F-pres v2000 dbx\Spin.dbx/[From "eBay Member: alwaysonthelevel" <member@ebay.com>][Date Wed, 18 May 2005 10:15:37 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
    C:\Documents and Settings\Richard Feldman\Desktop\Misc\F-pres v2000 dbx\Spin.dbx Mail MS Outlook 5: infected - 2 skipped
    C:\Documents and Settings\Richard Feldman\Local Settings\Application Data\Identities\{DC40B654-6026-4B52-AAF7-9998CE175EAF}\Microsoft\Outlook Express\Spin.bak/[From "eBay Member: alwaysonthelevel" <member@ebay.com>][Date Thu, 5 May 2005 10:46:25 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
    C:\Documents and Settings\Richard Feldman\Local Settings\Application Data\Identities\{DC40B654-6026-4B52-AAF7-9998CE175EAF}\Microsoft\Outlook Express\Spin.bak/[From "eBay Member: alwaysonthelevel" <member@ebay.com>][Date Wed, 18 May 2005 10:15:37 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
    C:\Documents and Settings\Richard Feldman\Local Settings\Application Data\Identities\{DC40B654-6026-4B52-AAF7-9998CE175EAF}\Microsoft\Outlook Express\Spin.bak Mail MS Outlook 5: infected - 2 skipped
    C:\Documents and Settings\Richard Feldman\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
    C:\Documents and Settings\Richard Feldman\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
    C:\Documents and Settings\Richard Feldman\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\Richard Feldman\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Richard Feldman\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Richard Feldman\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Richard Feldman\Local Settings\History\History.IE5\MSHist012008033120080401\index.dat Object is locked skipped
    C:\Documents and Settings\Richard Feldman\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Richard Feldman\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Richard Feldman\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Richard Feldman\ntuser.dat.LOG Object is locked skipped
    C:\SDFix\backups_old4\backups.zip/backups/beep.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
    C:\SDFix\backups_old4\backups.zip/backups/winivstr.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
    C:\SDFix\backups_old4\backups.zip ZIP: infected - 2 skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\tracking.log Object is locked skipped
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP294\A0029527.exe/WISE0016.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP294\A0029527.exe WiseSFX: infected - 1 skipped
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP337\A0038205.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP339\A0038318.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP342\A0041326.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP343\A0042329.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP343\A0042332.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP343\A0042340.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP343\A0042346.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
    C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP346\change.log Object is locked skipped
    C:\WINDOWS\CSC\00000001 Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
    C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
    C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
    C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
    C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
    C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
    C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\twain_32\tzraqlo.dll Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

    ---------------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:16:20 PM, on 3/31/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Richard Feldman\My Documents\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: (no name) - {0B05BAFD-9A65-4DCB-87D1-58BDD8B65628} - C:\WINDOWS\system32\awtqq.dll (file missing)
    O2 - BHO: (no name) - {D8810E13-F0A9-4ED5-8299-C29100A6EF4A} - C:\WINDOWS\system32\pmnlk.dll (file missing)
    O2 - BHO: (no name) - {E438A7F5-82E1-4786-9E44-B064135451AB} - C:\WINDOWS\system32\mljjh.dll (file missing)
    O2 - BHO: (no name) - {E97B3691-C10E-40CD-9597-81151D366D45} - C:\WINDOWS\system32\awtqr.dll (file missing)
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Cu...ataManager.CAB
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187565712125
    O16 - DPF: {7DD82D6B-3553-470B-8D1E-D5C7086478A7} (QBMASSyncCom2_2005.UserControl1) - https://merchantaccount.quickbooks.c...cCom2_2005.cab
    O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
    O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/...dsolutions.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {F21AC8A4-4322-11D6-8EBE-0001023D1A2A} (IntuitRecurPayCom.UserControl1) - https://merchantaccount.quickbooks.c...ecurPayCom.cab
    O16 - DPF: {F8A9F96F-8375-4596-BD89-EEAE2781D810} (QBMASSyncCom1.UserControl1) - https://merchantaccount.quickbooks.c...ASSyncCom1.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - Winlogon Notify: vturopo - C:\WINDOWS\
    O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
    O24 - Desktop Component 0: (no name) - http://images.metacafe.com/image215_...nny_cats_2.jpg

    --
    End of file - 5307 bytes
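As an added illustration, not part of this thread and not code from HijackThis or any other tool named here, the Python script below parses HijackThis lines of the kind shown in the log above and flags the persistence entries this sort of infection leaves behind: O2/O22 registrations whose module is missing on disk, an O20 Winlogon Notify entry that names only a directory, and DLL names that look machine-generated. The sample lines are copied from the log above plus two benign entries (O4, O23) for contrast; the "looks random" threshold is a heuristic of my own, not a HijackThis rule, and a hit means "look closer", not "infected".

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample (a subset of the log above, not the full file):
# the O2/O20/O22 persistence entries plus two benign lines that must
# not be flagged.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0B05BAFD-9A65-4DCB-87D1-58BDD8B65628} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: (no name) - {D8810E13-F0A9-4ED5-8299-C29100A6EF4A} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O20 - Winlogon Notify: vturopo - C:\WINDOWS\
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
"""

# Every HJT line starts with a section tag ("O2", "R1", ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<sec>[OR]\d+) - (?P<body>.*)$")

# Sections that load a DLL at logon / browser start and so are the usual
# places a Vundo-style BHO infection registers itself.
PERSISTENCE_SECTIONS = {"O2", "O20", "O22"}

VOWELS = set("aeiou")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def looks_random(stem: str) -> bool:
    """Heuristic (my assumption, not a vendor rule): 5-8 lowercase letters
    with fewer than half vowels, which is how the module names in the log
    above (awtqq, pmnlk, mljjh, awtqr, jfiehayd) look."""
    if not (5 <= len(stem) <= 8) or not stem.isalpha() or not stem.islower():
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.5


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per persistence entry worth a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m or m["sec"] not in PERSISTENCE_SECTIONS:
            continue
        sec, body = m["sec"], m["body"]
        # The last " - " separated field is the loaded module (or directory).
        target = body.rsplit(" - ", 1)[-1]
        missing = target.endswith("(file missing)")
        path = target.replace("(file missing)", "").strip().strip('"')
        if missing:
            # Registration survived but the DLL is gone or hidden from the scanner.
            findings.append(Finding(sec, "registered module is missing on disk", line))
        elif path.endswith("\\"):
            # A Winlogon Notify entry that names no DLL at all is not a normal package.
            findings.append(Finding(sec, "target is a bare directory, no module named", line))
        else:
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if looks_random(stem):
                findings.append(Finding(sec, "module name looks machine-generated", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason:<45} {f.line}")
```

Run against the constructed sample it reports the two O2 entries and the O22 entry as missing modules and the O20 entry as a bare directory, while the Kaspersky O4 and O23 lines pass untouched; on a real log the output is a shortlist for the helper to check, which is the same prioritisation the thread's reply makes by sending the poster to VundoFix first.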

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hello Rich

    Welcome to Safer Networking.

    Please read Before You Post.
    That said, all advice given by anyone volunteering here is taken at your own risk.
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


    You need to move HJT to its own folder and set it up this way; it's hard to read your log the way you posted it, you need to uncheck wordwrap. You can delete HJT where you currently have it and download and install it properly.

    Download Trend Micro's HijackThis to your desktop.
    Double-click it to install.
    Follow the prompts and by default it will install in C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    • Open HJT, Scan and Save a Log File; it will open in Notepad
    • Go to Format and make sure Word Wrap is unchecked
    • Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread by using Post Reply and not starting a New Thread.

    DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

    Then you need to run these scans in the order I have them posted and, when you're done, post all the logs including a new HJT log.

    Download VundoFix to your desktop

    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.


    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    Please download Malwarebytes' Anti-Malware from Here or Here

    Double-click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected. <------
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply along with a HijackThis log.

    Download ComboFix from Here or Here to your Desktop.

    In the event you already have ComboFix, this is a new version that I need you to download.
    It must be saved directly to your desktop.

    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection again afterwards before connecting to the net.

    2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
    • If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
    • If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.

    3. Now double-click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.


    This is what I need.
    1. Vundofix log
    2. Malwarebytes log
    3. Combofix log
    4. New HJT log run from the proper folder and wordwrap unchecked.

    Ken
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Junior Member
    Join Date
    Mar 2008
    Posts
    29


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:21:47 AM, on 4/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: (no name) - {0B05BAFD-9A65-4DCB-87D1-58BDD8B65628} - C:\WINDOWS\system32\awtqq.dll (file missing)
    O2 - BHO: (no name) - {D8810E13-F0A9-4ED5-8299-C29100A6EF4A} - C:\WINDOWS\system32\pmnlk.dll (file missing)
    O2 - BHO: (no name) - {E438A7F5-82E1-4786-9E44-B064135451AB} - C:\WINDOWS\system32\mljjh.dll (file missing)
    O2 - BHO: (no name) - {E97B3691-C10E-40CD-9597-81151D366D45} - C:\WINDOWS\system32\awtqr.dll (file missing)
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Cu...ataManager.CAB
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187565712125
    O16 - DPF: {7DD82D6B-3553-470B-8D1E-D5C7086478A7} (QBMASSyncCom2_2005.UserControl1) - https://merchantaccount.quickbooks.c...cCom2_2005.cab
    O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
    O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/...dsolutions.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {F21AC8A4-4322-11D6-8EBE-0001023D1A2A} (IntuitRecurPayCom.UserControl1) - https://merchantaccount.quickbooks.c...ecurPayCom.cab
    O16 - DPF: {F8A9F96F-8375-4596-BD89-EEAE2781D810} (QBMASSyncCom1.UserControl1) - https://merchantaccount.quickbooks.c...ASSyncCom1.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - Winlogon Notify: vturopo - C:\WINDOWS\
    O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
    O24 - Desktop Component 0: (no name) - http://images.metacafe.com/image215_...nny_cats_2.jpg

    --
    End of file - 5348 bytes

    ----------------------------------------------------

    VundoFix V7.0.3

    Scan started at 7:41:03 AM 4/1/2008

    Listing files found while scanning....

    No infected files were found.

    ----------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:57:19 AM, on 4/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: (no name) - {0B05BAFD-9A65-4DCB-87D1-58BDD8B65628} - C:\WINDOWS\system32\awtqq.dll (file missing)
    O2 - BHO: (no name) - {D8810E13-F0A9-4ED5-8299-C29100A6EF4A} - C:\WINDOWS\system32\pmnlk.dll (file missing)
    O2 - BHO: (no name) - {E438A7F5-82E1-4786-9E44-B064135451AB} - C:\WINDOWS\system32\mljjh.dll (file missing)
    O2 - BHO: (no name) - {E97B3691-C10E-40CD-9597-81151D366D45} - C:\WINDOWS\system32\awtqr.dll (file missing)
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Cu...ataManager.CAB
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187565712125
    O16 - DPF: {7DD82D6B-3553-470B-8D1E-D5C7086478A7} (QBMASSyncCom2_2005.UserControl1) - https://merchantaccount.quickbooks.c...cCom2_2005.cab
    O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
    O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/...dsolutions.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {F21AC8A4-4322-11D6-8EBE-0001023D1A2A} (IntuitRecurPayCom.UserControl1) - https://merchantaccount.quickbooks.c...ecurPayCom.cab
    O16 - DPF: {F8A9F96F-8375-4596-BD89-EEAE2781D810} (QBMASSyncCom1.UserControl1) - https://merchantaccount.quickbooks.c...ASSyncCom1.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - Winlogon Notify: vturopo - C:\WINDOWS\
    O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
    O24 - Desktop Component 0: (no name) - http://images.metacafe.com/image215_...nny_cats_2.jpg

    --
    End of file - 5381 bytes

    ------------------------------------------------------

    Malwarebytes' Anti-Malware 1.09
    Database version: 578

    Scan type: Quick Scan
    Objects scanned: 30962
    Time elapsed: 6 minute(s), 24 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 5
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{c5af49a2-94f3-42bd-f434-2604812c897d} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5af49a2-94f3-42bd-f434-2604812c897d} (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Richard Feldman\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

    -------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:15:05 AM, on 4/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: (no name) - {0B05BAFD-9A65-4DCB-87D1-58BDD8B65628} - C:\WINDOWS\system32\awtqq.dll (file missing)
    O2 - BHO: (no name) - {D8810E13-F0A9-4ED5-8299-C29100A6EF4A} - C:\WINDOWS\system32\pmnlk.dll (file missing)
    O2 - BHO: (no name) - {E438A7F5-82E1-4786-9E44-B064135451AB} - C:\WINDOWS\system32\mljjh.dll (file missing)
    O2 - BHO: (no name) - {E97B3691-C10E-40CD-9597-81151D366D45} - C:\WINDOWS\system32\awtqr.dll (file missing)
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Cu...ataManager.CAB
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187565712125
    O16 - DPF: {7DD82D6B-3553-470B-8D1E-D5C7086478A7} (QBMASSyncCom2_2005.UserControl1) - https://merchantaccount.quickbooks.c...cCom2_2005.cab
    O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
    O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/...dsolutions.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {F21AC8A4-4322-11D6-8EBE-0001023D1A2A} (IntuitRecurPayCom.UserControl1) - https://merchantaccount.quickbooks.c...ecurPayCom.cab
    O16 - DPF: {F8A9F96F-8375-4596-BD89-EEAE2781D810} (QBMASSyncCom1.UserControl1) - https://merchantaccount.quickbooks.c...ASSyncCom1.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - Winlogon Notify: vturopo - C:\WINDOWS\
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
    O24 - Desktop Component 0: (no name) - http://images.metacafe.com/image215_...nny_cats_2.jpg

    --
    End of file - 5289 bytes

    ------------------------------------------------

    COMBOFIX AND HJT IN NEXT REPLY

  4. #4 (Junior Member, Join Date: Mar 2008, Posts: 29)

    ComboFix 08-03-30.5 - Richard Feldman 2008-04-01 8:40:01.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.72 [GMT -7:00]
    Running from: C:\Documents and Settings\Richard Feldman\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Richard Feldman\Application Data\inst.exe
    C:\WINDOWS\system32\bszip.dll
    C:\WINDOWS\system32\Cache
    C:\WINDOWS\system32\hjjlm.ini
    C:\WINDOWS\system32\hjjlm.ini2
    C:\WINDOWS\system32\klnmp.ini
    C:\WINDOWS\system32\klnmp.ini2
    C:\WINDOWS\system32\qqtwa.ini
    C:\WINDOWS\system32\qqtwa.ini2
    C:\WINDOWS\system32\rqtwa.ini
    C:\WINDOWS\system32\rqtwa.ini2

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_IPRIP
    -------\Service_Iprip


    ((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
    .

    2008-04-01 08:00 . 2008-04-01 08:00 <DIR> d-------- C:\Documents and Settings\Richard Feldman\Application Data\Malwarebytes
    2008-04-01 08:00 . 2008-04-01 08:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-04-01 07:59 . 2008-04-01 08:00 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-04-01 07:27 . 2008-04-01 07:27 <DIR> d-------- C:\VundoFix Backups
    2008-03-31 06:24 . 2004-08-04 06:00 135,680 --a------ C:\WINDOWS\system32\taskmgr.exe
    2008-03-31 06:24 . 2004-08-04 06:00 135,680 --a------ C:\WINDOWS\system32\dllcache\taskmgr.exe
    2008-03-30 17:52 . 2008-03-30 17:52 0 --a------ C:\Documents and Settings\Administrator\Application Data\wklnhst.dat
    2008-03-30 11:51 . 2008-03-30 11:51 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
    2008-03-30 11:51 . 2008-03-30 11:51 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
    2008-03-30 11:50 . 2008-04-01 08:50 9,424,160 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-03-30 11:50 . 2008-04-01 08:50 130,400 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-03-30 11:50 . 2008-04-01 08:51 15,392 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2008-03-30 11:50 . 2008-04-01 08:50 2,468 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
    2008-03-30 11:49 . 2008-03-30 11:49 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2008-03-30 00:45 . 2008-03-30 00:45 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
    2008-03-29 22:26 . 2008-03-29 22:27 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-03-29 22:26 . 2008-03-30 09:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-03-29 10:12 . 2008-03-29 10:12 <DIR> d-------- C:\Documents and Settings\Richard Feldman\Application Data\Grisoft
    2008-03-28 19:27 . 2007-01-18 05:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
    2008-03-28 19:05 . 2008-03-28 19:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
    2008-03-28 19:04 . 2007-05-30 05:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2008-03-28 16:11 . 2008-03-28 18:03 <DIR> d-------- C:\kav
    2008-03-28 12:41 . 2008-03-28 12:41 <DIR> d-------- C:\Program Files\Trend Micro
    2008-03-28 12:26 . 2008-03-28 12:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-03-28 12:26 . 2008-04-01 08:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-03-28 01:39 . 2008-03-28 01:39 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
    2008-03-28 01:03 . 2008-03-28 01:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\VersionTracker Pro
    2008-03-28 00:46 . 2008-03-29 08:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
    2008-03-28 00:33 . 2008-03-28 00:38 <DIR> d-------- C:\Documents and Settings\Richard Feldman\Application Data\AVG7
    2008-03-28 00:33 . 2008-03-28 00:33 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-03-28 00:32 . 2008-03-30 11:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-03-28 00:13 . 2008-03-28 00:13 <DIR> d-------- C:\Program Files\CCleaner
    2008-03-27 22:43 . 2008-03-30 08:50 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2008-03-27 22:30 . 2008-03-27 22:30 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-03-27 22:09 . 2008-03-30 10:54 <DIR> d-------- C:\SDFix
    2008-03-27 21:50 . 2008-03-27 21:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\U3
    2008-03-26 23:07 . 2008-03-26 23:07 <DIR> d-------- C:\Program Files\Lavasoft
    2008-03-26 23:05 . 2008-03-26 23:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-03-26 10:33 . 2008-03-26 18:19 <DIR> d-------- C:\Documents and Settings\Richard Feldman\Application Data\VersionTracker Pro
    2008-03-26 10:32 . 2008-03-26 10:32 <DIR> d-------- C:\Program Files\TechTracker
    2008-03-24 13:05 . 2008-03-26 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
    2008-03-24 07:34 . 2008-03-24 07:34 <DIR> d-------- C:\Documents and Settings\Richard Feldman\Application Data\IObit
    2008-03-21 18:16 . 2008-03-21 18:16 <DIR> d-------- C:\Program Files\IObit
    2008-03-21 18:15 . 2008-03-21 18:15 <DIR> d-------- C:\Program Files\Auslogics
    2008-03-21 18:15 . 2008-03-21 18:15 <DIR> d-------- C:\Documents and Settings\Richard Feldman\Application Data\Auslogics
    2008-03-20 09:02 . 2004-08-04 06:00 5,632 --a------ C:\WINDOWS\system32\write.exe
    2008-03-20 09:02 . 2004-08-04 06:00 5,632 --a------ C:\WINDOWS\system32\dllcache\write.exe
    2008-03-20 09:01 . 2004-08-04 06:00 214,528 --a------ C:\WINDOWS\system32\dllcache\wordpad.exe
    2008-03-19 10:05 . 2008-03-19 10:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
    2008-03-18 00:52 . 2008-03-18 00:52 <DIR> d-------- C:\Documents and Settings\Richard Feldman\Application Data\PCF-VLC
    2008-03-17 21:35 . 2008-03-17 21:35 <DIR> d-------- C:\Documents and Settings\Richard Feldman\Application Data\Participatory Culture Foundation
    2008-03-17 21:34 . 2008-03-17 21:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Participatory Culture Foundation
    2008-03-17 21:33 . 2008-03-17 21:33 <DIR> d-------- C:\Program Files\Participatory Culture Foundation
    2008-03-14 17:17 . 2008-03-14 17:22 <DIR> d-------- C:\Program Files\Microsoft Expression
    2008-03-14 08:21 . 2008-03-14 08:21 <DIR> d-------- C:\Program Files\Uniblue
    2008-03-13 22:03 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
    2008-03-13 21:01 . 2008-03-13 21:01 <DIR> d-------- C:\Program Files\Microsoft.NET
    2008-03-13 20:54 . 2008-03-13 20:54 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
    2008-03-13 20:53 . 2008-03-14 16:58 <DIR> d-------- C:\WINDOWS\SHELLNEW
    2008-03-13 20:50 . 2008-03-15 19:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-03-13 20:48 . 2008-03-13 20:48 <DIR> dr-h----- C:\MSOCache
    2008-03-13 19:00 . 2008-03-13 19:00 <DIR> d-------- C:\Program Files\MagicISO
    2008-03-10 21:26 . 2008-03-10 21:26 <DIR> d-------- C:\Program Files\ProXoft
    2008-03-10 17:59 . 2008-03-10 17:59 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.bmp
    2008-03-10 17:59 . 2008-03-10 17:59 12,896 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
    2008-03-10 17:54 . 2008-03-10 17:54 <DIR> d-------- C:\Documents and Settings\Richard Feldman\Application Data\AccurateRip
    2008-03-09 00:57 . 2008-03-09 00:57 107,928 --ah----- C:\WINDOWS\system32\mlfcache.dat
    2008-03-09 00:36 . 1999-10-10 11:00 41,984 --------- C:\WINDOWS\Ctregrun.exe
    2008-03-08 13:32 . 2008-03-09 01:03 <DIR> d-------- C:\Program Files\Picasa2
    2008-03-05 13:01 . 2008-03-05 13:00 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp m4a Codec.bmp
    2008-03-05 13:01 . 2008-03-05 13:01 3,625 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
    2008-03-04 10:29 . 2008-03-04 10:28 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.bmp
    2008-03-04 10:29 . 2008-03-04 10:29 3,400 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.dat
    2008-03-02 23:04 . 2008-03-02 23:04 <DIR> d-------- C:\Documents and Settings\Richard Feldman\Application Data\dBpoweramp
    2008-03-02 21:12 . 2008-03-02 21:12 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Wave64 Codec.bmp
    2008-03-02 21:12 . 2008-03-02 21:12 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBPoweramp tooLame MP2 codec.bmp
    2008-03-02 21:12 . 2008-03-02 21:11 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Real Audio (Helix) Encoder.bmp
    2008-03-02 21:12 . 2008-03-02 21:12 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Mp2 and BwfMp2 codec.bmp
    2008-03-02 21:12 . 2008-03-02 21:12 11,473 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Real Audio (Helix) Encoder.dat
    2008-03-02 21:12 . 2008-03-02 21:12 2,228 --a------ C:\WINDOWS\system32\SpoonUninstall-dBPoweramp tooLame MP2 codec.dat
    2008-03-02 21:12 . 2008-03-02 21:12 1,844 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Mp2 and BwfMp2 codec.dat
    2008-03-02 21:12 . 2008-03-02 21:12 1,224 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Wave64 Codec.dat
    2008-03-02 21:11 . 2008-03-02 21:11 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp WavPack Codec.bmp
    2008-03-02 21:11 . 2008-03-02 21:11 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Ogg Vorbis Codec.bmp
    2008-03-02 21:11 . 2008-03-02 21:10 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp mp3 (Fraunhofer IIS) Codec.bmp
    2008-03-02 21:11 . 2008-03-02 21:11 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Dalet Codec.bmp
    2008-03-02 21:11 . 2008-03-02 21:11 3,153 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp mp3 (Fraunhofer IIS) Codec.dat
    2008-03-02 21:11 . 2008-03-02 21:11 3,061 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Ogg Vorbis Codec.dat
    2008-03-02 21:11 . 2008-03-02 21:11 3,008 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp WavPack Codec.dat
    2008-03-02 21:11 . 2008-03-02 21:11 1,206 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Dalet Codec.dat
    2008-03-02 21:10 . 2008-03-02 21:10 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Monkeys Audio Codec.bmp
    2008-03-02 21:10 . 2008-03-02 21:10 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp FLAC Codec.bmp
    2008-03-02 21:10 . 2008-03-02 21:10 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp [Calculate Audio CRC] Codec.bmp
    2008-03-02 21:10 . 2008-03-02 21:10 3,107 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Monkeys Audio Codec.dat
    2008-03-02 21:10 . 2008-03-02 21:10 2,987 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
    2008-03-02 21:10 . 2008-03-02 21:10 2,843 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp [Calculate Audio CRC] Codec.dat
    2008-03-02 21:00 . 2008-03-02 20:59 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp DSP Effects.bmp
    2008-03-02 21:00 . 2008-03-02 21:00 8,457 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp DSP Effects.dat
    2008-03-02 20:59 . 2008-03-04 10:24 4,230,520 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
    2008-03-02 20:58 . 2008-03-02 20:58 <DIR> d-------- C:\Program Files\Illustrate

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-30 20:24 360 ----a-w C:\drmHeader.bin
    2008-03-27 04:41 --------- d-----w C:\Documents and Settings\Richard Feldman\Application Data\uTorrent
    2008-03-27 00:16 --------- d-----w C:\Program Files\LimeWire
    2008-03-26 17:33 43,162 ----a-w C:\Documents and Settings\Richard Feldman\Application Data\wklnhst.dat
    2008-03-26 17:26 --------- d-----w C:\Documents and Settings\Richard Feldman\Application Data\LimeWire
    2008-03-25 20:08 --------- d-----w C:\Program Files\Replay Media Catcher
    2008-03-25 17:29 --------- d-----w C:\Documents and Settings\Richard Feldman\Application Data\U3
    2008-03-22 03:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-03-20 15:45 --------- d-----w C:\Program Files\Creative
    2008-03-20 15:38 --------- d-----w C:\Program Files\Google
    2008-03-18 23:52 --------- d-----w C:\Documents and Settings\Richard Feldman\Application Data\OpenOffice.org2
    2008-03-17 03:00 --------- d-----w C:\Program Files\IrfanView
    2008-03-15 03:41 --------- d-----w C:\Program Files\uTorrent
    2008-03-14 16:12 --------- d-----w C:\Documents and Settings\Richard Feldman\Application Data\MailWasherPro
    2008-03-14 04:28 --------- d-----w C:\Program Files\Microsoft Works
    2008-03-14 04:23 --------- d-----w C:\Program Files\MSBuild
    2008-03-12 00:26 --------- d-----w C:\Documents and Settings\Richard Feldman\Application Data\Lavasoft
    2008-03-11 20:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
    2008-03-11 15:20 --------- d-----w C:\Program Files\Java
    2008-03-10 04:53 --------- d--h--w C:\Program Files\Creative Installation Information
    2008-03-10 04:39 --------- d-----w C:\Documents and Settings\Richard Feldman\Application Data\albumart
    2008-03-07 17:20 --------- d-----w C:\Program Files\Auctiontamer atx files
    2008-03-05 15:34 --------- d-----w C:\Documents and Settings\Richard Feldman\Application Data\Vso
    2008-03-01 01:19 --------- d-----w C:\Documents and Settings\Richard Feldman\Application Data\Creative
    2008-02-29 21:24 --------- d-----w C:\Program Files\Common Files\Creative
    2008-02-25 19:54 105,088 ----a-w C:\WINDOWS\system32\drivers\Rtnicxp.sys
    2008-02-25 17:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-02-24 04:55 34,622 ----a-w C:\Program Files\INSTALL.LOG
    2008-02-15 15:22 --------- d-----w C:\Program Files\CONEXANT
    2008-02-12 18:51 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-02-09 01:35 23,604 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
    2008-02-01 22:21 --------- d-----w C:\Program Files\OpenOffice.org 2.3
    2008-01-28 14:37 47,360 ----a-w C:\Documents and Settings\Richard Feldman\Application Data\pcouffin.sys
    2008-01-22 15:22 3,993,600 ----a-w C:\Program Files\atamer.exe
    2007-10-22 01:06 1,861 ----a-w C:\Program Files\atamer.log
    2007-10-21 00:29 2,272 ----a-w C:\Program Files\atamer1.log
    2007-10-19 19:23 459 ----a-w C:\Program Files\atamer2.log
    2007-10-19 14:46 1,108 ----a-w C:\Program Files\atamer3.log
    2007-10-19 03:25 4,390 ----a-w C:\Program Files\atamer4.log
    2007-10-19 03:24 3,039,846 ----a-w C:\Program Files\auctamerprobuy.exe
    2007-10-17 15:24 607 ----a-w C:\Program Files\atamer5.log
    2007-10-01 15:21 6,457 ----a-w C:\Program Files\atlist.htm
    2007-01-19 17:22 906,248 ----a-w C:\Program Files\atbuy20070102.exe
    2006-11-25 06:30 1,062 ----a-w C:\Program Files\uninstal.log
    2006-11-06 16:59 904,662 ----a-w C:\Program Files\atbuy20061030.exe
    2006-10-27 14:50 904,608 ----a-w C:\Program Files\atbuy20061024.exe
    2006-04-14 01:33 20,992 ----a-w C:\Program Files\atsmtpdll.dll
    2006-03-26 01:13 70,116 ----a-w C:\Program Files\itemfinder.wav
    2006-03-17 16:24 689 ----a-w C:\Program Files\atamer.exe.manifest
    2004-06-10 16:26 68,592 ----a-w C:\Program Files\won.wav
    2001-01-22 18:05 435,136 ----a-w C:\Program Files\Vsflex7d.ocx
    2001-01-10 18:23 162,304 ----a-w C:\Program Files\UNWISE.EXE
    2000-03-23 06:08 40,766 ----a-w C:\Program Files\hammer.wav
    2000-03-05 03:38 35,140 ----a-w C:\Program Files\paid.wav
    1998-05-02 00:01 13,292 ----a-w C:\Program Files\5Min.wav
    1997-07-11 16:37 1,758 ----a-w C:\Program Files\add.wav
    1996-09-05 01:03 64,556 ----a-w C:\Program Files\coin.wav
    1996-09-05 01:03 64,556 ----a-w C:\Program Files\ching.wav

    <<<<< CONTINUED >>>>>
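
The HijackThis log in the previous post and the ComboFix "Other Deletions" block above read together as one Vundo/Virtumonde fingerprint: four "(no name)" O2 BHOs loading 5-letter DLLs from system32 (awtqq, pmnlk, mljjh, awtqr), an O20 Winlogon Notify package (vturopo) whose path is just C:\WINDOWS\, an O22 SharedTaskScheduler entry with a gibberish name, and in ComboFix a .ini/.ini2 pair for each BHO whose name is the DLL name spelled backwards (awtqq.dll and qqtwa.ini, pmnlk.dll and klnmp.ini, and so on). Note that HijackThis reporting the DLLs as "(file missing)" is not evidence they are gone: ComboFix's Reg Loading Points still lists the same four CLSIDs, so the registry load points are what to track, not whether the file is currently visible. The script below is an added triage helper written for this thread; it is not part of HijackThis, ComboFix or the poster's material. The heuristics it applies are the editor's own assumptions about the Vundo pattern, the sample lines are copied from the logs posted here, and the benign "Example Helper" BHO with its all-zero CLSID is a constructed control that must not fire.

```python
"""Added triage helper for HijackThis and ComboFix text (editor's example, not a
HijackThis/ComboFix feature). Heuristics are assumptions about Vundo load points:
  O2  "(no name)" BHO loading a 5-letter lowercase system32 DLL
  O20 Winlogon Notify whose path is a directory, not a DLL
  O22 SharedTaskScheduler loading an unnamed system32 DLL
Vundo keeps its config as <dll-name-reversed>.ini/.ini2 beside the BHO DLL; those
are the files ComboFix lists under "Other Deletions", and this links them up."""
import re

# Constructed sample: lines copied from the HJT log in this thread plus one made-up
# benign BHO ("Example Helper", placeholder CLSID) as a control that must not fire.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {0B05BAFD-9A65-4DCB-87D1-58BDD8B65628} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: (no name) - {D8810E13-F0A9-4ED5-8299-C29100A6EF4A} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O20 - Winlogon Notify: vturopo - C:\WINDOWS\
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
"""

# Constructed sample: part of the ComboFix "Other Deletions" block from this thread.
SAMPLE_COMBOFIX_DELETIONS = r"""
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\klnmp.ini
C:\WINDOWS\system32\klnmp.ini2
C:\WINDOWS\system32\qqtwa.ini
C:\WINDOWS\system32\qqtwa.ini2
"""

CLSID = r"\{(?P<clsid>[0-9A-Fa-f-]{36})\}"
MISSING = r"(?P<missing> \(file missing\))?$"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - " + CLSID + r" - (?P<path>.*?)" + MISSING)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O22_RE = re.compile(r"^O22 - SharedTaskScheduler: (?P<name>.*?) - " + CLSID + r" - (?P<path>.*?)" + MISSING)
# A bare system32 DLL whose stem is letters only (Vundo's BHOs are 5 random letters).
SYS32_DLL_RE = re.compile(r"^C:\\WINDOWS\\system32\\(?P<stem>[a-z]+)\.dll$", re.IGNORECASE)


def _sys32_stem(path):
    """Lowercase stem of a bare system32 DLL path, or None for anything else."""
    m = SYS32_DLL_RE.match(path)
    return m.group("stem").lower() if m else None


def _finding(section, m, stem, reason):
    return {"section": section, "name": m.group("name"), "path": m.group("path"),
            "stem": stem, "missing": bool(m.groupdict().get("missing")), "reason": reason}


def scan_hjt(text):
    """Return the suspicious O2/O20/O22 load points in a HijackThis log, in log order."""
    findings = []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := O2_RE.match(line):
            stem = _sys32_stem(m.group("path"))
            if m.group("name") == "(no name)" and stem and len(stem) == 5:
                findings.append(_finding("O2", m, stem, "unnamed BHO loading a 5-letter system32 DLL (Vundo naming)"))
        elif (m := O20_RE.match(line)) and not m.group("path").lower().endswith(".dll"):
            findings.append(_finding("O20", m, None, "Winlogon Notify package with no DLL file"))
        elif (m := O22_RE.match(line)) and (stem := _sys32_stem(m.group("path"))):
            findings.append(_finding("O22", m, stem, "SharedTaskScheduler loading an unnamed system32 DLL"))
    return findings


def reversed_ini_names(dll_path):
    """Config files Vundo keeps for a BHO DLL: the stem reversed, with .ini and .ini2."""
    stem = _sys32_stem(dll_path)
    if not stem:
        return set()
    return {stem[::-1] + ".ini", stem[::-1] + ".ini2"}


def link_combofix_deletions(findings, combofix_text):
    """Map each flagged BHO stem to the reversed-name .ini files ComboFix removed."""
    deleted = {line.strip().rsplit("\\", 1)[-1].lower()
               for line in combofix_text.splitlines() if line.strip()}
    links = {}
    for f in findings:
        if f["section"] == "O2" and f["stem"]:
            hits = sorted(reversed_ini_names(f["path"]) & deleted)
            if hits:
                links[f["stem"]] = hits
    return links


if __name__ == "__main__":
    found = scan_hjt(SAMPLE_HJT)
    for f in found:
        flag = " [file missing]" if f["missing"] else ""
        print(f'{f["section"]:<4} {f["path"]}{flag}: {f["reason"]}')
    for stem, inis in link_combofix_deletions(found, SAMPLE_COMBOFIX_DELETIONS).items():
        print(f"{stem}.dll -> config files removed by ComboFix: {', '.join(inis)}")
```

Run it against a full HJT log saved to a file by passing the file's text to scan_hjt(); the reversed-name pairing is the quick way to confirm that an .ini/.ini2 ComboFix deleted belongs to a BHO still registered in the log, which is exactly the state shown above (files removed, CLSIDs still present).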

  5. #5 (Junior Member, Join Date: Mar 2008, Posts: 29)

    <<<<< COMBOFIX LOG CONTINUED >>>>> (followed by HJT log)

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B05BAFD-9A65-4DCB-87D1-58BDD8B65628}]
    C:\WINDOWS\system32\awtqq.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D8810E13-F0A9-4ED5-8299-C29100A6EF4A}]
    C:\WINDOWS\system32\pmnlk.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E438A7F5-82E1-4786-9E44-B064135451AB}]
    C:\WINDOWS\system32\mljjh.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E97B3691-C10E-40CD-9597-81151D366D45}]
    C:\WINDOWS\system32\awtqr.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveSearch"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vturopo]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Calendar Sync.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Calendar Sync.lnk
    backup=C:\WINDOWS\pss\Google Calendar Sync.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk

    [HKLM\~\startupfolder\C:^Documents and Settings^Richard Feldman^Start Menu^Programs^Startup^MailWasherPro.lnk]
    backup=C:\WINDOWS\pss\MailWasherPro.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    --a------ 2005-04-11 10:00 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
    C:\Program Files\Babylon\Babylon-Pro\Babylon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
    --------- 2004-12-02 19:23 102400 C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 01:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
    C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    --a------ 2007-08-14 13:18 1838592 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    --a------ 2007-08-24 07:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
    --a------ 2002-11-22 12:48 348160 C:\WINDOWS\system32\hphmon04.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    --a------ 2004-07-27 16:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    --a------ 2004-07-27 16:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    ---hs---- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MtdAcq]
    --------- 2005-09-14 15:40 229466 C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    --a------ 2001-07-09 02:50 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2007-07-27 16:33 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tinySpell]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue ProcessQuickLink 2]
    --a------ 2007-11-02 17:46 655640 C:\Program Files\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
    C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vsc32cnf.exe]
    --a------ 2000-02-07 04:02 36864 C:\Program Files\Roland\VSC32\vsc32cnf.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vscvol.exe]
    --a------ 2000-02-09 00:19 36864 C:\Program Files\Roland\VSC32\vscvol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    --a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ose"=3 (0x3)
    "Iomega App Services"=2 (0x2)
    "WMPNetworkSvc"=3 (0x3)
    "WinDefend"=2 (0x2)
    "Symantec Core LC"=2 (0x2)
    "MaxBackServiceInt"=2 (0x2)
    "idsvc"=3 (0x3)
    "IDriverT"=3 (0x3)
    "gusvc"=3 (0x3)
    "GoogleDesktopManager"=3 (0x3)
    "odserv"=3 (0x3)
    "Microsoft Office Groove Audit Service"=3 (0x3)
    "LightScribeService"=2 (0x2)
    "Creative Service for CDROM Access"=2 (0x2)
    "Automatic LiveUpdate Scheduler"=2 (0x2)
    "Ati HotKey Poller"=2 (0x2)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3587:TCP"= 3587:TCP:*:Disabled:Windows Peer-to-Peer Grouping
    "3540:UDP"= 3540:UDP:*:Disabled:Peer Name Resolution Protocol (PNRP)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 IABFilt;Iomega Snapshot Volume Filter;C:\WINDOWS\system32\DRIVERS\IABFilt.sys [2005-07-01 10:15]
    R2 RVIEG01;VSC Engine;C:\Program Files\Roland\Virtual Sound Canvas DXi\RVIEg01.sys [2001-04-13 19:16]
    R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 16:06]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
    R3 vsc32;Virtual Sound Canvas 3.2;C:\WINDOWS\system32\DRIVERS\vsc.sys [2001-04-16 10:16]
    S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:00]
    S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:00]
    S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:00]
    S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:00]
    S3 portio;portio;C:\Program Files\Zinf\portio.sys []
    S3 RDID1027;EDIROL PCR;C:\WINDOWS\system32\Drivers\rdwm1027.sys [2003-10-31 03:59]
    S3 XLoader;PLEXTOR EZ-USB FX2 FIRMWARE LOADER (XLoader.sys);C:\WINDOWS\system32\Drivers\XLoader.sys [2004-01-21 20:55]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-03-31 12:59:07 C:\WINDOWS\Tasks\HP Update.job"
    - C:\PROGRA~1\Hp\HPSOFT~1\HPWUCli.exe
    "2008-04-01 08:54:06 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-01 08:55:37
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Iomega Activity Disk2]
    "ImagePath"="\"\""
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\msdtc.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\WINDOWS\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2008-04-01 9:05:13 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-04-01 16:05:05
    Pre-Run: 22,078,111,744 bytes free
    Post-Run: 21,942,677,504 bytes free
    .
    2008-03-14 15:10:55 --- E O F ---

    ----------------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:19:41 AM, on 4/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {0B05BAFD-9A65-4DCB-87D1-58BDD8B65628} - C:\WINDOWS\system32\awtqq.dll (file missing)
    O2 - BHO: (no name) - {D8810E13-F0A9-4ED5-8299-C29100A6EF4A} - C:\WINDOWS\system32\pmnlk.dll (file missing)
    O2 - BHO: (no name) - {E438A7F5-82E1-4786-9E44-B064135451AB} - C:\WINDOWS\system32\mljjh.dll (file missing)
    O2 - BHO: (no name) - {E97B3691-C10E-40CD-9597-81151D366D45} - C:\WINDOWS\system32\awtqr.dll (file missing)
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Cu...ataManager.CAB
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187565712125
    O16 - DPF: {7DD82D6B-3553-470B-8D1E-D5C7086478A7} (QBMASSyncCom2_2005.UserControl1) - https://merchantaccount.quickbooks.c...cCom2_2005.cab
    O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
    O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/...dsolutions.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {F21AC8A4-4322-11D6-8EBE-0001023D1A2A} (IntuitRecurPayCom.UserControl1) - https://merchantaccount.quickbooks.c...ecurPayCom.cab
    O16 - DPF: {F8A9F96F-8375-4596-BD89-EEAE2781D810} (QBMASSyncCom1.UserControl1) - https://merchantaccount.quickbooks.c...ASSyncCom1.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - Winlogon Notify: vturopo - C:\WINDOWS\
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
    O24 - Desktop Component 0: (no name) - http://images.metacafe.com/image215_...nny_cats_2.jpg

    --
    End of file - 4984 bytes

  6. #6
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hello,

    You're doing great.

    Do you have any software on your system related to an Auction??

    Open Notepad (this will only work in Notepad) and copy all the text inside the Code box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad; make sure there is no space before or above File::

    Code:
    File::
    C:\WINDOWS\system32\awtqq.dll
    C:\WINDOWS\system32\pmnlk.dll
    C:\WINDOWS\system32\mljjh.dll
    C:\WINDOWS\system32\awtqr.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B05BAFD-9A65-4DCB-87D1-58BDD8B65628}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D8810E13-F0A9-4ED5-8299-C29100A6EF4A}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E438A7F5-82E1-4786-9E44-B064135451AB}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E97B3691-C10E-40CD-9597-81151D366D45}]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vturopo]
    Save this as CFScript to your desktop.

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  7. #7
    Junior Member
    Join Date
    Mar 2008
    Posts
    29

    Default

    Ken,
    ComboFix hangs. It reads:
    ------------------------------------------
    Scanning for infected files . . .
    This typically doesn't take more than 10 minutes
    However, scan times for badly infected machines may easily double

    ComboFix has changed your clock settings.
    Do not change it back. It shall be restored later


    Completed Stage_1
    Completed Stage_2
    ----------------------------------------
    (cursor still blinking where the next entry would start)

    Carefully saved the script as directed in Notepad as "CFScipt" (not as "CFScript.txt"), then dragged and dropped it on ComboFix; it started and got as far as you see above. I may not have gotten Kaspersky paused in time, if that could cause this.
    Please advise. I have not closed the CF window at this point.
    Thanks,
    Rich

  8. #8
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Close down both ComboFix and Kaspersky and do it this way; those files are most likely gone, it was just a double check to make sure.

    Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

    O2 - BHO: (no name) - {0B05BAFD-9A65-4DCB-87D1-58BDD8B65628} - C:\WINDOWS\system32\awtqq.dll (file missing)
    O2 - BHO: (no name) - {D8810E13-F0A9-4ED5-8299-C29100A6EF4A} - C:\WINDOWS\system32\pmnlk.dll (file missing)
    O2 - BHO: (no name) - {E438A7F5-82E1-4786-9E44-B064135451AB} - C:\WINDOWS\system32\mljjh.dll (file missing)
    O2 - BHO: (no name) - {E97B3691-C10E-40CD-9597-81151D366D45} - C:\WINDOWS\system32\awtqr.dll (file missing)

    O20 - Winlogon Notify: vturopo - C:\WINDOWS\

    Please download OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\system32\awtqq.dll
      C:\WINDOWS\system32\pmnlk.dll
      C:\WINDOWS\system32\mljjh.dll
      C:\WINDOWS\system32\awtqr.dll
    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
    • Close OTMoveIt
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Post the OTMoveIt log and a New HJT log please
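    A worked example, added here and not part of the thread, HijackThis or ComboFix: the two triage rules Ken applies by eye in posts #6 and #8 (an O2 BHO reported "(file missing)" is an orphaned CLSID registration with no DLL behind it; an O20 Winlogon Notify package pointing at a directory instead of a .dll is a dead notify hook) written as a small Python script that scans HJT log lines and emits the File:: / Registry:: sections in the CFScript layout posted in #6. The sample log is constructed from the thread's own O2/O20 lines plus one invented, benign BHO (its CLSID and path are made up) to show a present DLL is left alone; the registry keys are written out in full rather than with the `~` abbreviation ComboFix uses in its logs.

```python
"""Triage a HijackThis log for Vundo/Virtumonde leftovers and draft a CFScript.

Added example for this thread, not code from the thread, HijackThis or
ComboFix. Rule 1: an O2 BHO whose DLL is '(file missing)' is an orphaned
CLSID registration. Rule 2: an O20 Winlogon Notify package whose target is
not a .dll is a dead or hijacked notify hook. Both are rendered in the
File:: / Registry:: layout of the CFScript posted in the thread.
"""
import re

# Constructed sample: two O2 lines and the O20 line from the thread's HJT
# log, one made-up benign O2 line (CLSID and path invented), and one
# unrelated O23 line to show non-matching lines are ignored.
SAMPLE_LOG = "\n".join([
    "O2 - BHO: (no name) - {0B05BAFD-9A65-4DCB-87D1-58BDD8B65628} - C:\\WINDOWS\\system32\\awtqq.dll (file missing)",
    "O2 - BHO: (no name) - {D8810E13-F0A9-4ED5-8299-C29100A6EF4A} - C:\\WINDOWS\\system32\\pmnlk.dll (file missing)",
    "O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll",
    "O20 - Winlogon Notify: vturopo - C:\\WINDOWS\\",
    "O23 - Service: Pml Driver HPH11 - HP - C:\\WINDOWS\\system32\\HPHipm11.exe",
])

# Full registry paths behind the '~' shorthand ComboFix prints in its logs.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


def orphaned_notify(path):
    """A Winlogon Notify package must name a DLL; a directory or blank is dead."""
    return not path.strip().lower().endswith(".dll")


def find_orphans(log_text):
    """Return {'bho': [(clsid, path), ...], 'notify': [name, ...]} from HJT lines."""
    findings = {"bho": [], "notify": []}
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            # Only BHOs whose DLL HJT could not find are flagged.
            if m.group("missing"):
                findings["bho"].append((m.group("clsid"), m.group("path")))
            continue
        m = O20_RE.match(line)
        if m and orphaned_notify(m.group("path")):
            findings["notify"].append(m.group("name"))
    return findings


def build_cfscript(findings):
    """Render findings in the File:: / Registry:: layout ComboFix reads.

    File:: lists file paths to delete; a '[-key]' line under Registry::
    deletes that key, exactly as in the script the helper posted.
    """
    out = ["File::"]
    out += [path for _clsid, path in findings["bho"]]
    out += ["", "Registry::"]
    for clsid, _path in findings["bho"]:
        out += [f"[-{BHO_KEY}\\{clsid}]", ""]
    for name in findings["notify"]:
        out += [f"[-{NOTIFY_KEY}\\{name}]", ""]
    return "\n".join(out).rstrip("\n") + "\n"


if __name__ == "__main__":
    print(build_cfscript(find_orphans(SAMPLE_LOG)), end="")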

  9. #9
    Junior Member
    Join Date
    Mar 2008
    Posts
    29

    Default

    File/Folder C:\WINDOWS\system32\awtqq.dll not found.
    File/Folder C:\WINDOWS\system32\pmnlk.dll not found.
    File/Folder C:\WINDOWS\system32\mljjh.dll not found.
    File/Folder C:\WINDOWS\system32\awtqr.dll not found.

    OTMoveIt2 by OldTimer - Version 1.0.21 log created on 04012008_150926

    ----------------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:12, on 2008-04-01
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\ComboFix\nircmd.cfexe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Cu...ataManager.CAB
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187565712125
    O16 - DPF: {7DD82D6B-3553-470B-8D1E-D5C7086478A7} (QBMASSyncCom2_2005.UserControl1) - https://merchantaccount.quickbooks.c...cCom2_2005.cab
    O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
    O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/...dsolutions.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {F21AC8A4-4322-11D6-8EBE-0001023D1A2A} (IntuitRecurPayCom.UserControl1) - https://merchantaccount.quickbooks.c...ecurPayCom.cab
    O16 - DPF: {F8A9F96F-8375-4596-BD89-EEAE2781D810} (QBMASSyncCom1.UserControl1) - https://merchantaccount.quickbooks.c...ASSyncCom1.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
    O24 - Desktop Component 0: (no name) - http://images.metacafe.com/image215_...nny_cats_2.jpg

    --
    End of file - 4271 bytes

  10. #10
    Junior Member
    Join Date
    Mar 2008
    Posts
    29

    Default

    Word wrap is now off again. Sorry.
