
Thread: Yet another Virtumonde atrocity...

  1. #11, Junior Member (joined Jan 2009, 6 posts)

    ComboFix 09-01-08.01 - llong 2009-01-14 9:43:22.2 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.382.179 [GMT -7:00]
    Running from: c:\documents and settings\llong\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\llong\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\llong\Application Data\LimeWire
    c:\documents and settings\llong\Application Data\LimeWire\certificate\limewire.keystore
    c:\documents and settings\llong\Application Data\LimeWire\createtimes.cache
    c:\documents and settings\llong\Application Data\LimeWire\downloads.dat
    c:\documents and settings\llong\Application Data\LimeWire\fileurns.bak
    c:\documents and settings\llong\Application Data\LimeWire\fileurns.cache
    c:\documents and settings\llong\Application Data\LimeWire\filters.props
    c:\documents and settings\llong\Application Data\LimeWire\gnutella.net
    c:\documents and settings\llong\Application Data\LimeWire\installation.props
    c:\documents and settings\llong\Application Data\LimeWire\library.dat
    c:\documents and settings\llong\Application Data\LimeWire\limewire.props
    c:\documents and settings\llong\Application Data\LimeWire\mojito.props
    c:\documents and settings\llong\Application Data\LimeWire\promotion\promodb.data
    c:\documents and settings\llong\Application Data\LimeWire\promotion\promodb.lck
    c:\documents and settings\llong\Application Data\LimeWire\promotion\promodb.log
    c:\documents and settings\llong\Application Data\LimeWire\promotion\promodb.properties
    c:\documents and settings\llong\Application Data\LimeWire\promotion\promodb.script
    c:\documents and settings\llong\Application Data\LimeWire\questions.props
    c:\documents and settings\llong\Application Data\LimeWire\responses.cache
    c:\documents and settings\llong\Application Data\LimeWire\simpp.xml
    c:\documents and settings\llong\Application Data\LimeWire\spam.dat
    c:\documents and settings\llong\Application Data\LimeWire\tables.props
    c:\documents and settings\llong\Application Data\LimeWire\themes\limewire_theme.lwtp
    c:\documents and settings\llong\Application Data\LimeWire\themes\limewire_theme\01_star.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\limewire_theme\02_star.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\limewire_theme\03_star.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\limewire_theme\04_star.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\limewire_theme\05_star.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\limewire_theme\chat.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\limewire_theme\dir_closed.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\limewire_theme\dir_open.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\limewire_theme\forward_dn.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\limewire_theme\forward_up.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\limewire_theme\kill.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\limewire_theme\kill_on.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\limewire_theme\lime.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\limewire_theme\pause_dn.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\limewire_theme\pause_up.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\limewire_theme\play_dn.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\limewire_theme\play_up.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\limewire_theme\question.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\limewire_theme\rewind_dn.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\limewire_theme\rewind_up.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\limewire_theme\stop_dn.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\limewire_theme\stop_up.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\limewire_theme\theme.txt
    c:\documents and settings\llong\Application Data\LimeWire\themes\limewire_theme\version.txt
    c:\documents and settings\llong\Application Data\LimeWire\themes\limewire_theme\warning.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\windows_theme.lwtp
    c:\documents and settings\llong\Application Data\LimeWire\themes\windows_theme\01_star.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\windows_theme\02_star.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\windows_theme\03_star.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\windows_theme\04_star.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\windows_theme\05_star.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\windows_theme\chat.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\windows_theme\forward_up.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\windows_theme\kill.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\windows_theme\kill_on.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\windows_theme\pause_up.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\windows_theme\play_dn.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\windows_theme\play_up.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\windows_theme\question.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\windows_theme\stop_up.gif
    c:\documents and settings\llong\Application Data\LimeWire\themes\windows_theme\theme.txt
    c:\documents and settings\llong\Application Data\LimeWire\themes\windows_theme\version.txt
    c:\documents and settings\llong\Application Data\LimeWire\themes\windows_theme\warning.gif
    c:\documents and settings\llong\Application Data\LimeWire\version.xml
    c:\documents and settings\llong\Application Data\LimeWire\versions.props
    c:\documents and settings\llong\Application Data\LimeWire\xml\data\audio.sxml2
    c:\documents and settings\llong\Application Data\Twain
    c:\program files\Webtools

    .
    ((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
    .

