
Thread: Can't remove Virtumonde...driving...me...crazy!!

  1. #1
    Junior Member
    Join Date
    Dec 2008
    Posts
    2

    Can't remove Virtumonde...driving...me...crazy!!

    I have somehow become infected with Virtumonde and can't get rid of it. I've run SS&D to no avail and also run ComboFix multiple times without success. I have my ComboFix and HijackThis logs included in this post, so please help!! It's almost my birthday and I might not make it if I can't get rid of this!! Thanks in advance.
    Jason

    ComboFix 08-12-06.04 - jnix 2008-12-06 19:02:02.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.521 [GMT -5:00]
    Running from: c:\documents and settings\jnix\My Documents\My Downloads\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\axploo.dll
    c:\windows\system32\kmibdtyp.ini
    c:\windows\system32\pytdbimk.dll
    c:\windows\system32\rqWxwyay.ini
    c:\windows\system32\rqWxwyay.ini2
    c:\windows\system32\yaywxWqr.dll
    c:\windows\system32\yxmostgr.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
    .

    2008-12-06 18:53 . 2008-12-06 18:53 <DIR> d-------- c:\program files\Trend Micro
    2008-12-06 09:21 . 2008-12-06 09:21 34,816 --a------ c:\windows\system32\wvUoMcdD.dll
    2008-12-04 12:49 . 2008-12-04 12:49 <DIR> d-------- c:\documents and settings\jnix\Application Data\DivX
    2008-12-04 12:43 . 2008-12-04 12:44 <DIR> d-------- c:\program files\DivX
    2008-12-01 12:32 . 2008-12-01 12:32 200 --a------ c:\windows\pdf2txt.INI
    2008-12-01 12:15 . 2008-12-01 12:15 <DIR> d-------- c:\program files\PDF2TXT
    2008-12-01 12:13 . 2008-12-01 12:15 615 --a------ c:\windows\system32\winpdf.ini
    2008-11-30 23:44 . 2008-11-30 23:44 <DIR> d-------- c:\program files\AviSynth 2.5
    2008-11-24 23:53 . 2008-12-01 09:12 <DIR> d-------- c:\program files\AWall
    2008-11-21 16:47 . 2008-11-21 16:47 3,596,288 --a------ c:\windows\system32\qt-dx331.dll
    2008-11-21 16:47 . 2008-11-21 16:47 524,288 --a------ c:\windows\system32\DivXsm.exe
    2008-11-21 16:47 . 2008-11-21 16:47 4,816 --a------ c:\windows\system32\divxsm.tlb
    2008-11-21 16:46 . 2008-11-21 16:46 1,044,480 --a------ c:\windows\system32\libdivx.dll
    2008-11-21 16:46 . 2008-11-21 16:46 200,704 --a------ c:\windows\system32\ssldivx.dll
    2008-11-21 16:44 . 2008-11-21 16:44 161,096 --a------ c:\windows\system32\DivXCodecVersionChecker.exe
    2008-11-21 16:44 . 2008-11-21 16:44 12,288 --a------ c:\windows\system32\DivXWMPExtType.dll
    2008-11-21 07:43 . 2008-11-21 07:43 <DIR> d-------- c:\program files\iTunes
    2008-11-21 07:43 . 2008-11-21 07:43 <DIR> d-------- c:\program files\iPod
    2008-11-21 07:43 . 2008-11-21 07:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-11-21 07:36 . 2008-11-21 07:37 <DIR> d-------- c:\program files\QuickTime
    2008-11-21 07:23 . 2008-11-21 07:24 <DIR> d-------- c:\program files\Safari
    2008-11-17 10:29 . 2003-06-19 15:05 561,424 --a------ c:\windows\system32\dao360.dll
    2008-11-17 10:29 . 2003-06-19 15:05 491,792 --a------ c:\windows\system32\msado15.dll
    2008-11-17 10:29 . 2006-03-21 12:50 382,552 --a------ c:\windows\system32\AddFlow5.ocx
    2008-11-17 10:29 . 2003-06-19 15:05 57,616 --a------ c:\windows\system32\msador15.dll
    2008-11-17 10:29 . 2007-05-22 14:46 53,248 --a------ c:\windows\system32\PrnFlow5.ocx
    2008-11-17 10:29 . 2004-05-12 10:51 49,152 --a------ c:\windows\system32\eFileActDirOcx.ocx
    2008-11-17 10:29 . 2001-06-06 13:04 45,328 --a------ c:\windows\system32\PIXRAMN.DLL
    2008-11-13 16:59 . 2008-11-13 16:59 <DIR> d-------- c:\program files\Freeze.com
    2008-11-13 16:50 . 2008-11-13 16:50 <DIR> d-------- c:\program files\Expert Software
    2008-11-13 16:50 . 2008-11-13 16:50 <DIR> d-------- c:\documents and settings\jnix\WINDOWS
    2008-11-13 16:50 . 1996-01-09 10:38 283,648 --a------ c:\windows\uninst.exe
    2008-11-11 19:33 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
    2008-11-11 19:33 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-07 00:13 5,337,204 ----a-w c:\windows\Internet Logs\tvDebug.zip
    2008-12-07 00:11 38,565,920 --sha-w c:\windows\system32\drivers\fidbox.dat
    2008-12-06 21:59 454,844 --sha-w c:\windows\system32\drivers\fidbox.idx
    2008-12-06 14:39 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-12-06 14:39 --------- d-----w c:\documents and settings\All Users\Application Data\BVRP Software
    2008-12-05 16:22 --------- d-----w c:\documents and settings\jnix\Application Data\WeatherBug
    2008-12-05 11:53 --------- d-----w c:\documents and settings\jnix\Application Data\uTorrent
    2008-12-01 15:46 --------- d-----w c:\program files\eMule
    2008-11-25 20:45 1,630,208 ----a-w c:\windows\Internet Logs\xDB2.tmp
    2008-11-22 22:50 --------- d-----w c:\documents and settings\jnix\Application Data\Apple Computer
    2008-11-21 21:47 9,464 ------w c:\windows\system32\drivers\cdralw2k.sys
    2008-11-21 21:47 9,336 ------w c:\windows\system32\drivers\cdr4_xp.sys
    2008-11-21 21:47 43,528 ------w c:\windows\system32\drivers\PxHelp20.sys
    2008-11-21 21:47 129,784 ----a-w c:\windows\system32\pxafs.dll
    2008-11-21 21:47 120,056 ----a-w c:\windows\system32\pxcpyi64.exe
    2008-11-21 21:47 118,520 ----a-w c:\windows\system32\pxinsi64.exe
    2008-11-21 12:43 --------- d-----w c:\program files\Common Files\Apple
    2008-11-19 21:47 --------- d-----w c:\program files\Paint Shop Pro 5
    2008-11-12 04:07 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2008-11-04 12:31 --------- d-----w c:\program files\Agilysys
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-18 02:31 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-10-18 01:46 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-10-18 01:03 --------- d-----w c:\program files\Common
    2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
    2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
    2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    2008-09-25 01:32 471,552 ----a-w c:\windows\uninstall.exe
    2008-09-19 10:34 1,488,896 ----a-w c:\windows\Internet Logs\xDB1.tmp
    2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
    2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
    2006-10-03 07:43 2,402,550 ----a-w c:\windows\inf\SETEA.tmp
    2006-10-03 07:43 2,402,550 ----a-w c:\windows\inf\SET99.tmp
    2006-10-03 07:43 2,402,550 ----a-w c:\windows\inf\SET6C.tmp
    2006-10-03 07:43 2,402,550 ----a-w c:\windows\inf\SET5C.tmp
    2006-10-03 06:43 2,402,550 ----a-w c:\windows\inf\SET13A.tmp
    2006-08-31 13:01 17,536 ----a-w c:\documents and settings\jnix\Application Data\GDIPFONTCACHEV1.DAT
    2003-12-20 20:21 65,536 ----a-w c:\windows\inf\i386\StbXpExt.dll
    2003-12-19 01:11 49,152 ----a-w c:\windows\inf\i386\DriverPnPInstall.exe
    2003-12-19 00:21 13,824 ----a-w c:\windows\inf\i386\Stbxpins.dll
    2003-12-14 07:04 57,344 ----a-w c:\windows\inf\i386\StbxpC9x.exe
    2003-12-14 07:02 57,344 ----a-w c:\windows\inf\i386\StbxpCfg.exe
    2003-12-14 06:07 155,648 ----a-w c:\windows\inf\i386\Stbxp200.dll
    2003-12-14 06:05 20,480 ----a-w c:\windows\inf\i386\Stbxpint.dll
    2003-12-14 06:01 61,440 ----a-w c:\windows\inf\i386\Stbxpdrv.dll
    2003-07-31 09:53 147,456 ----a-w c:\windows\inf\EL2K_XP.sys
    2003-07-31 09:50 448,768 ----a-w c:\windows\inf\EL2K_N64.sys
    2003-07-31 09:43 147,456 ----a-w c:\windows\inf\EL2K_2K.sys
    2002-01-05 08:37 344,064 ----a-w c:\windows\inf\i386\msvcr70.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-12-06_16.43.36.17 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-12-06 21:36:27 230,685 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
    + 2008-12-07 00:17:12 230,686 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
    2008-12-06 09:21 34816 --a------ c:\windows\system32\wvUoMcdD.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE47501F-AC2C-4139-8DD6-604E5A4F5750}]
    2008-12-06 19:38 302592 --a------ c:\windows\system32\awtqnkhe.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Iomega Automatic Backup"="c:\program files\Iomega\Iomega Automatic Backup\ibackup.exe" [2002-10-15 3014656]
    "Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2006-04-07 1343488]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
    "Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
    "GetModule30"="c:\program files\GetModule\GetModule30.exe" [BU]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-10-10 7286784]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-10-10 86016]
    "DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-09-14 157592]
    "Iomega Automatic Backup 1.0.1"="c:\program files\Iomega\Iomega Automatic Backup\ibackup.exe" [2002-10-15 3014656]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
    "EPSON Stylus Photo R220 Series on Jasonalien (from L3CTCV5)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
    "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2003-05-04 57393]
    "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2003-05-04 40960]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
    "C-Media Mixer"="Mixer.exe" [2002-06-12 c:\windows\mixer.exe]

    c:\documents and settings\jnix\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
    Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 3746856]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 118784]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
    "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\wvUoMcdD.dll" [2008-12-06 34816]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUoMcdD]
    2008-12-06 09:21 34816 c:\windows\system32\wvUoMcdD.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=uuhftd.dll axploo.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.enc"= ITIG726.acm

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\awtqnkhe

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
    backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^jnix^Start Menu^Programs^Startup^Epson printer Registration.lnk]
    path=c:\documents and settings\jnix\Start Menu\Programs\Startup\Epson printer Registration.lnk
    backup=c:\windows\pss\Epson printer Registration.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    --a------ 2006-04-20 12:10 50792 c:\program files\Common Files\AOL\1144680389\ee\aolsoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
    --a------ 2003-05-04 04:36 40960 c:\program files\ScanSoft\PaperPort\IndexSearch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
    --a------ 2006-02-17 11:59 124520 c:\program files\Common Files\AOL\IPHSend\IPHSend.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
    --a------ 2004-02-25 17:15 454656 c:\program files\Logitech\Video\ISStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
    --a------ 2004-02-25 17:06 212992 c:\program files\Logitech\Video\LogiTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
    --a------ 2004-02-25 16:15 221184 c:\windows\system32\LVCOMSX.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
    --a------ 2003-05-04 04:12 57393 c:\program files\ScanSoft\PaperPort\pptd40nt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    --a------ 2003-10-31 18:42 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2005-11-10 12:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2005-10-10 20:49 1519616 c:\windows\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1144680389\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1144680389\\ee\\aim6.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\uTorrent\\utorrent.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R1 BIOS;BIOS;\??\c:\windows\system32\drivers\BIOS.sys [2007-12-15 13696]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-01-10 24652]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2008-09-17 18176]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2008-09-17 7680]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2008-09-17 23680]
    S4 LkWebLink;Inter-Tel Collaboration Remote Client;"c:\documents and settings\jnix\My Documents\Inter-Tel\Collaboration Client 2.0\lkWebLink.exe" -service [2007-12-12 32768]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2008-12-05 c:\windows\Tasks\Reminders.job
    - c:\program files\Internet Explorer\IEXPLORE.EXE [2008-04-13 19:12]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{3EDFF654-B032-479E-8E3D-BB1AE7F07E92} - c:\windows\system32\yaywxWqr.dll


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.cnn.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

    c:\windows\Downloaded Program Files\TLIEFlashCtrlU.dll - O16 -: {94B82441-A413-4E43-8422-D49930E69764}
    hxxps://chat1.j2.com/Media/Visitorchat/TLIEFlash.CAB
    FireFox -: Profile - c:\documents and settings\jnix\Application Data\Mozilla\Firefox\Profiles\nxiwvx4w.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.cnn.com/
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-06 19:33:02
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
    "ImagePath"="\"\""
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(604)
    c:\windows\system32\wvUoMcdD.dll

    - - - - - - - > 'explorer.exe'(1248)
    c:\windows\system32\jpibnvtt.dll
    c:\windows\system32\awtqnkhe.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ZoneLabs\vsmon.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
    c:\windows\system32\inetsrv\inetinfo.exe
    c:\progra~1\Iomega\System32\AppServices.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\searchindexer.exe
    c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    c:\windows\system32\searchprotocolhost.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\searchfilterhost.exe
    .
    **************************************************************************
    .
    Completion time: 2008-12-06 19:41:27 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-12-07 00:41:14
    ComboFix2.txt 2008-12-06 22:10:48
    ComboFix3.txt 2008-12-06 21:46:03

    Pre-Run: 50,086,449,152 bytes free
    Post-Run: 49,988,222,976 bytes free

    301 --- E O F --- 2008-11-12 04:07:34
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:56:06 PM, on 12/6/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series on Jasonalien (from L3CTCV5)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P59 "EPSON Stylus Photo R220 Series on Jasonalien (from L3CTCV5)" /O5 "TS004" /M "Stylus Photo R220"
    O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series on 192.168.1.100 (from BLUEMAN)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P62 "EPSON Stylus Photo R220 Series on 192.168.1.100 (from BLUEMAN)" /O5 "TS001" /M "Stylus Photo R220"
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [b888408e] rundll32.exe "C:\WINDOWS\system32\jpibnvtt.dll",b
    O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [GetModule30] "C:\Program Files\GetModule\GetModule30.exe"
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.walmart.com
    O15 - Trusted IP range: http://172.27.2.168
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
    O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/F...ansferCtrl.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://chat1.j2.com/Media/Visitorchat/TLIEFlash.CAB
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.33.7/ttinst.cab
    O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - http://172.27.2.168/dmlogin/comdlg32.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - AppInit_DLLs: uuhftd.dll axploo.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 9899 bytes



    Please Help!!
    Thanks again,
    Jason
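As an added triage example (not from the thread or from the helpers here), the script below walks the "Reg Loading Points" section of a ComboFix log like the one above and flags modules with Vundo-style random 6-8 letter names that are registered at DLL-injection load points (BHO, ShellExecuteHooks, Winlogon Notify, AppInit_DLLs, LSA Authentication Packages). The sample log is an excerpt copied from the post; the name heuristic, the system32 restriction and the small allowlist are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed excerpt of the "Reg Loading Points" section of the ComboFix log
# in post #1 above; every entry is copied from that log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2008-12-06 09:21 34816 --a------ c:\windows\system32\wvUoMcdD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE47501F-AC2C-4139-8DD6-604E5A4F5750}]
2008-12-06 19:38 302592 --a------ c:\windows\system32\awtqnkhe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\wvUoMcdD.dll" [2008-12-06 34816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUoMcdD]
2008-12-06 09:21 34816 c:\windows\system32\wvUoMcdD.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=uuhftd.dll axploo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\awtqnkhe
"""

# Load points that get a DLL mapped into another process without a Run-key
# entry of its own. The Vundo/Virtumonde family registers its DLLs at several
# of these at once, which is why one DLL name shows up under three headers.
# Keys are matched as lowercase substrings of "<section header> <value line>".
INJECTION_LOAD_POINTS = {
    "browser helper objects": "BHO (loaded into Internet Explorer)",
    "shellexecutehooks": "ShellExecuteHook (loaded into explorer.exe)",
    r"winlogon\notify": "Winlogon Notify (loaded into winlogon.exe)",
    "appinit_dlls": "AppInit_DLLs (loaded into every process that maps user32)",
    r"control\lsa": "LSA Authentication Package (loaded into lsass.exe)",
}

# Stock Windows XP Winlogon Notify DLLs whose names would otherwise trip the
# length heuristic (assumed allowlist; a real deployment would key on hashes).
KNOWN_GOOD = {"cscdll", "sclgntfy", "wlnotify", "dimsntfy"}

# Heuristic: Vundo-style stems are 6-8 letters with no digits or punctuation.
RANDOM_STEM = re.compile(r"^[a-z]{6,8}$", re.I)
# A drive path up to a quote or bracket (so paths containing spaces survive).
PATH_RE = re.compile(r"[a-z]:\\[^\"\[\]]+", re.I)
# Bare DLL names, as used by AppInit_DLLs (not preceded by a backslash).
BARE_DLL_RE = re.compile(r"(?<![\\\w])([\w~$-]+\.dll)\b", re.I)


def modules_in(line):
    """Return the module file names named on one log line, in order, deduplicated.

    Only modules under system32 (or bare names) are returned: that is where every
    Vundo component in this log lives, and it keeps vendor DLLs out of the score.
    """
    found = []
    for path in PATH_RE.findall(line):
        path = path.rstrip()
        if "\\system32\\" in path.lower():
            found.append(path.rsplit("\\", 1)[-1])
    found.extend(BARE_DLL_RE.findall(line))
    return list(dict.fromkeys(found))


def analyse(log_text):
    """Map each suspicious module stem to the injection load points referencing it."""
    section = ""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line  # a new registry key header
            continue
        context = f"{section} {line}".lower()
        label = next((v for k, v in INJECTION_LOAD_POINTS.items() if k in context), None)
        if label is None:
            continue  # Run keys, services and the like are not scored here
        for module in modules_in(line):
            stem = module.rsplit(".", 1)[0].lower()
            if RANDOM_STEM.match(stem) and stem not in KNOWN_GOOD:
                if label not in hits[stem]:
                    hits[stem].append(label)
    return dict(hits)


def triage(log_text):
    """Rank findings: a module referenced from several injection load points first."""
    return sorted(analyse(log_text).items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for stem, points in triage(SAMPLE_LOG):
        print(f"{stem:<10} referenced from {len(points)} load point(s):")
        for point in points:
            print(f"    {point}")
```

On the excerpt above this ranks wvUoMcdD (BHO, ShellExecuteHook and Winlogon Notify) first, then awtqnkhe (BHO and LSA package), then the two AppInit_DLLs entries, while ctfmon.exe and MSNLNamespaceMgr.dll are not reported.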

  2. #2
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi

    Do NOT run 'fixes' before helpers have analyzed the HJT log (you ran ComboFix, though it shouldn't be used without supervision).


    IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    µTorrent
    eMule


    I'd like you to read this thread.

    Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

    Delete these folders afterwards:

    c:\documents and settings\jnix\Application Data\uTorrent
    c:\program files\eMule
    c:\program files\uTorrent

    Empty Recycle Bin.

    After that:

    Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
    • Run Spybot-S&D in Advanced Mode
    • If it is not already set to do this, go to the Mode menu and select Advanced Mode
    • On the left hand side, click on Tools
    • Then click on the Resident icon in the list
    • Uncheck Resident TeaTimer and OK any prompts.
    • Restart your computer


    Download ResetTeaTimer.bat to the Desktop (right click the link and select save)
    http://downloads.subratam.org/ResetTeaTimer.bat
    Double click ResetTeaTimer.bat to remove all entries set by TeaTimer (and prevent TeaTimer from restoring them upon reactivation).


    Delete the old copy of the ComboFix.exe file.

    _______________

    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    • Please post contents of that file in your next reply.


    ________________________

    Download combofix from any of these links and save it to Desktop:
    Link 1
    Link 2
    Link 3

    Run it and post back its report & a fresh hjt log.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member
    Join Date
    Dec 2008
    Posts
    2

    Default Got impatient and reformatted...thanks, though

    Hey, sorry it took a few days to reply, but the day you responded, I got impatient and reformatted my PC...it was about due anyway. Yes, I do believe one of the P2P files I downloaded recently "got me". Is there any reliable way to scan these files?

    Thanks for your help and I will try and be more careful in the future!!

    Jason

  4. #4
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Is there any reliable way to scan these files?
    No, but you can diminish the risk by avoiding dubious files. Illegal files like cracks etc. are, without exception, that kind of item.

    I shall archive the topic now.
