
Thread: Virtumonde Strikes Back

  1. #1
    Junior Member
    Join Date
    Jun 2008
    Posts
    19

    Virtumonde Strikes Back

    Well, here is the story thus far... After Virtumonde had attacked my system until it was too far gone, I decided to reformat. Yet after I finally had my setup dialed in... BLAM, Virtumonde was back to its same old nasties.

    This time it made its way around Kaspersky, as I have given up on Norton. Next, Kaspersky and Spybot tried to stop Virtumonde, to futile ends.

    Around this time I had to restore my system due to a poor application installation.

    Next I tried updating Kaspersky and let it have another go at eliminating the virus. It reported to have gotten the virus, yet the browser was still acting weird and Kaspersky reported that explorer.exe had been changed. (?)

    After the restore Spybot was no longer installed, so rather than reinstall it immediately I downloaded HJT and ran the Kaspersky Online Scanner (while my browser was still functioning).

    Both the Online scanner and the trial version of Kaspersky Internet Security found no threats.
    Next I made a HJT log.
    Then I installed Spybot and it found this...

    Virtumonde
    1
    (SBI $42352499) User settings
    HKEY_USERS\S-1-5-21-507921405-57989841-725345543-1003\Software\Microsoft\rdfa
    2
    (SBI $47E741CD) Settings
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws

    Virtumonde.dll
    1
    (SBI $7C99AA97) Library
    File: C:\WINDOWS\system32\cbYPlaYr.dll
    2
    (SBI $B1464014) Browser helper object
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersio9n\Explorer\Browser Helper Object\{642D4273-6066-428F-85D2-A17CA5DAE356}
    3
    (SBI $B1464014) Class ID
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{642D4273-6066-428F-85D2-A17CA5DAE356}


    Strangely, immediately after running the Spybot search I ran another Kaspersky scan and got positive virus results (unfortunately I couldn't get my browser to work again for the online scan). The Kaspersky scan found this...

    detected: Trojan program Trojan.Win32.Monder.zq

    File: C:\WINDOWS\system32\aysabacu.dll
    File: C:\WINDOWS\system32\onamxjjq.dll
    File: C:\Sysetem Volume Information\_restore{1a4b95e1-45f6-4231-ab92-0c9c641bb653}\RP57\A0085170.dll
    File: C:\Sysetem Volume Information\_restore{1a4b95e1-45f6-4231-ab92-0c9c641bb653}\RP57\A0086620.dll
    File: C:\Sysetem Volume Information\_restore{1a4b95e1-45f6-4231-ab92-0c9c641bb653}\RP57\A0087441.dll
    File: C:\Sysetem Volume Information\_restore{1a4b95e1-45f6-4231-ab92-0c9c641bb653}\RP57\A0087444.dll
    File: C:\Sysetem Volume Information\_restore{1a4b95e1-45f6-4231-ab92-0c9c641bb653}\RP57\A0088601.dll
    File: C:\Documents and Settings\Dragonflower\Local Settings\Temporary Internet Files\Content.IE5\03YVIL2X\KB456456[1]


    Oddly, neither Spybot's 5 infected discoveries nor Kaspersky's 8 infected discoveries had any files in common. (?)


    So I decided to run HJT again, just to be sure. Here is the second HJT log followed by the first.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:47:17 PM, on 6/24/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\frxhser.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
    C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\WINDOWS\system32\desk95.exe
    C:\WINDOWS\system32\viewport.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {642D4273-6066-428F-85D2-A17CA5DAE356} - C:\WINDOWS\system32\cbXPIaYr.dll
    O2 - BHO: (no name) - {6B82B972-AE36-404D-9A7C-C437DD287D17} - C:\WINDOWS\system32\jkkIXnlI.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {BE7E4CE1-8CBA-44A6-956F-462A667D3286} - C:\WINDOWS\system32\urqPhiIY.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [frxmxins] frxmxins
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe
    O4 - HKLM\..\Run: [HydraVisionViewport] viewport.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [a05ed09b] rundll32.exe "C:\WINDOWS\system32\aysabacu.dll",b
    O4 - HKLM\..\Run: [BMa36de307] Rundll32.exe "C:\WINDOWS\system32\nerilaky.dll",s
    O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1213935383911
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O20 - Winlogon Notify: urqPhiIY - C:\WINDOWS\SYSTEM32\urqPhiIY.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FGLRXUTIL (FGLRXUtil) - ATI Technologies, Inc. - C:\WINDOWS\system32\frxhser.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

    --
    End of file - 9095 bytes


    Here is the first HJT log...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:29:54 PM, on 6/24/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\frxhser.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
    C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\WINDOWS\system32\desk95.exe
    C:\WINDOWS\system32\viewport.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {642D4273-6066-428F-85D2-A17CA5DAE356} - C:\WINDOWS\system32\cbXPIaYr.dll
    O2 - BHO: (no name) - {6B82B972-AE36-404D-9A7C-C437DD287D17} - C:\WINDOWS\system32\jkkIXnlI.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {BE7E4CE1-8CBA-44A6-956F-462A667D3286} - C:\WINDOWS\system32\urqPhiIY.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [frxmxins] frxmxins
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe
    O4 - HKLM\..\Run: [HydraVisionViewport] viewport.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [a05ed09b] rundll32.exe "C:\WINDOWS\system32\aysabacu.dll",b
    O4 - HKLM\..\Run: [BMa36de307] Rundll32.exe "C:\WINDOWS\system32\nerilaky.dll",s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1213935383911
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O20 - Winlogon Notify: urqPhiIY - C:\WINDOWS\SYSTEM32\urqPhiIY.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FGLRXUTIL (FGLRXUtil) - ATI Technologies, Inc. - C:\WINDOWS\system32\frxhser.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

    --
    End of file - 8564 bytes


    The 2 logs are apparently different, as they have a differing number of bytes posted at the end of the logs. Perhaps this is due to the belated Spybot installation. (?)

    Please help me if you can.

    P.S. I had a botched-up posting process for my previous infection before reformatting. I apologise for my earlier forum inadequacies, which you may find at this link here: http://forums.spybot.info/showthread.php?=29292

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hello Bluefoot

    Welcome to Safer Networking.

    Please read Before You Post
    That said, all advice given by anyone volunteering here is taken at your own risk.
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


    Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

    O2 - BHO: (no name) - {642D4273-6066-428F-85D2-A17CA5DAE356} - C:\WINDOWS\system32\cbXPIaYr.dll
    O2 - BHO: (no name) - {6B82B972-AE36-404D-9A7C-C437DD287D17} - C:\WINDOWS\system32\jkkIXnlI.dll (file missing)
    O2 - BHO: (no name) - {BE7E4CE1-8CBA-44A6-956F-462A667D3286} - C:\WINDOWS\system32\urqPhiIY.dll

    O4 - HKLM\..\Run: [a05ed09b] rundll32.exe "C:\WINDOWS\system32\aysabacu.dll",b
    O4 - HKLM\..\Run: [BMa36de307] Rundll32.exe "C:\WINDOWS\system32\nerilaky.dll",s

    O20 - Winlogon Notify: urqPhiIY - C:\WINDOWS\SYSTEM32\urqPhiIY.dll

    Please download Malwarebytes' Anti-Malware from Here or Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected. <-- Don't forget this
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and Paste the entire report in your next reply along with a Hijackthis log.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
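As an added example (not code from this thread, nor from the HijackThis, Spybot or Malwarebytes projects), the Python below applies the reasoning behind Ken's Fix Checked list to HijackThis log lines: unnamed O2 BHOs loading a DLL from system32, O4 Run values that start a system32 DLL through rundll32, and an O20 Winlogon Notify hook whose DLL also shows up as a BHO. The sample log is a constructed subset of the entries posted above with a few benign lines mixed in; the heuristics, severities and function names are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis entries quoted in this thread,
# plus benign lines so the heuristics have something to leave alone.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {642D4273-6066-428F-85D2-A17CA5DAE356} - C:\WINDOWS\system32\cbXPIaYr.dll
O2 - BHO: (no name) - {6B82B972-AE36-404D-9A7C-C437DD287D17} - C:\WINDOWS\system32\jkkIXnlI.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {BE7E4CE1-8CBA-44A6-956F-462A667D3286} - C:\WINDOWS\system32\urqPhiIY.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [a05ed09b] rundll32.exe "C:\WINDOWS\system32\aysabacu.dll",b
O4 - HKLM\..\Run: [BMa36de307] Rundll32.exe "C:\WINDOWS\system32\nerilaky.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: urqPhiIY - C:\WINDOWS\SYSTEM32\urqPhiIY.dll
"""

# Line shapes as HijackThis 2.0.x prints them (only the three sections we judge).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
SYSTEM32_DLL = re.compile(r"^[A-Z]:\\WINDOWS\\SYSTEM32\\([^\\ ]+\.dll)", re.IGNORECASE)
RUNDLL32 = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section prefix (O2, O4, O20)
    severity: str  # "high" (tick it) or "review" (look closer first)
    dll: str       # lower-cased DLL file name, used for cross-referencing
    reason: str
    line: str      # the exact log line a helper would list under Fix Checked


def system32_dll(path: str):
    """Return the lower-cased DLL name if the path points into system32, else None."""
    m = SYSTEM32_DLL.match(path.strip())
    return m.group(1).lower() if m else None


def triage(log_text: str):
    """Two passes: parse the entries, then correlate DLL names across sections."""
    findings = []
    bho_dlls = set()      # DLLs registered as unnamed BHOs
    notify_entries = []   # O20 Winlogon Notify lines, judged after the BHO pass

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := O2_RE.match(line):
            dll = system32_dll(m.group("path"))
            if m.group("name") == "(no name)" and dll:
                bho_dlls.add(dll)
                reason = "unnamed BHO loading a DLL from system32"
                if "(file missing)" in m.group("path"):
                    reason += "; file already gone, the registration is orphaned"
                findings.append(Finding("O2", "high", dll, reason, line))
        elif m := O4_RE.match(line):
            r = RUNDLL32.match(m.group("cmd"))
            dll = system32_dll(r.group(1)) if r else None
            if dll:
                reason = f"{m.group('key')} value [{m.group('value')}] starts a system32 DLL via rundll32"
                findings.append(Finding("O4", "high", dll, reason, line))
        elif m := O20_RE.match(line):
            dll = system32_dll(m.group("path"))
            if dll:
                notify_entries.append((dll, line))

    # A Winlogon Notify DLL that is also an unnamed BHO is the same component
    # hooking two autostart points; on its own it only earns a closer look.
    for dll, line in notify_entries:
        if dll in bho_dlls:
            findings.append(Finding("O20", "high", dll,
                "Winlogon Notify hook using the same DLL as an unnamed BHO", line))
        else:
            findings.append(Finding("O20", "review", dll,
                "Winlogon Notify hook from system32; check the DLL's publisher", line))
    return findings


def fix_checked_lines(findings):
    """The exact lines to tick in HijackThis (high-confidence findings only), de-duplicated."""
    return sorted({f.line for f in findings if f.severity == "high"})


if __name__ == "__main__":
    results = triage(SAMPLE_HJT_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section:3} {f.dll:14} {f.reason}")
    print("\nFix Checked:")
    for line in fix_checked_lines(results):
        print(" ", line)
```

Run against the full logs above, the script leaves the Kaspersky, Spybot and Java entries alone and returns exactly the six lines in the Fix Checked list.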

  3. #3
    Junior Member
    Join Date
    Jun 2008
    Posts
    19

    Done and Done

    Hi Ken
    Thanks for the instructions

    Here is the Malwarebytes log followed by the newest HJT log:

    Malwarebytes' Anti-Malware 1.18
    Database version: 894

    8:59:26 PM 6/26/2008
    mbam-log-6-26-2008 (20-59-26).txt

    Scan type: Quick Scan
    Objects scanned: 42633
    Time elapsed: 4 minute(s), 58 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 4
    Registry Keys Infected: 10
    Registry Values Infected: 1
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 14

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\aysabacu.dll (Trojan.Vundo) -> Unloaded module successfully.
    C:\WINDOWS\system32\cbXPIaYr.dll (Trojan.Vundo) -> Unloaded module successfully.
    C:\WINDOWS\system32\ynehmprg.dll (Trojan.Vundo) -> Unloaded module successfully.
    C:\WINDOWS\system32\urqPhiIY.dll (Trojan.FakeAlert) -> Unloaded module successfully.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d8d6863-a626-44aa-8c18-47edc3d7c112} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{2d8d6863-a626-44aa-8c18-47edc3d7c112} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{be7e4ce1-8cba-44a6-956f-462a667d3286} (Trojan.FakeAlert) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{be7e4ce1-8cba-44a6-956f-462a667d3286} (Trojan.FakeAlert) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqphiiy (Trojan.FakeAlert) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{be7e4ce1-8cba-44a6-956f-462a667d3286} (Trojan.FakeAlert) -> Delete on reboot.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxpiayr -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxpiayr -> Delete on reboot.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\aysabacu.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\ucabasya.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\cbXPIaYr.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\rYaIPXbc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\rYaIPXbc.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\onamxjjq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\qjjxmano.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ynehmprg.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\grpmheny.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\urqPhiIY.dll (Trojan.FakeAlert) -> Delete on reboot.
    C:\WINDOWS\system32\geBqOiFw.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nnnllJaY.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Dragonflower\Local Settings\Temporary Internet Files\Content.IE5\6DQVY1EN\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:03:35 PM, on 6/26/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\frxhser.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
    C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\WINDOWS\system32\desk95.exe
    C:\WINDOWS\system32\viewport.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [frxmxins] frxmxins
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe
    O4 - HKLM\..\Run: [HydraVisionViewport] viewport.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1213935383911
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FGLRXUTIL (FGLRXUtil) - ATI Technologies, Inc. - C:\WINDOWS\system32\frxhser.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

    --
    End of file - 8810 bytes


    Am I clear?

  4. #4
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Good Morning,

    You had quite a bit of nasty stuff on this system; your HJT log is clean, but let's make sure we got it all.


    Please download ATF Cleaner by Atribune to your desktop.
    • This program is for XP and Windows 2000 only
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot-up.



    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  5. #5
    Junior Member
    Join Date
    Jun 2008
    Posts
    19

    Thumbs up Combofix & HJT logs

    And good morning to you!

    Here are the requested logs:

    ComboFix 08-06-20.4 - Dragonflower 2008-06-27 8:38:07.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.623 [GMT -7:00]
    Running from: C:\Documents and Settings\Dragonflower\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\BMa36de307.xml
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\AJTwHRqr.ini2
    C:\WINDOWS\system32\cbXPIaYr.dll
    C:\WINDOWS\system32\ewmkouea.ini
    C:\WINDOWS\system32\IlnXIkkj.ini
    C:\WINDOWS\system32\IlnXIkkj.ini2
    C:\WINDOWS\system32\lvrbkruk.ini
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\pdfblsbe.ini
    C:\WINDOWS\system32\pjtpugvp.ini
    C:\WINDOWS\system32\rYaIPXbc.ini
    C:\WINDOWS\system32\rYaIPXbc.ini2
    C:\WINDOWS\system32\urqPhiIY.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-05-27 to 2008-06-27 )))))))))))))))))))))))))))))))
    .

    2008-06-26 19:35 . 2008-06-26 19:35 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-26 19:35 . 2008-06-26 19:35 <DIR> d-------- C:\Documents and Settings\Dragonflower\Application Data\Malwarebytes
    2008-06-26 19:35 . 2008-06-26 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-26 19:35 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-26 19:35 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-26 15:48 . 2008-06-26 21:20 106,496 --a------ C:\WINDOWS\system32\chosmxpc.dll
    2008-06-26 15:47 . 2008-06-26 21:16 91,648 --a------ C:\WINDOWS\system32\coqvkkpf.dll
    2008-06-26 15:47 . 2008-06-26 20:59 80,896 --------- C:\WINDOWS\system32\ynehmprg.dll
    2008-06-26 15:47 . 2008-06-26 15:47 48 --a------ C:\WINDOWS\wininit.ini
    2008-06-26 15:31 . 2008-06-26 15:38 104,535 --------- C:\WINDOWS\hpoins04.dat
    2008-06-26 15:31 . 2004-06-21 03:14 17,176 --------- C:\WINDOWS\hpomdl04.dat
    2008-06-25 23:31 . 2008-06-25 23:31 91,136 --a------ C:\WINDOWS\system32\paqmaief.dll
    2008-06-25 20:24 . 2008-06-26 15:38 104,535 --------- C:\WINDOWS\hpoins04.dat.temp
    2008-06-25 20:24 . 2004-06-21 03:14 17,176 --------- C:\WINDOWS\hpomdl04.dat.temp
    2008-06-25 00:26 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2008-06-25 00:26 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
    2008-06-24 13:29 . 2008-06-24 13:29 <DIR> d-------- C:\Program Files\Trend Micro
    2008-06-24 08:51 . 2008-06-24 08:51 <DIR> d-------- C:\WINDOWS\Sun
    2008-06-23 23:53 . 2004-08-03 18:07 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2008-06-23 23:47 . 2008-06-26 20:59 81,408 --------- C:\WINDOWS\system32\aysabacu.dll
    2008-06-23 23:24 . 2008-06-23 23:24 91,136 --a------ C:\WINDOWS\system32\nerilaky.dll
    2008-06-23 21:31 . 2008-06-23 21:31 1,727,736 --ahs---- C:\WINDOWS\system32\ivjcfwjm.tmp
    2008-06-23 17:14 . 2008-06-24 13:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-06-23 17:14 . 2008-06-26 15:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-23 15:58 . 2008-06-23 15:58 <DIR> d-------- C:\Program Files\Common Files\HP
    2008-06-23 15:39 . 2008-06-23 15:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
    2008-06-23 15:27 . 2008-06-23 15:27 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
    2008-06-23 15:14 . 2008-06-23 22:59 <DIR> d-------- C:\WINDOWS\system32\URTTemp
    2008-06-23 13:11 . 2008-06-23 23:00 <DIR> d-------- C:\Program Files\HP
    2008-06-22 22:00 . 2008-06-22 22:00 <DIR> d-------- C:\Documents and Settings\Dragonflower\Application Data\Ahead
    2008-06-22 21:53 . 2008-06-22 21:53 <DIR> d-------- C:\Program Files\Nero
    2008-06-22 21:53 . 2008-06-25 16:38 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2008-06-22 10:00 . 2008-06-22 10:00 <DIR> d-------- C:\Documents and Settings\Dragonflower\Application Data\Apple Computer
    2008-06-22 09:59 . 2008-06-23 23:01 <DIR> d-------- C:\Program Files\iTunes
    2008-06-22 09:59 . 2008-06-22 09:59 <DIR> d-------- C:\Program Files\iPod
    2008-06-22 09:58 . 2008-06-22 09:58 <DIR> d-------- C:\Program Files\Bonjour
    2008-06-22 09:55 . 2008-06-22 09:57 <DIR> d-------- C:\Program Files\QuickTime
    2008-06-22 09:55 . 2008-06-22 09:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-06-22 09:54 . 2008-06-22 09:54 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2008-06-22 09:54 . 2008-06-22 09:54 <DIR> d-------- C:\Program Files\Apple Software Update
    2008-06-22 09:52 . 2008-06-22 09:52 <DIR> d-------- C:\Program Files\Common Files\Apple
    2008-06-22 09:52 . 2008-06-22 09:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2008-06-22 09:43 . 2008-06-26 17:38 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
    2008-06-22 09:43 . 2008-06-22 09:43 <DIR> d-------- C:\Documents and Settings\Dragonflower\Application Data\Thunderbird
    2008-06-21 21:54 . 2008-06-21 21:54 376 --a------ C:\WINDOWS\ODBC.INI
    2008-06-21 21:48 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
    2008-06-21 21:39 . 2008-06-21 21:39 <DIR> d-------- C:\Program Files\Microsoft.NET
    2008-06-21 21:39 . 2008-06-21 21:39 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
    2008-06-20 22:29 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-06-20 22:26 . 2008-06-20 22:29 <DIR> d-------- C:\Program Files\Java
    2008-06-20 22:25 . 2008-06-20 22:25 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-06-20 20:26 . 2008-06-20 20:26 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
    2008-06-20 20:25 . 2003-12-04 11:19 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
    2008-06-20 20:25 . 2003-12-04 11:19 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
    2008-06-20 20:25 . 2003-12-04 11:19 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
    2008-06-20 17:46 . 2008-04-22 21:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
    2008-06-20 17:46 . 2008-04-22 21:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
    2008-06-20 17:46 . 2008-04-22 21:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2008-06-20 17:46 . 2008-04-22 21:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
    2008-06-20 17:46 . 2008-04-22 21:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
    2008-06-20 17:46 . 2008-04-22 21:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2008-06-20 17:46 . 2008-04-22 00:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
    2008-06-20 09:47 . 2004-08-16 17:40 16,384 --a------ C:\WINDOWS\system32\FileOps.exe
    2008-06-20 09:22 . 2008-06-20 09:22 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
    2008-06-19 23:18 . 2008-06-19 23:18 <DIR> d-------- C:\Program Files\Stardock
    2008-06-19 23:18 . 2008-06-19 23:18 <DIR> d-------- C:\Program Files\Common Files\Stardock
    2008-06-19 23:15 . 2008-06-19 23:22 32,256 --a------ C:\Documents and Settings\Dragonflower\winmsd.exe
    2008-06-19 22:48 . 2008-06-19 22:48 <DIR> d-------- C:\Program Files\Analog Devices
    2008-06-19 22:48 . 2001-09-11 18:20 1,285,632 --a------ C:\WINDOWS\system32\SMMedia.dll
    2008-06-19 22:40 . 2008-06-20 13:38 <DIR> d-------- C:\Program Files\Common Files\InstallShield
    2008-06-19 22:22 . 2008-06-19 22:22 <DIR> d-------- C:\Program Files\MediaMonkey
    2008-06-19 22:16 . 2008-06-19 22:16 <DIR> d-------- C:\WINDOWS\system32\WTablet
    2008-06-19 22:16 . 2004-07-14 09:57 2,760,704 --a------ C:\WINDOWS\system32\WacomTablet.cpl
    2008-06-19 22:16 . 2004-07-13 14:51 679,936 --a------ C:\WINDOWS\system32\Tablet.exe
    2008-06-19 22:16 . 2004-07-13 14:50 102,400 --a------ C:\WINDOWS\system32\Wintab32.dll
    2008-06-19 22:16 . 2004-07-13 14:40 44,544 --a------ C:\WINDOWS\system32\TabHook.dll
    2008-06-19 22:16 . 1999-05-07 09:12 15,744 --a------ C:\WINDOWS\system32\Wintab.dll
    2008-06-19 22:16 . 2001-04-09 13:45 8,138 --------- C:\WINDOWS\system32\drivers\PenClass.sys
    2008-06-19 22:04 . 2008-06-19 22:07 <DIR> d-------- C:\Program Files\Azureus
    2008-06-19 21:49 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-19 21:49 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-19 21:45 . 2008-06-19 21:45 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
    2008-06-19 21:45 . 2008-06-19 21:45 <DIR> d-------- C:\Program Files\Adobe Media Player
    2008-06-19 21:21 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2008-06-19 21:18 . 2008-06-19 21:18 <DIR> d-------- C:\kav
    2008-06-19 21:16 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
    2008-06-19 21:09 . 2007-05-14 22:03 445,696 -ra------ C:\WINDOWS\system32\drivers\rt73.sys
    2008-06-19 21:08 . 2008-06-19 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
    2008-06-19 20:45 . 2004-08-03 23:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
    2008-06-19 20:45 . 2004-08-03 23:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
    2008-06-17 17:00 . 2008-06-20 20:25 <DIR> d-------- C:\Program Files\Common Files\Macromedia
    2008-06-17 16:58 . 2008-06-20 20:25 <DIR> d-------- C:\Program Files\Macromedia
    2008-06-17 16:46 . 2008-06-21 21:39 <DIR> d-------- C:\WINDOWS\SHELLNEW
    2008-06-17 16:44 . 2008-06-17 16:44 <DIR> dr-h----- C:\MSOCache
    2008-06-17 15:59 . 2008-06-19 20:36 <DIR> d-------- C:\Program Files\Analog Devices(2)
    2008-06-17 15:12 . 2008-06-26 17:29 <DIR> d-------- C:\Documents and Settings\Dragonflower\Application Data\U3
    2008-06-17 09:04 . 2008-06-21 15:40 <DIR> d-------- C:\WINDOWS\system32\images
    2008-06-17 09:03 . 2008-06-17 09:03 <DIR> d-------- C:\Program Files\ATI FGL
    2008-06-17 08:59 . 2008-06-17 08:59 <DIR> d-------- C:\Program Files\Intel
    2008-06-17 08:11 . 2008-06-17 13:05 <DIR> d-------- C:\swsetup
    2008-06-17 08:11 . 2008-06-17 08:11 <DIR> d-------- C:\Compaq
    2008-06-16 23:56 . 2008-06-16 23:56 0 --a------ C:\t1jc.l0
    2008-06-16 23:56 . 2008-06-16 23:56 0 --a------ C:\t1jc.ko
    2008-06-16 21:50 . 2008-06-16 21:50 0 --a------ C:\t2b0.ja
    2008-06-16 21:50 . 2008-06-16 21:50 0 --a------ C:\t2b0.j0
    2008-06-16 21:50 . 2008-06-16 21:50 0 --a------ C:\t2b0.ip
    2008-06-16 21:46 . 2008-06-20 22:28 <DIR> d-------- C:\WINDOWS\system32\Adobe
    2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.n0
    2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.mp
    2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.me
    2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.mc
    2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.lv
    2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.lt
    2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.l0
    2008-06-16 21:38 . 2008-06-16 21:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
    2008-06-16 21:34 . 2008-06-20 09:55 <DIR> d-------- C:\Program Files\Common Files\Adobe
    2008-06-16 21:30 . 2008-06-20 15:02 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
    2008-06-16 17:34 . 2007-04-17 02:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
    2008-06-16 17:34 . 2007-03-07 22:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
    2008-06-16 17:03 . 2008-06-16 17:03 <DIR> d-------- C:\WINDOWS\system32\scripting
    2008-06-16 17:03 . 2008-06-16 17:03 <DIR> d-------- C:\WINDOWS\l2schemas
    2008-06-16 16:59 . 2008-06-16 16:59 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2008-06-16 16:18 . 2004-08-03 18:07 381,425 -----c--- C:\WINDOWS\system32\dllcache\copycd.wmv
    2008-06-16 16:18 . 2004-08-03 18:07 9,585 -----c--- C:\WINDOWS\system32\dllcache\controls.css
    2008-06-16 16:18 . 2004-08-03 18:07 8,298 -----c--- C:\WINDOWS\system32\dllcache\contents.htm

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-20 04:32 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
    2008-06-15 06:21 --------- d-----w C:\Program Files\microsoft frontpage
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:07 15360]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32 94208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57 143360]
    "DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 12:34 69632]
    "Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 18:58 856064]
    "Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]
    "frxmxins"="frxmxins" []
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
    "HydraVisionDesktopManager"="desk95.exe" [2003-03-21 11:25 507904 C:\WINDOWS\system32\Desk95.exe]
    "HydraVisionViewport"="viewport.exe" [2002-10-30 14:20 503808 C:\WINDOWS\system32\ViewPort.exe]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
    "NWEReboot"="" []
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
    "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]

    C:\Documents and Settings\Dragonflower\Start Menu\Programs\Startup\
    Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2008-06-19 23:18:58 3581680]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-06-20 10:09:58 25214]
    Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
    TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2008-06-19 22:16:43 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\kav\\kis\\setup.exe"=
    "C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

    R2 FGLRXUtil;FGLRXUTIL;C:\WINDOWS\system32\frxhser.exe [2003-05-07 18:46]
    R3 atifglrx;atifglrx;C:\WINDOWS\system32\DRIVERS\fglrxm.sys [2003-05-07 18:46]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10bbdbe9-4203-11dd-8a48-00d041ac5a86}]
    \Shell\AutoRun\command - H:\LaunchU3.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-26 04:02:17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-27 08:44:26
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\Program Files\Stardock\ObjectDock\DockShellHook.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\imapi.exe
    .
    **************************************************************************
    .
    Completion time: 2008-06-27 8:52:26 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-27 15:52:11

    Pre-Run: 19,138,043,904 bytes free
    Post-Run: 19,066,040,320 bytes free

    239 --- E O F --- 2008-06-21 02:01:48



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:22:45 AM, on 6/27/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\frxhser.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
    C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\WINDOWS\system32\desk95.exe
    C:\WINDOWS\system32\viewport.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [frxmxins] frxmxins
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk95.exe
    O4 - HKLM\..\Run: [HydraVisionViewport] viewport.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1213935383911
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FGLRXUTIL (FGLRXUtil) - ATI Technologies, Inc. - C:\WINDOWS\system32\frxhser.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

    --
    End of file - 8551 bytes


    Thanks again
    what's next boss

  6. #6
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    No, I am not the boss, my wife is the boss

    Please download OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\system32\chosmxpc.dll
      C:\WINDOWS\system32\coqvkkpf.dll
      C:\WINDOWS\system32\ynehmprg.dll
      C:\WINDOWS\system32\aysabacu.dll
      C:\WINDOWS\system32\nerilaky.dll
      C:\WINDOWS\system32\ivjcfwjm.tmp
    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
    • Close OTMoveIt
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


    The rest of your log looks fine. How is your system running now?
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  7. #7
    Junior Member
    Join Date
    Jun 2008
    Posts
    19

    Default Crying, Waiting, Hoping

    Hi Ken

    Well the system seems to be working but I'm not really sure

    Kaspersky reported A0089722.dll as being infected between the last postings

    also

    OTMoveIt reported ynehmprg.dll & aysabacu as not being proper files (or some such statement).
    Then upon restart, after posting the following log, OTMoveIt was forced to quit and I "sent error report" to MS.

    Here's the OTMoveIt log:

    LoadLibrary failed for C:\WINDOWS\system32\chosmxpc.dll
    C:\WINDOWS\system32\chosmxpc.dll NOT unregistered.
    File move failed. C:\WINDOWS\system32\chosmxpc.dll scheduled to be moved on reboot.
    LoadLibrary failed for C:\WINDOWS\system32\coqvkkpf.dll
    C:\WINDOWS\system32\coqvkkpf.dll NOT unregistered.
    File move failed. C:\WINDOWS\system32\coqvkkpf.dll scheduled to be moved on reboot.
    LoadLibrary failed for C:\WINDOWS\system32\ynehmprg.dll
    C:\WINDOWS\system32\ynehmprg.dll NOT unregistered.
    C:\WINDOWS\system32\ynehmprg.dll moved successfully.
    LoadLibrary failed for C:\WINDOWS\system32\aysabacu.dll
    C:\WINDOWS\system32\aysabacu.dll NOT unregistered.
    C:\WINDOWS\system32\aysabacu.dll moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\nerilaky.dll
    C:\WINDOWS\system32\nerilaky.dll NOT unregistered.
    C:\WINDOWS\system32\nerilaky.dll moved successfully.
    C:\WINDOWS\system32\ivjcfwjm.tmp moved successfully.

    OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 06272008_124340

    Files moved on Reboot...
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\chosmxpc.dll
    C:\WINDOWS\system32\chosmxpc.dll NOT unregistered.

    It sure is a mean little virus
    ___________________________
    p.s. do you want another HJT log?
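An added example, not code from the thread or from OTMoveIt itself: a small Python parser for the OTMoveIt2 log above that records, per file, whether DllUnregisterServer could be called and whether the move is confirmed, then checks the six paths from post #6 against it. The line formats are taken from the log as posted; the status wording and the choice to skip unrecognised lines are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the OTMoveIt2 log quoted in this post, with its post-reboot section.
SAMPLE_LOG = r"""LoadLibrary failed for C:\WINDOWS\system32\chosmxpc.dll
C:\WINDOWS\system32\chosmxpc.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\chosmxpc.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\system32\coqvkkpf.dll
C:\WINDOWS\system32\coqvkkpf.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\coqvkkpf.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\system32\ynehmprg.dll
C:\WINDOWS\system32\ynehmprg.dll NOT unregistered.
C:\WINDOWS\system32\ynehmprg.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\aysabacu.dll
C:\WINDOWS\system32\aysabacu.dll NOT unregistered.
C:\WINDOWS\system32\aysabacu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\nerilaky.dll
C:\WINDOWS\system32\nerilaky.dll NOT unregistered.
C:\WINDOWS\system32\nerilaky.dll moved successfully.
C:\WINDOWS\system32\ivjcfwjm.tmp moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 06272008_124340

Files moved on Reboot...
DllUnregisterServer procedure not found in C:\WINDOWS\system32\chosmxpc.dll
C:\WINDOWS\system32\chosmxpc.dll NOT unregistered.
"""

SYS32 = r"C:\WINDOWS\system32"
REQUESTED = [SYS32 + "\\" + n for n in (  # the six files the helper asked to have moved (post #6)
    "chosmxpc.dll", "coqvkkpf.dll", "ynehmprg.dll", "aysabacu.dll", "nerilaky.dll", "ivjcfwjm.tmp")]

@dataclass
class Outcome:
    path: str
    unregister_note: Optional[str] = None  # why DllUnregisterServer could not be called
    unregistered: Optional[bool] = None    # None: never attempted (e.g. the .tmp file)
    scheduled: bool = False                # move deferred to the next reboot
    moved: Optional[str] = None            # "immediately", "on reboot", or None

LOAD_FAIL = re.compile(r"^LoadLibrary failed for (?P<path>.+)$")
NO_EXPORT = re.compile(r"^DllUnregisterServer procedure not found in (?P<path>.+)$")
NOT_UNREG = re.compile(r"^(?P<path>.+) NOT unregistered\.$")
SCHEDULED = re.compile(r"^File move failed\. (?P<path>.+) scheduled to be moved on reboot\.$")
MOVED = re.compile(r"^(?P<path>.+) moved successfully\.$")
REBOOT_HEADER = "Files moved on Reboot..."

def parse_otmoveit_log(text: str) -> Dict[str, Outcome]:
    outcomes: Dict[str, Outcome] = {}
    in_reboot_section = False
    def entry(m):  # one Outcome per path; the key is case-insensitive, like NTFS names
        return outcomes.setdefault(m["path"].lower(), Outcome(m["path"]))
    for line in (raw.strip() for raw in text.splitlines()):
        # Blank lines, the tool banner and any unknown line match nothing and are skipped.
        if line == REBOOT_HEADER:
            in_reboot_section = True
        elif m := LOAD_FAIL.match(line):
            entry(m).unregister_note = "LoadLibrary failed"
        elif m := NO_EXPORT.match(line):
            entry(m).unregister_note = "no DllUnregisterServer export"
        elif m := NOT_UNREG.match(line):
            entry(m).unregistered = False
        elif m := SCHEDULED.match(line):
            entry(m).scheduled = True
        elif m := MOVED.match(line):
            entry(m).moved = "on reboot" if in_reboot_section else "immediately"
    return outcomes

def move_status(outcomes: Dict[str, Outcome], requested: List[str]) -> Dict[str, str]:
    """Report, per requested file, only what the log itself confirms."""
    result = {}
    for path in requested:
        o = outcomes.get(path.lower())
        if o and o.moved:
            result[path] = f"moved {o.moved}"
        elif o and o.scheduled:
            result[path] = "scheduled for reboot, move not confirmed"
        else:
            result[path] = "no move recorded"
    return result
```

For the two files deferred to reboot, the posted log records only the post-reboot unregister attempt and no "moved successfully" line, so the parser reports them as scheduled rather than as confirmed moved; that is the kind of gap worth checking before declaring a clean-up complete.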

  8. #8
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    What I would like you to do is to run ComboFix again and post the log.

  9. #9
    Junior Member
    Join Date
    Jun 2008
    Posts
    19

    Thumbs up Combofix log

    Here is

    ComboFix 08-06-20.4 - Dragonflower 2008-06-27 17:38:29.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.586 [GMT -7:00]
    Running from: C:\Documents and Settings\Dragonflower\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\msssc.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-28 )))))))))))))))))))))))))))))))
    .

    2008-06-27 13:47 . 2008-06-27 13:47 <DIR> d-------- C:\WINDOWS\LastGood
    2008-06-27 12:43 . 2008-06-27 12:43 <DIR> d-------- C:\_OTMoveIt
    2008-06-26 19:35 . 2008-06-26 19:35 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-26 19:35 . 2008-06-26 19:35 <DIR> d-------- C:\Documents and Settings\Dragonflower\Application Data\Malwarebytes
    2008-06-26 19:35 . 2008-06-26 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-26 19:35 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-26 19:35 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-26 15:47 . 2008-06-26 15:47 48 --a------ C:\WINDOWS\wininit.ini
    2008-06-26 15:31 . 2008-06-26 15:38 104,535 --------- C:\WINDOWS\hpoins04.dat
    2008-06-26 15:31 . 2004-06-21 03:14 17,176 --------- C:\WINDOWS\hpomdl04.dat
    2008-06-25 23:31 . 2008-06-25 23:31 91,136 --a------ C:\WINDOWS\system32\paqmaief.dll
    2008-06-25 20:24 . 2008-06-26 15:38 104,535 --------- C:\WINDOWS\hpoins04.dat.temp
    2008-06-25 20:24 . 2004-06-21 03:14 17,176 --------- C:\WINDOWS\hpomdl04.dat.temp
    2008-06-25 00:26 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2008-06-25 00:26 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
    2008-06-24 13:29 . 2008-06-24 13:29 <DIR> d-------- C:\Program Files\Trend Micro
    2008-06-24 08:51 . 2008-06-24 08:51 <DIR> d-------- C:\WINDOWS\Sun
    2008-06-23 23:53 . 2004-08-03 18:07 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2008-06-23 17:14 . 2008-06-24 13:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-06-23 17:14 . 2008-06-26 15:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-23 15:58 . 2008-06-23 15:58 <DIR> d-------- C:\Program Files\Common Files\HP
    2008-06-23 15:39 . 2008-06-23 15:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
    2008-06-23 15:27 . 2008-06-23 15:27 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
    2008-06-23 15:14 . 2008-06-23 22:59 <DIR> d-------- C:\WINDOWS\system32\URTTemp
    2008-06-23 13:11 . 2008-06-23 23:00 <DIR> d-------- C:\Program Files\HP
    2008-06-22 22:00 . 2008-06-22 22:00 <DIR> d-------- C:\Documents and Settings\Dragonflower\Application Data\Ahead
    2008-06-22 21:53 . 2008-06-22 21:53 <DIR> d-------- C:\Program Files\Nero
    2008-06-22 21:53 . 2008-06-25 16:38 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2008-06-22 10:00 . 2008-06-22 10:00 <DIR> d-------- C:\Documents and Settings\Dragonflower\Application Data\Apple Computer
    2008-06-22 09:59 . 2008-06-23 23:01 <DIR> d-------- C:\Program Files\iTunes
    2008-06-22 09:59 . 2008-06-22 09:59 <DIR> d-------- C:\Program Files\iPod
    2008-06-22 09:58 . 2008-06-22 09:58 <DIR> d-------- C:\Program Files\Bonjour
    2008-06-22 09:55 . 2008-06-22 09:57 <DIR> d-------- C:\Program Files\QuickTime
    2008-06-22 09:55 . 2008-06-22 09:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-06-22 09:54 . 2008-06-22 09:54 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2008-06-22 09:54 . 2008-06-22 09:54 <DIR> d-------- C:\Program Files\Apple Software Update
    2008-06-22 09:52 . 2008-06-22 09:52 <DIR> d-------- C:\Program Files\Common Files\Apple
    2008-06-22 09:52 . 2008-06-22 09:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2008-06-22 09:43 . 2008-06-26 17:38 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
    2008-06-22 09:43 . 2008-06-22 09:43 <DIR> d-------- C:\Documents and Settings\Dragonflower\Application Data\Thunderbird
    2008-06-21 21:54 . 2008-06-21 21:54 376 --a------ C:\WINDOWS\ODBC.INI
    2008-06-21 21:48 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
    2008-06-21 21:39 . 2008-06-21 21:39 <DIR> d-------- C:\Program Files\Microsoft.NET
    2008-06-21 21:39 . 2008-06-21 21:39 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
    2008-06-20 22:29 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-06-20 22:26 . 2008-06-20 22:29 <DIR> d-------- C:\Program Files\Java
    2008-06-20 22:25 . 2008-06-20 22:25 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-06-20 20:26 . 2008-06-20 20:26 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
    2008-06-20 20:25 . 2003-12-04 11:19 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
    2008-06-20 20:25 . 2003-12-04 11:19 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
    2008-06-20 20:25 . 2003-12-04 11:19 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
    2008-06-20 17:46 . 2008-04-22 21:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
    2008-06-20 17:46 . 2008-04-22 21:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
    2008-06-20 17:46 . 2008-04-22 21:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2008-06-20 17:46 . 2008-04-22 21:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
    2008-06-20 17:46 . 2008-04-22 21:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
    2008-06-20 17:46 . 2008-04-22 21:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2008-06-20 17:46 . 2008-04-22 00:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
    2008-06-20 09:47 . 2004-08-16 17:40 16,384 --a------ C:\WINDOWS\system32\FileOps.exe
    2008-06-20 09:22 . 2008-06-20 09:22 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
    2008-06-19 23:18 . 2008-06-19 23:18 <DIR> d-------- C:\Program Files\Stardock
    2008-06-19 23:18 . 2008-06-19 23:18 <DIR> d-------- C:\Program Files\Common Files\Stardock
    2008-06-19 23:15 . 2008-06-19 23:22 32,256 --a------ C:\Documents and Settings\Dragonflower\winmsd.exe
    2008-06-19 22:48 . 2008-06-19 22:48 <DIR> d-------- C:\Program Files\Analog Devices
    2008-06-19 22:48 . 2001-09-11 18:20 1,285,632 --a------ C:\WINDOWS\system32\SMMedia.dll
    2008-06-19 22:40 . 2008-06-20 13:38 <DIR> d-------- C:\Program Files\Common Files\InstallShield
    2008-06-19 22:22 . 2008-06-19 22:22 <DIR> d-------- C:\Program Files\MediaMonkey
    2008-06-19 22:16 . 2008-06-19 22:16 <DIR> d-------- C:\WINDOWS\system32\WTablet
    2008-06-19 22:16 . 2004-07-14 09:57 2,760,704 --a------ C:\WINDOWS\system32\WacomTablet.cpl
    2008-06-19 22:16 . 2004-07-13 14:51 679,936 --a------ C:\WINDOWS\system32\Tablet.exe
    2008-06-19 22:16 . 2004-07-13 14:50 102,400 --a------ C:\WINDOWS\system32\Wintab32.dll
    2008-06-19 22:16 . 2004-07-13 14:40 44,544 --a------ C:\WINDOWS\system32\TabHook.dll
    2008-06-19 22:16 . 1999-05-07 09:12 15,744 --a------ C:\WINDOWS\system32\Wintab.dll
    2008-06-19 22:16 . 2001-04-09 13:45 8,138 --------- C:\WINDOWS\system32\drivers\PenClass.sys
    2008-06-19 22:04 . 2008-06-19 22:07 <DIR> d-------- C:\Program Files\Azureus
    2008-06-19 21:49 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-19 21:49 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-19 21:45 . 2008-06-19 21:45 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
    2008-06-19 21:45 . 2008-06-19 21:45 <DIR> d-------- C:\Program Files\Adobe Media Player
    2008-06-19 21:21 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2008-06-19 21:18 . 2008-06-19 21:18 <DIR> d-------- C:\kav
    2008-06-19 21:16 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
    2008-06-19 21:09 . 2007-05-14 22:03 445,696 -ra------ C:\WINDOWS\system32\drivers\rt73.sys
    2008-06-19 21:08 . 2008-06-19 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
    2008-06-19 20:45 . 2004-08-03 23:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
    2008-06-19 20:45 . 2004-08-03 23:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
    2008-06-17 17:00 . 2008-06-20 20:25 <DIR> d-------- C:\Program Files\Common Files\Macromedia
    2008-06-17 16:58 . 2008-06-20 20:25 <DIR> d-------- C:\Program Files\Macromedia
    2008-06-17 16:46 . 2008-06-21 21:39 <DIR> d-------- C:\WINDOWS\SHELLNEW
    2008-06-17 16:44 . 2008-06-17 16:44 <DIR> dr-h----- C:\MSOCache
    2008-06-17 15:59 . 2008-06-19 20:36 <DIR> d-------- C:\Program Files\Analog Devices(2)
    2008-06-17 15:12 . 2008-06-26 17:29 <DIR> d-------- C:\Documents and Settings\Dragonflower\Application Data\U3
    2008-06-17 09:04 . 2008-06-21 15:40 <DIR> d-------- C:\WINDOWS\system32\images
    2008-06-17 09:03 . 2008-06-17 09:03 <DIR> d-------- C:\Program Files\ATI FGL
    2008-06-17 08:59 . 2008-06-17 08:59 <DIR> d-------- C:\Program Files\Intel
    2008-06-17 08:11 . 2008-06-17 13:05 <DIR> d-------- C:\swsetup
    2008-06-17 08:11 . 2008-06-17 08:11 <DIR> d-------- C:\Compaq
    2008-06-16 23:56 . 2008-06-16 23:56 0 --a------ C:\t1jc.l0
    2008-06-16 23:56 . 2008-06-16 23:56 0 --a------ C:\t1jc.ko
    2008-06-16 21:50 . 2008-06-16 21:50 0 --a------ C:\t2b0.ja
    2008-06-16 21:50 . 2008-06-16 21:50 0 --a------ C:\t2b0.j0
    2008-06-16 21:50 . 2008-06-16 21:50 0 --a------ C:\t2b0.ip
    2008-06-16 21:46 . 2008-06-20 22:28 <DIR> d-------- C:\WINDOWS\system32\Adobe
    2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.n0
    2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.mp
    2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.me
    2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.mc
    2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.lv
    2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.lt
    2008-06-16 21:39 . 2008-06-16 21:39 0 --a------ C:\tpo.l0
    2008-06-16 21:38 . 2008-06-16 21:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
    2008-06-16 21:34 . 2008-06-20 09:55 <DIR> d-------- C:\Program Files\Common Files\Adobe
    2008-06-16 21:30 . 2008-06-20 15:02 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
    2008-06-16 17:34 . 2007-04-17 02:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
    2008-06-16 17:34 . 2007-03-07 22:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
    2008-06-16 17:03 . 2008-06-16 17:03 <DIR> d-------- C:\WINDOWS\system32\scripting
    2008-06-16 17:03 . 2008-06-16 17:03 <DIR> d-------- C:\WINDOWS\l2schemas
    2008-06-16 16:59 . 2008-06-16 16:59 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2008-06-16 16:18 . 2004-08-03 18:07 381,425 -----c--- C:\WINDOWS\system32\dllcache\copycd.wmv
    2008-06-16 16:18 . 2004-08-03 18:07 9,585 -----c--- C:\WINDOWS\system32\dllcache\controls.css
    2008-06-16 16:18 . 2004-08-03 18:07 8,298 -----c--- C:\WINDOWS\system32\dllcache\contents.htm
    2008-06-16 16:18 . 2004-08-03 18:07 6,878 -----c--- C:\WINDOWS\system32\dllcache\controls.js
    2008-06-16 16:18 . 2004-08-03 18:07 999 -----c--- C:\WINDOWS\system32\dllcache\bktrh.gif
    2008-06-16 16:18 . 2004-08-03 18:07 773 -----c--- C:\WINDOWS\system32\dllcache\cnth.gif
    2008-06-16 16:18 . 2004-08-03 18:07 773 -----c--- C:\WINDOWS\system32\dllcache\cnt.gif

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-20 04:32 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
    2008-06-15 06:21 --------- d-----w C:\Program Files\microsoft frontpage
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
    2008-04-14 00:11 99,840 ----a-w C:\WINDOWS\system32\advpack(3).dll
    2008-04-14 00:11 99,840 ----a-w C:\WINDOWS\system32\advpack(2).dll
    2008-04-14 00:11 516,768 ----a-w C:\WINDOWS\system32\ativvaxx(2)(2).dll
    2008-04-14 00:11 229,376 ----a-w C:\WINDOWS\system32\ati2cqag(2)(2).dll
    2008-04-14 00:11 201,728 ----a-w C:\WINDOWS\system32\ati2dvag(2)(2).dll
    2008-04-14 00:11 1,888,992 ----a-w C:\WINDOWS\system32\ati3duag(2)(2).dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-06-27_ 8.50.12.65 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-27 15:43:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-27 19:46:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    - 2004-08-11 08:45:04 229,376 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
    + 2007-10-28 00:40:06 227,328 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
    - 2004-08-11 08:45:06 2,362,104 -c--a-w C:\WINDOWS\system32\dllcache\wmvcore.dll
    + 2006-12-07 06:40:49 2,362,184 -c--a-w C:\WINDOWS\system32\dllcache\wmvcore.dll
    - 2008-06-27 15:42:38 18,018,592 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
    + 2008-06-27 19:45:44 18,018,592 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
    - 2008-06-27 15:42:38 1,707,040 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
    + 2008-06-27 19:45:44 1,707,040 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
    - 2004-08-11 08:45:04 229,376 ----a-w C:\WINDOWS\system32\wmasf.dll
    + 2007-10-28 00:40:06 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
    - 2004-08-11 08:45:06 2,362,104 ----a-w C:\WINDOWS\system32\wmvcore.dll
    + 2006-12-07 06:40:49 2,362,184 ----a-w C:\WINDOWS\system32\wmvcore.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:07 15360]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32 94208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57 143360]
    "DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 12:34 69632]
    "Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 18:58 856064]
    "Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]
    "frxmxins"="frxmxins" []
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
    "HydraVisionDesktopManager"="desk95.exe" [2003-03-21 11:25 507904 C:\WINDOWS\system32\Desk95.exe]
    "HydraVisionViewport"="viewport.exe" [2002-10-30 14:20 503808 C:\WINDOWS\system32\ViewPort.exe]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
    "NWEReboot"="" []
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]

    C:\Documents and Settings\Dragonflower\Start Menu\Programs\Startup\
    Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2008-06-19 23:18:58 3581680]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-06-20 10:09:58 25214]
    Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
    TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2008-06-19 22:16:43 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\kav\\kis\\setup.exe"=
    "C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

    R2 FGLRXUtil;FGLRXUTIL;C:\WINDOWS\system32\frxhser.exe [2003-05-07 18:46]
    R3 atifglrx;atifglrx;C:\WINDOWS\system32\DRIVERS\fglrxm.sys [2003-05-07 18:46]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10bbdbe9-4203-11dd-8a48-00d041ac5a86}]
    \Shell\AutoRun\command - H:\LaunchU3.exe

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-26 04:02:17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-27 17:47:40
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-06-27 17:51:17
    ComboFix-quarantined-files.txt 2008-06-28 00:51:09
    ComboFix2.txt 2008-06-27 15:52:32

    Pre-Run: 19,058,700,288 bytes free
    Post-Run: 19,042,156,544 bytes free

    234 --- E O F --- 2008-06-27 20:48:14


  10. #10
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    You're fine, OTMoveIt got rid of those files.

    How are things running now?