    2100-02-23 14:35 . 2001-02-22 09:54 768 --a------ c:\program files\x73_lut.dat
    2100-02-08 16:03 . 2001-05-11 11:39 53,248 --a------ c:\program files\ACMonitor_X73.exe
    2009-01-02 14:53 . 2009-01-02 14:53 <DIR> d-------- c:\program files\Trend Micro
    2008-12-30 09:05 . 2008-12-30 09:05 54,156 --ah----- c:\windows\QTFont.qfn
    2008-12-30 09:05 . 2008-12-30 09:05 1,409 --a------ c:\windows\QTFont.for
    2008-12-23 15:35 . 2008-12-23 15:35 76,040 --a------ c:\windows\SYSTEM32\DRIVERS\avgtdix.sys
    2008-12-23 15:35 . 2008-12-23 15:35 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
    2008-12-23 15:34 . 2008-12-23 15:34 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\Avg
    2008-12-23 15:34 . 2008-12-23 15:34 <DIR> d-------- c:\documents and settings\llong\Application Data\AVGTOOLBAR
    2008-12-23 15:34 . 2008-12-23 15:34 97,928 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys
    2008-12-23 13:33 . 2008-12-23 13:33 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
    2008-12-23 13:33 . 2008-12-23 13:33 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
    2008-12-23 13:33 . 2008-12-23 13:33 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
    2008-12-23 13:33 . 2008-12-23 13:33 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
    2008-12-23 12:23 . 2008-12-23 12:23 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-12-23 11:19 . 2008-12-23 11:19 <DIR> d--hs---- C:\FOUND.000
    2008-12-23 09:13 . 2008-12-23 09:13 <DIR> d-------- c:\program files\AVG
    2008-12-23 09:13 . 2008-12-23 09:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2008-12-22 16:29 . 2008-12-22 16:28 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
    2008-12-22 16:29 . 2008-12-22 16:28 73,728 --a------ c:\windows\SYSTEM32\javacpl.cpl
    2008-12-22 16:27 . 2008-12-22 16:27 <DIR> d-------- c:\program files\Java

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2006-12-18 16:55 39,832 ----a-w c:\documents and settings\llong\Application Data\GDIPFONTCACHEV1.DAT
    2006-03-04 17:38 113 ----a-w c:\documents and settings\llong\Application Data\fusioncache.dat
    2002-03-11 23:04 806,944 ------w c:\program files\user.pca
    2002-03-11 23:04 2,162,720 ------w c:\program files\system.pca
    2001-07-26 23:58 47 ----a-w c:\program files\ACMonitor_X73.ini
    2001-07-05 19:46 8,116 ----a-w c:\program files\OSLO3071b2.USB
    2001-05-08 23:36 114,688 ----a-w c:\program files\lxarscan.dll
    2001-04-23 21:22 1,437 ----a-w c:\program files\gtx73.ini
    2000-06-16 19:26 271 --sh--w c:\program files\desktop.ini
    2000-06-16 19:26 23,357 ---h--w c:\program files\folder.htt
    2001-08-19 22:36 77,824 ----a-w c:\program files\internet explorer\plugins\IEHelper.dll
    2005-07-14 21:20 8 --sh--w c:\windows\DRM\pdrm.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2009-01-08_17.01.21.71 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-01-10 02:29:50 16,384 ----a-w c:\windows\TEMP\Perflib_Perfdata_5bc.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.VDOM"= vdowave.drv

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eBot.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eBot.lnk
    backup=c:\windows\pss\eBot.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
    backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
    backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^llong^Start Menu^Programs^Startup^Virtual Bouncer.lnk]
    path=c:\documents and settings\llong\Start Menu\Programs\Startup\Virtual Bouncer.lnk
    backup=c:\windows\pss\Virtual Bouncer.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
    --a------ 2008-12-23 15:33 1261336 c:\progra~1\AVG\AVG8\avgtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 03:56 15360 c:\windows\SYSTEM32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a------ 2004-02-12 13:38 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 10:50 155648 c:\windows\SYSTEM32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2003-12-19 15:52 77824 c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-12-22 16:28 136600 c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
    --a------ 2001-08-23 12:00 3072 c:\windows\SYSTEM32\systray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "RDSessMgr"=3 (0x3)
    "mnmsrvc"=3 (0x3)
    "avg8wd"=2 (0x2)
    "avg8emc"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    "MMTray"=
    "hpsysdrv"=c:\windows\SYSTEM32\hpsysdrv.exe
    "Delay"=c:\windows\delayrun.exe
    "MotiveMonitor"=c:\program files\Motive\motmon.exe
    "WorksFUD"=c:\program files\Microsoft Works\wkfud.exe
    "mgavrtclexe"=c:\windows\MCBin\AV\Rt\mgavrtcl.exe
    "DJRegFix"=regedit /s c:\hp\djregfix.reg
    "HPLogiFinder"=\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
    "LexmarkPrinTray"=PrinTray.exe
    "Lexmark X73 Button Monitor"=c:\progra~1\LEXMAR~1\ACMonitor_X73.exe
    "Lexmark X73 Button Manager"=c:\progra~1\LEXMAR~1\AcBtnMgr_X73.exe
    "LexStart"=Lexstart.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Trillian\\trillian.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2008-12-23 97928]
    R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [2008-12-23 76040]
    R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-22 24652]
    S3 DCamUSBVeo532;Veo Web Camera;c:\windows\system32\Drivers\ubVeo532.sys --> c:\windows\system32\Drivers\ubVeo532.sys [?]
    S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-23 875288]
    S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-23 231704]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\c2ec5b36-1a6b-4e73-a7d8-e9e70107710c]
    c:\windows\system32\huuxpz.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-08 c:\windows\Tasks\Maintenance-Defragment programs.job
    - c:\windows\DEFRAG.EXE []

    2009-01-14 c:\windows\Tasks\PCHealth Scheduler for Data Collection.job
    - c:\windows\PCHEALTH\SUPPORT\PCHSCHD.EXE []

    2009-01-01 c:\windows\Tasks\Maintenance-Disk cleanup.job
    - c:\windows\CLEANMGR.EXE []
    .
    .
    ------- Supplementary Scan -------
    .
    uDefault_Search_URL = about:blank
    mLocal Page = c:\windows\SYSTEM\blank.htm
    mStart Page = hxxp://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
    mWindow Title = Burke Net Inc.
    mSearch Bar = hxxp://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyServer = http=127.0.0.1:6711
    uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    IE: E&xport to Microsoft Excel - c:\micros~1\Office10\EXCEL.EXE/3000
    IE: {{3CB10829-C0BC-468a-AE91-E88AC48CB345} - c:\program files\PokerNow.net\PokerNownet.exe

    O16 -: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
    c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
    FF - ProfilePath - c:\documents and settings\llong\Application Data\Mozilla\Firefox\Profiles\8yor3ehh.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-14 09:48:12
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(496)
    c:\windows\system32\avgrsstx.dll

    - - - - - - - > 'lsass.exe'(560)
    c:\windows\system32\avgrsstx.dll
    .
    Completion time: 2009-01-14 9:52:01
    ComboFix-quarantined-files.txt 2009-01-14 16:52:00
    ComboFix2.txt 2009-01-09 00:04:58

    Pre-Run: 7,702,020,096 bytes free
    Post-Run: 7,689,830,400 bytes free

    262


    *****************

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:15:34 PM, on 1/14/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\raiyneofgailin.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/...//my.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\LLONG\Application Data\Mozilla\Profiles\default\1gez0o44.slt\prefs.js)
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: PokerNow.net - {3CB10829-C0BC-468a-AE91-E88AC48CB345} - C:\Program Files\PokerNow.net\PokerNownet.exe (file missing)
    O9 - Extra 'Tools' menuitem: PokerNow.net - {3CB10829-C0BC-468a-AE91-E88AC48CB345} - C:\Program Files\PokerNow.net\PokerNownet.exe (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Graffiti - http://download2.games.yahoo.com/gam...s/y/grt5_x.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1137730996369
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O24 - Desktop Component 0: (no name) - http://worldkids.net/girl/girl9.gif

    --
    End of file - 5425 bytes

  2. #12, Security Expert: Emeritus (joined Oct 2006, Finland, 29,374 posts)

    Please go to the Kaspersky website and perform an online antivirus scan.

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and selecting "Run as administrator" to perform this scan.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    9. Please post this log in your next reply along with a fresh HijackThis log.


    If you need a tutorial, see here
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #13, Security Expert: Emeritus (joined Oct 2006, Finland, 29,374 posts)

    Due to the lack of feedback, this topic is closed.

    If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

    If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

    Everyone else please begin a New Topic.
