
Thread: Virtumonde and more

  1. #11 joe436 (Junior Member; Join Date Jan 2009; Posts 15)

    Fresh logs

    ========== PROCESSES ==========
    ========== FILES ==========
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\drvtoj.dll
    C:\WINDOWS\system32\drvtoj.dll NOT unregistered.
    C:\WINDOWS\system32\drvtoj.dll moved successfully.
    C:\WINDOWS\system32\kofiraha.dll.tmp moved successfully.
    C:\WINDOWS\system32\vefegonu.dll.tmp moved successfully.
    C:\WINDOWS\system32\yeluriya.dll.tmp moved successfully.
    C:\WINDOWS\system32\ytrrdiny.exe moved successfully.
    ========== COMMANDS ==========

    OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01192009_221436


    Logfile of random's system information tool 1.05 (written by random/random)
    Run by joe436 at 2009-01-19 22:23:53
    Microsoft Windows XP Home Edition Service Pack 3
    System drive C: has 34 GB (7%) free of 477 GB
    Total RAM: 1534 MB (77% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:24:10 PM, on 1/19/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\VIA\RAID\raid_tool.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
    C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
    C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
    C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
    C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2b\RpcAgentSrv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\MagicDisc\MagicDisc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\joe436\Desktop\RSIT.exe
    C:\Documents and Settings\joe436\Desktop\joe436.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
    O4 - HKCU\..\Run: [Yrm] "C:\Program Files\??curity\r?gsvr32.exe"
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [Cfgqthpm] "C:\Program Files\Common Files\T?sks\??xplore.exe"
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.pcclub.com
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1142283192750
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2b\RpcAgentSrv.exe

    --
    End of file - 7701 bytes

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
    Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    Spybot-S&D IE Protection - C:\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-27 320920]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
    Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-27 34816]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F156768E-81EF-470C-9057-481BA8380DBA}]
    gFlash Class - C:\PROGRA~1\FlashGet\getflash.dll [2006-09-12 126976]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {E0E899AB-F487-11D5-8D29-0050BA6940E3} - FlashGet Bar - C:\PROGRA~1\FlashGet\fgiebar.dll [2005-06-07 86016]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
    "NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-10-07 13574144]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-27 136600]
    "SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2007-04-16 577536]
    "RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2003-10-31 32768]
    "RaidTool"=C:\Program Files\VIA\RAID\raid_tool.exe [2005-04-25 589824]
    "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-12-11 286720]
    "nwiz"=nwiz.exe /install []
    "NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-10-07 86016]
    "NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
    "HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2007-05-08 54840]
    "GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2007-08-24 33648]
    "DiscWizardMonitor.exe"=C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe [2007-04-19 1169744]
    "AcronisTimounterMonitor"=C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe [2007-04-19 1945688]
    "Acronis Scheduler2 Service"=C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe [2007-04-19 149024]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Yrm"=C:\Program Files\??curity\r?gsvr32.exe []
    "PhotoShow Deluxe Media Manager"=C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe [2005-02-25 212992]
    "Cfgqthpm"=C:\Program Files\Common Files\T?sks\??xplore.exe []

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    C:\Documents and Settings\joe436\Start Menu\Programs\Startup
    MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "authentication packages"=msv1_0
    relog_ap

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PSEXESVC]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDrives"=0
    "NoDriveAutoRun"=67108863
    "NoDriveTypeAutoRun"=323

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=
    "NoDrives"=
    "NoDriveAutoRun"=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\Program Files\Ventrilo\Ventrilo.exe"="C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe"
    "C:\Program Files\Electronic Arts\EADM\Core.exe"="C:\Program Files\Electronic Arts\EADM\Core.exe:*:Disabled:EA Download Manager"
    "C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Disabled:hposid01.exe"
    "C:\WINDOWS\Network Diagnostic\xpnetdiag.exe"="C:\WINDOWS\Network Diagnostic\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
    "C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
    "C:\Program Files\Stardock Games\Sins of a Solar Empire\Sins of a Solar Empire.exe"="C:\Program Files\Stardock Games\Sins of a Solar Empire\Sins of a Solar Empire.exe:*:Disabled:Sins of a Solar Empire"
    "C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2b\RpcAgentSrv.exe"="C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2b\RpcAgentSrv.exe:*:Disabled:SiSoftware Deployment Agent Service"
    "C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2b\WNt500x86\RpcSandraSrv.exe"="C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2b\WNt500x86\RpcSandraSrv.exe:*:Disabled:SiSoftware Sandra Agent Service"
    "C:\Program Files\THQ\Dawn of War - Soulstorm\Soulstorm.exe"="C:\Program Files\THQ\Dawn of War - Soulstorm\Soulstorm.exe:*:Disabled:Soulstorm"
    "C:\Program Files\SEGA\Gas Powered Games\Space Siege\SpaceSiege.exe"="C:\Program Files\SEGA\Gas Powered Games\Space Siege\SpaceSiege.exe:*:Disabled:Space Siege"
    "C:\WINDOWS\system32\spoolsv.exe"="C:\WINDOWS\system32\spoolsv.exe:*:Enabled:spoolsv"
    "C:\WINDOWS\system32\drivers\CDAC11BA.EXE"="C:\WINDOWS\system32\drivers\CDAC11BA.EXE:*:Enabled:CDAC11BA"
    "C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath "
    "C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    ======List of files/folders created in the last 1 months======

    65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\zunikulo.dll.tmp
    65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\vawinaso.dll
    65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\putumipa.dll
    65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\gutezugo.dll.tmp
    65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\gazitopu.dll.tmp
    65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\fuzanamu.dll.tmp
    2009-01-17 09:51:24 ----D---- C:\_OTMoveIt
    2009-01-17 09:49:54 ----D---- C:\Program Files\Common Files\Adobe AIR
    2009-01-17 09:49:14 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
    2009-01-17 02:45:55 ----SHD---- C:\RECYCLER
    2009-01-16 23:44:33 ----A---- C:\WINDOWS\system32\MRT.exe
    2009-01-16 23:44:27 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
    2009-01-16 23:13:40 ----A---- C:\ComboFix.txt
    2009-01-16 23:04:25 ----A---- C:\WINDOWS\zip.exe
    2009-01-16 23:04:25 ----A---- C:\WINDOWS\VFIND.exe
    2009-01-16 23:04:25 ----A---- C:\WINDOWS\SWXCACLS.exe
    2009-01-16 23:04:25 ----A---- C:\WINDOWS\SWSC.exe
    2009-01-16 23:04:25 ----A---- C:\WINDOWS\SWREG.exe
    2009-01-16 23:04:25 ----A---- C:\WINDOWS\sed.exe
    2009-01-16 23:04:25 ----A---- C:\WINDOWS\NIRCMD.exe
    2009-01-16 23:04:25 ----A---- C:\WINDOWS\grep.exe
    2009-01-16 23:04:25 ----A---- C:\WINDOWS\fdsv.exe
    2009-01-16 23:04:21 ----D---- C:\Qoobox
    2009-01-16 21:53:16 ----D---- C:\Documents and Settings\joe436\Application Data\Malwarebytes
    2009-01-16 21:53:09 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2009-01-16 21:53:09 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2009-01-13 21:48:42 ----D---- C:\rsit
    2009-01-09 01:17:42 ----D---- C:\WINDOWS\temp
    2009-01-03 10:38:13 ----A---- C:\WINDOWS\system32\ebfc92bc-.txt
    2008-12-27 20:21:36 ----D---- C:\Documents and Settings\joe436\Application Data\W Photo Studio Viewer
    2008-12-27 12:36:55 ----D---- C:\Converted Audio Files
    2008-12-27 12:35:23 ----D---- C:\Program Files\Acoustica MP3 To Wave Converter PLUS
    2008-12-27 00:08:23 ----A---- C:\WINDOWS\system32\deploytk.dll
    2008-12-25 11:27:53 ----D---- C:\Documents and Settings\joe436\Application Data\Red Alert 3
    2008-12-25 10:55:14 ----A---- C:\WINDOWS\system32\d3dx10_38.dll
    2008-12-25 10:55:14 ----A---- C:\WINDOWS\system32\D3DCompiler_38.dll
    2008-12-25 10:55:13 ----A---- C:\WINDOWS\system32\D3DX9_38.dll
    2008-12-25 10:55:04 ----D---- C:\WINDOWS\Logs

    ======List of files/folders modified in the last 1 months======

    2009-01-19 22:21:21 ----A---- C:\WINDOWS\SchedLgU.Txt
    2009-01-19 22:21:14 ----RASH---- C:\boot.ini
    2009-01-19 22:21:14 ----D---- C:\WINDOWS\pss
    2009-01-19 22:21:14 ----A---- C:\WINDOWS\win.ini
    2009-01-19 22:21:14 ----A---- C:\WINDOWS\system.ini
    2009-01-19 22:20:16 ----D---- C:\WINDOWS\Prefetch
    2009-01-19 22:15:06 ----D---- C:\Program Files\Mozilla Firefox
    2009-01-19 22:14:36 ----D---- C:\WINDOWS\system32
    2009-01-18 14:51:17 ----SHD---- C:\WINDOWS\Installer
    2009-01-18 14:51:17 ----HD---- C:\Config.Msi
    2009-01-18 14:51:17 ----D---- C:\Program Files\Adobe
    2009-01-18 14:51:17 ----D---- C:\Documents and Settings\joe436\Application Data\Adobe
    2009-01-17 20:26:18 ----HD---- C:\WINDOWS\inf
    2009-01-17 20:26:17 ----D---- C:\WINDOWS\system32\CatRoot2
    2009-01-17 09:51:26 ----SD---- C:\WINDOWS\Tasks
    2009-01-17 09:49:54 ----D---- C:\Program Files\Common Files
    2009-01-17 09:49:02 ----D---- C:\Program Files\Common Files\Adobe
    2009-01-17 09:42:16 ----RD---- C:\Program Files
    2009-01-17 09:35:26 ----A---- C:\WINDOWS\NeroDigital.ini
    2009-01-16 23:47:40 ----D---- C:\WINDOWS
    2009-01-16 23:44:28 ----RSHDC---- C:\WINDOWS\system32\dllcache
    2009-01-16 23:44:28 ----D---- C:\WINDOWS\system32\drivers
    2009-01-16 23:44:18 ----HD---- C:\WINDOWS\$hf_mig$
    2009-01-16 23:43:59 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2009-01-16 23:16:23 ----D---- C:\Documents and Settings\joe436\Application Data\Skype
    2009-01-16 23:08:30 ----D---- C:\WINDOWS\system32\config
    2009-01-16 23:08:10 ----D---- C:\WINDOWS\erdnt
    2009-01-16 23:06:29 ----D---- C:\WINDOWS\AppPatch
    2009-01-16 21:56:25 ----D---- C:\Documents and Settings\joe436\Application Data\skypePM
    2009-01-15 02:03:18 ----D---- C:\Program Files\World of Warcraft
    2009-01-09 17:37:42 ----AC---- C:\WINDOWS\wininit.ini
    2009-01-09 02:33:29 ----SHD---- C:\System Volume Information
    2009-01-09 02:33:29 ----D---- C:\WINDOWS\system32\Restore
    2009-01-09 02:22:34 ----D---- C:\Program Files\Java
    2009-01-06 03:20:55 ----A---- C:\WINDOWS\imsins.BAK
    2009-01-06 03:20:46 ----D---- C:\WINDOWS\system32\CatRoot
    2009-01-06 03:17:54 ----D---- C:\WINDOWS\Help
    2009-01-06 03:17:54 ----D---- C:\Program Files\Internet Explorer
    2009-01-06 03:16:19 ----D---- C:\WINDOWS\system32\en-US
    2009-01-06 03:15:42 ----D---- C:\WINDOWS\WBEM
    2009-01-06 03:15:40 ----D---- C:\WINDOWS\Media
    2009-01-06 03:15:36 ----HDC---- C:\WINDOWS\ie7
    2009-01-04 03:37:58 ----A---- C:\VundoFix.txt
    2009-01-02 04:31:01 ----SD---- C:\Documents and Settings\joe436\Application Data\Microsoft
    2008-12-28 00:04:27 ----D---- C:\Downloads
    2008-12-27 00:08:12 ----A---- C:\WINDOWS\system32\javaws.exe
    2008-12-27 00:08:12 ----A---- C:\WINDOWS\system32\javaw.exe
    2008-12-27 00:08:12 ----A---- C:\WINDOWS\system32\java.exe
    2008-12-25 11:27:28 ----A---- C:\WINDOWS\system32\CmdLineExt.dll
    2008-12-25 10:55:14 ----D---- C:\WINDOWS\system32\DirectX
    2008-12-25 10:55:14 ----D---- C:\Program Files\Electronic Arts
    2008-12-23 20:03:58 ----D---- C:\Program Files\FlashGet

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
    R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
    R1 prodrv06;StarForce Protection Environment Driver v6; C:\WINDOWS\System32\drivers\prodrv06.sys [2004-08-09 53920]
    R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-04-09 31548]
    R2 atksgt;atksgt; C:\WINDOWS\system32\DRIVERS\atksgt.sys [2006-04-26 165376]
    R2 lirsgt;lirsgt; C:\WINDOWS\system32\DRIVERS\lirsgt.sys [2006-04-26 18048]
    R2 tifsfilter;Acronis True Image FS Filter; C:\WINDOWS\system32\DRIVERS\tifsfilt.sys [2008-04-20 32768]
    R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2007-04-25 4030144]
    R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
    R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller; C:\WINDOWS\system32\DRIVERS\m4cxw2k3.sys [2006-06-22 242048]
    R3 mcdbus;Driver for MagicISO SCSI Host Controller; C:\WINDOWS\system32\DRIVERS\mcdbus.sys [2008-05-27 96896]
    R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-10-07 6133856]
    R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
    R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
    R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
    S1 ASPI32;ASPI32; C:\WINDOWS\system32\drivers\ASPI32.sys []
    S3 af9hlqqy;af9hlqqy; C:\WINDOWS\system32\drivers\af9hlqqy.sys []
    S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
    S3 CdaC15BA;CdaC15BA; \??\C:\WINDOWS\system32\drivers\CDAC15BA.SYS []
    S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
    S3 GcKernel;Microsoft SideWinder Value Add - Filter Driver; C:\WINDOWS\system32\DRIVERS\GcKernel.sys [2008-04-13 59136]
    S3 HIDSwvd;Microsoft SideWinder Virtual HID Device Mini-Driver; C:\WINDOWS\system32\DRIVERS\HIDSwvd.sys [2001-08-17 2688]
    S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
    S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
    S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
    S3 RTL8023;Realtek RTL8139/810x/8169/8110 all in one NDIS NT Driver; C:\WINDOWS\system32\DRIVERS\Rtlnic51.sys [2004-06-08 69504]
    S3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys [2005-03-03 74496]
    S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
    S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\wg111v2.sys []
    S3 SANDRA;SANDRA; \??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2b\WNt500x86\Sandra.sys []
    S3 SjyPkt;SjyPkt; \??\C:\WINDOWS\System32\Drivers\SjyPkt.sys []
    S3 SkFpWin;SysKonnect FDDI PCI Adapter Driver; C:\WINDOWS\system32\DRIVERS\SkFpWin.SYS [2001-08-17 91294]
    S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
    S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
    S3 usb_rndisx;USB RNDIS Adapter; C:\WINDOWS\system32\DRIVERS\usb8023x.sys [2008-04-13 12800]
    S3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2008-04-13 121984]
    S3 vaxscsi;vaxscsi; C:\WINDOWS\System32\Drivers\vaxscsi.sys [2006-07-08 223128]
    S3 viagfx;viagfx; C:\WINDOWS\system32\DRIVERS\vtmini.sys []
    S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
    S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
    S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
    S3 xnacc;Microsoft Common Controller For Windows Driver Service; C:\WINDOWS\system32\DRIVERS\xnacc.sys [2006-06-01 509440]
    S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 AcrSch2Svc;Acronis Scheduler2 Service; C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe [2007-04-19 411168]
    R2 C-DillaCdaC11BA;C-DillaCdaC11BA; C:\WINDOWS\system32\drivers\CDAC11BA.EXE [2007-09-11 39936]
    R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-27 152984]
    R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-10-07 163908]
    R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2007-12-28 66872]
    R2 SandraAgentSrv;SiSoftware Deployment Agent Service; C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2b\RpcAgentSrv.exe [2008-04-17 98488]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
    S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464]
    S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
    S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
    S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

    -----------------EOF-----------------

    It seems much better
    Thanks so much btw

  2. #12 Security Expert-Emeritus (Join Date Oct 2006; Location Manchester UK; Posts 3,425)

    Information

    No Antivirus

    I can see no indication of any Antivirus software.

    Use an AntiVirus Software - It is very important that you have anti-virus software running on your machine.
    This alone can save you a lot of trouble with malware in the future.
    Free AV list ( Home users only)
    Avira AntiVir
    Avast

    Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week.
    If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    Antivirus is a MUST



    There still appears to be some infection present, let's have another couple of scans
    ----------------------------------------------------------- -----------------------------------------------------------

    Step 1


    Custom CFScript
    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      File::
      C:\WINDOWS\system32\zunikulo.dll.tmp
      C:\WINDOWS\system32\vawinaso.dll
      C:\WINDOWS\system32\putumipa.dll
      C:\WINDOWS\system32\gutezugo.dll.tmp
      C:\WINDOWS\system32\gazitopu.dll.tmp
      C:\WINDOWS\system32\fuzanamu.dll.tmp
      C:\WINDOWS\system32\ebfc92bc-.txt
      C:\WINDOWS\wininit.ini
      C:\VundoFix.txt
      C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
      Folder::
      Driver::
      af9hlqqy
      Registry::
      [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
      "C:\WINDOWS\system32\drivers\CDAC11BA.EXE"=-
      
      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
      "Adobe Reader Speed Launcher"=-
      "SunJavaUpdateSched"=-
      
      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      "Yrm"=-
      "Cfgqthpm"=-
      
      ADS::
    • Save this as CFScript.txt and place it on your desktop.




    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper





    ----------------------------------------------------------- -----------------------------------------------------------
    Step 2



    Active Scan
    Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
    NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
    Please go to this site: ActiveScan
    • Click the Scan Now button
    • Follow the prompts to install the Active X if necessary
    • Go and make a cup of tea/coffee/beverage of your choice and watch some TV
    • When the scan is finished, a report will be generated
    • Next to Scan Details click the small export to notepad button and save the report to your desktop.
    • Please post the report in your reply.


    ----------------------------------------------------------- -----------------------------------------------------------
    Step 3

    Logs/Information to Post in Reply
    Please post the following logs/Information in your reply
    • Combofix Log
    • Active Scan Log
    • How are things running now ?
    Last edited by katana; 2009-01-21 at 09:46.
    Microsoft MVP Consumer Security 2009 -2010
    If we have helped, please consider a donation
    THESE INSTRUCTIONS ARE FOR THIS USER ONLY
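Added example, not code from the thread or from the ComboFix/OTMoveIt authors: a small Python reviewer that parses a fix script in the CFScript form above (and the ":Section" form OTMoveIt3 scripts use later in this thread) into a plan of what it will remove, and lists the firewall, autorun and driver entries a user should read before dragging the script onto the tool. The section names and the regedit-style delete syntax are taken from the scripts in this thread; the review rules and the shortened sample scripts are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Section headers: ComboFix CFScript uses "File::", OTMoveIt3 uses ":Files".
SECTION = re.compile(r"^(?:([A-Za-z]+)::|:([A-Za-z]+))$")
# Registry lines use regedit syntax: "[-KEY]" deletes a key, '"name"=-' deletes a value.
REG_KEY = re.compile(r"^\[(-?)(HK[^\]]+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"=-$')
FIREWALL_KEY = "\\services\\sharedaccess\\parameters\\firewallpolicy\\"
AUTORUN_KEY = "\\currentversion\\run"


@dataclass
class FixPlan:
    files: list = field(default_factory=list)
    drivers: list = field(default_factory=list)
    reg_delete_keys: list = field(default_factory=list)
    reg_delete_values: list = field(default_factory=list)  # (key, value name)


def parse_fix_script(text: str) -> FixPlan:
    """Turn a helper's fix script into a plan of what it will remove."""
    plan, section, current_key = FixPlan(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION.match(line)
        if header:
            section = (header.group(1) or header.group(2)).lower()
            current_key = None
        elif section in ("file", "files"):
            plan.files.append(line)
        elif section == "driver":
            plan.drivers.append(line)
        elif section in ("registry", "reg"):
            key = REG_KEY.match(line)
            value = REG_VALUE.match(line)
            if key:
                current_key = key.group(2)
                if key.group(1) == "-":
                    plan.reg_delete_keys.append(current_key)
            elif value and current_key:
                plan.reg_delete_values.append((current_key, value.group(1)))
    return plan


def review(plan: FixPlan) -> list:
    """Findings a user should read before running the script."""
    notes = []
    for key, name in plan.reg_delete_values:
        if FIREWALL_KEY in key.lower():
            notes.append(f"firewall policy entry removed: {name}")
        elif AUTORUN_KEY in key.lower():
            notes.append(f"autorun entry removed: {name}")
    notes.extend(f"whole registry key deleted: {key}" for key in plan.reg_delete_keys)
    notes.extend(f"driver service removed: {drv}" for drv in plan.drivers)
    in_system32 = sum("\\system32\\" in f.lower() for f in plan.files)
    notes.append(f"{len(plan.files)} file(s) deleted, {in_system32} under system32")
    return notes


# Shortened copy of the CFScript posted in this thread, used here as test input.
CFSCRIPT_SAMPLE = r"""
File::
C:\WINDOWS\system32\zunikulo.dll.tmp
C:\WINDOWS\system32\vawinaso.dll
C:\WINDOWS\wininit.ini
Folder::
Driver::
af9hlqqy
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\system32\drivers\CDAC11BA.EXE"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=-
ADS::
"""

# Shortened copy of the OTMoveIt3 script posted later in this thread.
OTMOVEIT_SAMPLE = r"""
:Processes
:Reg
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{99410cde-6f16-42ce-9d49-3807f78f0287}]
:Files
C:\WINDOWS\system32\drvtoj.dll
C:\WINDOWS\system32\ytrrdiny.exe
:Commands
"""
```

Calling `review(parse_fix_script(CFSCRIPT_SAMPLE))` lists the firewall authorized-application entry, the Run value, the driver service and the file count, which is exactly the set of changes to confirm are intended before the script runs.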

  3. #13
    Junior Member joe436
    Join Date: Jan 2009
    Posts: 15

    I used the custom script for the fix. It restarted, the log came up, and I went to work. When I came back I had lost internet. Please help!

    I loaded up services.msc and it appears that my internet service has been disabled or is being prepped to delete. Also my Windows Firewall is no longer coming up; what it says is "can not start service due to error 10050 encounted dead socket".

  4. #14
    Junior Member joe436
    Join Date: Jan 2009
    Posts: 15

    Let me try to explain better. I used the CFScript.txt you made me.

    I left the room. When I came back the log screen was up. I closed it and saw in the corner I had the icon of little to no internet, and my firewall is off.

    When I try to start the firewall it says the service is off, would you like to start it?
    I click yes and it gives an error message.

    So I then ran services.msc and lots of services are stopped, almost all internet ones not working, and when I try to start them: "can not start service due to error 10050 encounted dead socket".

    I can't find the log to save my life. I even opened all logs made in the last 30 days and I can't find any ComboFix logs.

    Sorry for the 2nd post. I did the first post on my cell phone, then I remembered an old hard drive I had around and am using that.

    Any help you can give is good.

  5. #15
    Security Expert-Emeritus
    Join Date: Oct 2006
    Location: Manchester UK
    Posts: 3,425

    Please run Combofix again (just double click it)

  6. #16
    Junior Member joe436
    Join Date: Jan 2009
    Posts: 15

    Here's the logfile. I still don't have internet on that hard drive; I'm using an old one with Win 98 SP2 to use the internet. I can't use both hard drives at the same time, so I can't do Active Scan :(

    Thanks again.

    ComboFix 09-01-19.05 - joe436 2009-01-21 1:19:05.9 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.1172 [GMT -8:00]
    Running from: c:\documents and settings\joe436\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2008-12-21 to 2009-01-21 )))))))))))))))))))))))))))))))
    .

    2009-01-17 09:51 . 2009-01-19 22:17 <DIR> d-------- C:\_OTMoveIt
    2009-01-17 09:49 . 2009-01-17 09:49 <DIR> d-------- c:\program files\Common Files\Adobe AIR
    2009-01-16 21:53 . 2009-01-16 21:53 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-01-16 21:53 . 2009-01-16 21:53 <DIR> d-------- c:\documents and settings\joe436\Application Data\Malwarebytes
    2009-01-16 21:53 . 2009-01-16 21:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-01-16 21:53 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-01-16 21:53 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-01-13 21:48 . 2009-01-13 21:49 <DIR> d-------- C:\rsit
    2008-12-27 20:21 . 2008-12-27 20:35 <DIR> d-------- c:\documents and settings\joe436\Application Data\W Photo Studio Viewer
    2008-12-27 12:36 . 2008-12-28 00:03 <DIR> d-------- C:\Converted Audio Files
    2008-12-27 12:35 . 2008-12-27 12:36 <DIR> d-------- c:\program files\Acoustica MP3 To Wave Converter PLUS
    2008-12-27 00:08 . 2008-12-27 00:08 410,984 --a------ c:\windows\system32\deploytk.dll
    2008-12-27 00:08 . 2008-12-27 00:08 73,728 --a------ c:\windows\system32\javacpl.cpl
    2008-12-25 11:27 . 2008-12-26 21:53 <DIR> d-------- c:\documents and settings\joe436\Application Data\Red Alert 3
    2008-12-25 10:55 . 2008-12-25 10:55 <DIR> d-------- c:\windows\Logs
    2008-12-25 10:55 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
    2008-12-25 10:55 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
    2008-12-25 10:55 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-20 06:30 --------- d-----w c:\program files\World of Warcraft
    2009-01-17 17:49 --------- d-----w c:\program files\Common Files\Adobe
    2009-01-17 07:43 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-01-17 07:16 --------- d-----w c:\documents and settings\joe436\Application Data\Skype
    2009-01-17 05:56 --------- d-----w c:\documents and settings\joe436\Application Data\skypePM
    2009-01-09 10:22 --------- d-----w c:\program files\Java
    2008-12-25 18:55 --------- d-----w c:\program files\Electronic Arts
    2008-12-24 04:03 --------- d-----w c:\program files\FlashGet
    2008-12-20 03:58 --------- d-----w c:\program files\THQ
    2008-12-20 03:57 --------- d-----w c:\program files\Stardock Games
    2008-12-20 03:54 --------- d-----w c:\program files\MediaMobsters
    2008-12-20 03:50 --------- d-----w c:\program files\EA GAMES
    2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
    2008-12-09 00:27 --------- d-----w c:\program files\HP
    2008-11-30 23:00 --------- d-----w c:\program files\Common Files\HP
    2008-11-30 22:52 --------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
    2008-03-31 08:52 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
    2008-01-31 06:32 184 -c--a-w c:\documents and settings\joe436\serial.bat
    2007-12-29 02:55 22,328 -c--a-w c:\documents and settings\joe436\Application Data\PnkBstrK.sys
    2007-07-16 23:53 48 -c--a-w c:\documents and settings\joe436\readme.bat
    2007-05-14 02:17 848 -csha-w c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( snapshot_2009-01-20_12.53.40.04 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-01-21 09:25:49 16,384 ----atw c:\windows\temp\Perflib_Perfdata_11c.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-25 212992]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
    "RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-04-25 589824]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-19 1169744]
    "AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-04-19 1945688]
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 149024]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]
    "nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

    c:\documents and settings\joe436\Start Menu\Programs\Startup\
    MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-07-17 547840]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
    [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
    "vidc.wmv3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll
    "VIDC.ZMBV"= zmbv.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "MSConfig"=c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
    "c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2b\\RpcAgentSrv.exe"=
    "c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2b\\WNt500x86\\RpcSandraSrv.exe"=
    "c:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
    "c:\\Program Files\\SEGA\\Gas Powered Games\\Space Siege\\SpaceSiege.exe"=
    "c:\\WINDOWS\\system32\\spoolsv.exe"=
    "c:\\WINDOWS\\system32\\drivers\\CDAC11BA.EXE"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;c:\windows\system32\drivers\m4cxw2k3.sys [2005-03-10 242048]
    R4 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite XII.SP2b\RpcAgentSrv.exe [2008-04-20 98488]
    S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys --> c:\windows\system32\DRIVERS\wg111v2.sys [?]
    S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]
    S3 SkFpWin;SysKonnect FDDI PCI Adapter Driver;c:\windows\system32\drivers\SkFpWin.SYS [2006-12-31 91294]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{E80E0706-D0C0-DF53-B7E4-CC62C00195D0}]
    c:\windows\system32\rundl32.exe
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
    IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\joe436\Application Data\Mozilla\Firefox\Profiles\b85tq2c1.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-21 01:25:53
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2721899785-1327697716-2894633667-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:67,13,48,f9,22,19,a1,3d,fa,2f,9e,da,e4,82,7c,b9,cd,54,16,13,57,08,2b,
    0d,71,51,46,be,52,ef,eb,89,5b,5a,29,1e,46,00,db,2c,5b,94,61,1a,3b,ee,23,5a,\
    "??"=hex:76,0b,61,51,15,bc,e0,5d,9b,6e,3f,25,d5,49,52,3e

    [HKEY_USERS\S-1-5-21-2721899785-1327697716-2894633667-1006\Software\SecuROM\License information*]
    "datasecu"=hex:aa,94,fc,0a,36,ec,a5,06,3f,0d,4f,9d,9b,af,eb,7f,3e,03,d1,be,66,
    57,5d,50,3f,11,f6,81,d4,fd,06,38,c2,2a,8f,9f,65,56,99,d0,db,a5,4a,df,89,aa,\
    "rkeysecu"=hex:0c,01,85,43,d9,94,1a,d5,71,29,87,48,26,17,d9,45
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(968)
    c:\windows\system32\relog_ap.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\rundll32.exe
    c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
    c:\windows\system32\drivers\CDAC11BA.EXE
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\PnkBstrA.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-01-21 1:28:55 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-01-21 09:28:52
    ComboFix2.txt 2009-01-20 20:55:00
    ComboFix3.txt 2009-01-17 07:13:40
    ComboFix4.txt 2009-01-09 09:17:40

    Pre-Run: 35,306,913,792 bytes free
    Post-Run: 35,296,759,808 bytes free

    171 --- E O F --- 2008-12-18 09:08:09

  7. #17
    Security Expert-Emeritus
    Join Date: Oct 2006
    Location: Manchester UK
    Posts: 3,425

    Sorry for the delay, I've been at the hospital all day

    ComboFix creates a System Restore point before it runs; please use the restore point created prior to the internet problems.

    When you have internet connection again, please run the Active Scan.
    Let's see if that throws any light on what is causing the problems.

  8. #18
    Junior Member joe436
    Join Date: Jan 2009
    Posts: 15

    Hope you are OK.

    After 4.5 hours

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2009-01-22 02:31:47
    PROTECTIONS: 0
    MALWARE: 13
    SUSPECTS: 2
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00040538 adware/zango Adware No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{99410cde-6f16-42ce-9d49-3807f78f0287}
    00534916 Spyware/Virtumonde Spyware No 1 Yes No C:\_OTMoveIt\MovedFiles\01172009_095124\windows\system32\hedadefo.dll
    00534916 Spyware/Virtumonde Spyware No 1 Yes No C:\_OTMoveIt\MovedFiles\01172009_095124\windows\system32\fesufima.dll
    00534916 Spyware/Virtumonde Spyware No 1 Yes No C:\_OTMoveIt\MovedFiles\01172009_095124\windows\system32\buhepine.dll
    00534916 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{5ED082C7-DB03-4C99-A167-DFE5A92FCA6F}\RP4\A0000099.dll
    00534916 Spyware/Virtumonde Spyware No 1 Yes No C:\_OTMoveIt\MovedFiles\01172009_095124\windows\system32\kopavawi.dll
    00534916 Spyware/Virtumonde Spyware No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\gutezugo.dll.tmp.vir
    01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{5ED082C7-DB03-4C99-A167-DFE5A92FCA6F}\RP15\A0002697.EXE
    01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{5ED082C7-DB03-4C99-A167-DFE5A92FCA6F}\RP8\A0002306.EXE
    01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{5ED082C7-DB03-4C99-A167-DFE5A92FCA6F}\RP15\A0002783.EXE
    02220591 Generic Trojan Virus/Trojan No 0 Yes No C:\Program Files\EA GAMES\The Battle for Middle-earth (tm)\LotR BfME 1.03 NoDVD.exe
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{5ED082C7-DB03-4C99-A167-DFE5A92FCA6F}\RP15\A0002773.sys
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{5ED082C7-DB03-4C99-A167-DFE5A92FCA6F}\RP15\A0002686.sys
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{5ED082C7-DB03-4C99-A167-DFE5A92FCA6F}\RP8\A0002296.sys
    02896285 Dialer.KYT HackTools No 0 Yes No C:\WINDOWS\system32\drvtoj.dll
    02896344 Adware/OuterInfo Adware No 0 Yes No C:\System Volume Information\_restore{5ED082C7-DB03-4C99-A167-DFE5A92FCA6F}\RP7\A0002247.exe
    02896351 Trj/Downloader.SHE Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{5ED082C7-DB03-4C99-A167-DFE5A92FCA6F}\RP7\A0002246.exe
    02912157 W32/Spamta.gen.worm Virus/Worm No 0 Yes No C:\WINDOWS\system32\ytrrdiny.exe
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\joe436\Desktop\ComboFix.exe
    03918954 Trj/Lineage.BZE Virus/Trojan No 1 Yes No C:\Documents and Settings\joe436\My Documents\MoFunZone.com--dynasty_warriors_4_hyper_10_trainer.zip[asx-dw4.exe]
    03918954 Trj/Lineage.BZE Virus/Trojan No 1 Yes No C:\Documents and Settings\joe436\Desktop\asx-dw4.exe
    03923402 Generic Trojan Virus/Trojan No 0 Yes No C:\Program Files\Microsoft Games\Mechwarrior Mercenaries\shellmt.dll
    04733997 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{5ED082C7-DB03-4C99-A167-DFE5A92FCA6F}\RP16\A0002927.exe
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location
    ;===================================================================================================================================================================================
    Yes C:\Documents and Settings\joe436\Desktop\OTMoveIt3.exe
    Yes C:\Documents and Settings\joe436\My Documents\Downloads\35 Hentai Games\10 Hentai Games\Pro.Lesring.Ring.Out.exe
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
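Added example, not part of the thread: Python that parses the ActiveScan report above into rows and sorts each detection by where it sits (registry, System Restore snapshot, quarantine folder, a removal tool run in this thread, or a live path), which is the distinction the helper's follow-up questions about specific files depend on. The column layout comes from the report's own header line; the location classes, the tool list and the sample subset are constructed for this example.

```python
import re
from dataclasses import dataclass

# One MALWARE row: Id Description Type Active Severity Disinfectable Disinfected Location.
# Description may contain spaces ("Generic Trojan"), so it is matched lazily.
ROW = re.compile(
    r"^(?P<id>\d{8}) (?P<desc>.+?) (?P<type>\S+) (?P<active>Yes|No) (?P<severity>\d+) "
    r"(?P<disinfectable>Yes|No) (?P<disinfected>Yes|No) (?P<location>.+)$"
)
SUSPECT = re.compile(r"^(?P<sent>Yes|No) (?P<location>.+)$")
# Removal tools the helper had the user run in this thread; their hits need a separate look.
THREAD_TOOLS = {"combofix.exe", "otmoveit3.exe"}


@dataclass
class Detection:
    det_id: str
    desc: str
    kind: str
    active: bool
    severity: int
    location: str


def classify(location: str) -> str:
    """Where a detection lives decides how urgent it is."""
    loc = location.lower()
    if loc.startswith("hkey_"):
        return "registry"
    if "\\system volume information\\_restore" in loc:
        return "restore-point"        # old copy inside a System Restore snapshot
    if "\\_otmoveit\\movedfiles\\" in loc or "\\qoobox\\quarantine\\" in loc:
        return "quarantine"           # already moved aside by OTMoveIt or ComboFix
    if loc.rsplit("\\", 1)[-1] in THREAD_TOOLS:
        return "thread-tool"
    return "live"                     # still in place on the running system


def parse_activescan(text: str):
    """Return (detections, suspect locations) from an ActiveScan report."""
    detections, suspects, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line in ("PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES"):
            section = line
            continue
        if section == "MALWARE" and (m := ROW.match(line)):
            detections.append(Detection(
                m["id"], m["desc"], m["type"], m["active"] == "Yes",
                int(m["severity"]), m["location"]))
        elif section == "SUSPECTS" and (m := SUSPECT.match(line)):
            suspects.append(m["location"])
    return detections, suspects


def triage(detections) -> dict:
    """Group detections by location class; 'live' is what to act on first."""
    groups = {}
    for d in detections:
        groups.setdefault(classify(d.location), []).append(d)
    return groups


# Rows copied from the ActiveScan report posted in this thread (a subset, for testing).
SAMPLE_REPORT = r"""
MALWARE: 13
SUSPECTS: 2
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
00040538 adware/zango Adware No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{99410cde-6f16-42ce-9d49-3807f78f0287}
00534916 Spyware/Virtumonde Spyware No 1 Yes No C:\_OTMoveIt\MovedFiles\01172009_095124\windows\system32\hedadefo.dll
00534916 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{5ED082C7-DB03-4C99-A167-DFE5A92FCA6F}\RP4\A0000099.dll
00534916 Spyware/Virtumonde Spyware No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\gutezugo.dll.tmp.vir
02220591 Generic Trojan Virus/Trojan No 0 Yes No C:\Program Files\EA GAMES\The Battle for Middle-earth (tm)\LotR BfME 1.03 NoDVD.exe
02896285 Dialer.KYT HackTools No 0 Yes No C:\WINDOWS\system32\drvtoj.dll
02912157 W32/Spamta.gen.worm Virus/Worm No 0 Yes No C:\WINDOWS\system32\ytrrdiny.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\joe436\Desktop\ComboFix.exe
SUSPECTS
Sent Location
Yes C:\Documents and Settings\joe436\Desktop\OTMoveIt3.exe
"""
```

Run over the full report, the 23 MALWARE rows collapse to the 13 distinct Ids the header counts, and only the registry entry plus the three live files (drvtoj.dll, ytrrdiny.exe and the NoDVD executable) fall outside restore points, quarantine folders and the thread's own tools.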

  9. #19
    Security Expert-Emeritus
    Join Date: Oct 2006
    Location: Manchester UK
    Posts: 3,425

    Quote Originally Posted by joe436:
    hope you are ok.
    I'm fine thanks, it's just a knee problem.

    I'm glad you have the internet back, but that doesn't show why there were any problems ???


    Do you know anything about these files/games?
    C:\Documents and Settings\joe436\My Documents\Downloads\35 Hentai Games\10 Hentai Games\Pro.Lesring.Ring.Out.exe
    C:\Documents and Settings\joe436\My Documents\MoFunZone.com--dynasty_warriors_4_hyper_10_trainer.zip
    C:\Program Files\EA GAMES\The Battle for Middle-earth (tm)\LotR BfME 1.03 NoDVD.exe
    C:\Program Files\Microsoft Games\Mechwarrior Mercenaries\shellmt.dll

    ----------------------------------------------------------- -----------------------------------------------------------

    Step 1


    Submit a File For Analysis
    We need to have the files below scanned by uploading them to VirusTotal.

    Please visit VirusTotal
    Copy/paste the following file path into the window
    C:\Documents and Settings\joe436\My Documents\Downloads\35 Hentai Games\10 Hentai Games\Pro.Lesring.Ring.Out.exe
    Click Submit/Send File
    Please post back, to let me know the results.

    Please do the same for the following files
    C:\Documents and Settings\joe436\Desktop\asx-dw4.exe
    C:\Documents and Settings\joe436\My Documents\MoFunZone.com--dynasty_warriors_4_hyper_10_trainer.zip
    C:\Program Files\EA GAMES\The Battle for Middle-earth (tm)\LotR BfME 1.03 NoDVD.exe
    C:\Program Files\Microsoft Games\Mechwarrior Mercenaries\shellmt.dll


    If Virustotal is too busy please try Jotti

    ----------------------------------------------------------- -----------------------------------------------------------
    Step 2



    OTMoveIt

    • Double-click OTMoveIt3.exe to run it.
    • Copy the lines in the codebox below. (Make sure you include :Processes)

    Code:
    :Processes
    :Reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{99410cde-6f16-42ce-9d49-3807f78f0287}]
    :Files
    C:\WINDOWS\system32\drvtoj.dll
    C:\WINDOWS\system32\ytrrdiny.exe
    :Commands
    • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.

    • Close ALL open windows (especially Internet Explorer!)
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    • Close OTMoveIt3


    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


    ----------------------------------------------------------- -----------------------------------------------------------
    Step 3

    Download and Run ComboFix
    Please delete the copy of ComboFix that you have and download an updated copy from one of the links below
    • Please visit this webpage for instructions on using ComboFix:
      http://www.bleepingcomputer.com/comb...o-use-combofix

      ComboFix.exe 1
      ComboFix.exe 2
      ComboFix.exe 3
    • You must download it to and run it from your Desktop
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
    • Re-enable all the programs that were disabled during the running of ComboFix.


    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ComboFix SHOULD NOT be used unless requested by a forum helper

    ----------------------------------------------------------- -----------------------------------------------------------
    Step 4

    Logs/Information to Post in Reply
    Please post the following logs/Information in your reply
    • Virus Total results
    • OTMI Log
    • Combofix log
    • How are things running now ?

  10. #20
    Junior Member joe436
    Join Date: Jan 2009
    Posts: 15

    Hi,
    VirusTotal is cool, I will use that a lot now when I check a file.

    Most of these are files I needed to beat CD-checks on software I own, but my old CD drive would install but not read for CD-checks. That company went under, was sued to death.

    Pro.Lesring.Ring.Out.exe
    File has already been analysed:
    MD5: 5aaa73c448fde5e918fd052885e3f68e
    First received: 01.04.2007 13:31:55 (CET)
    Date: 09.11.2008 13:09:33 (CET) [>133D]
    Results: 4/36
    Permalink: analisis/8e7d65b7a1932364e322f562d82e816c

    asx-dw4.exe
    File has already been analysed:
    MD5: 086c5ddc5924e3a98545931a0f56aa66
    First received: 12.29.2007 14:06:27 (CET)
    Date: 11.30.2008 23:41:45 (CET) [>53D]
    Results: 16/37
    Permalink: analisis/a1f1191b55715b96a6f0192cfba773d2


    MoFunZone.com--dynasty_warriors_4_hyper_10_trainer.zip
    File has already been analysed:
    MD5: 3db2d99145848c6bf5a16244b1e952dc
    First received: 07.19.2008 03:29:33 (CET)
    Date: 07.19.2008 03:29:33 (CET) [>188D]
    Results: 10/33
    Permalink: analisis/2e4777a8cd7da2cccad6f8ee30a61a4a


    LotR BfME 1.03 NoDVD.exe
    File has already been analysed:
    MD5: 359dd9522d74629317d2e537e936cad6
    First received: 07.22.2007 11:03:19 (CET)
    Date: 01.20.2009 02:14:13 (CET) [>3D]
    Results: 30/39
    Permalink: analisis/6ea285f81a01cbeae193b4c2e265432e


    shellmt.dll
    File has already been analysed:
    MD5: 9ef7133de9946711f3619197d539ec34
    First received: 05.01.2007 22:56:09 (CET)
    Date: 12.09.2008 09:48:47 (CET) [>44D]
    Results: 12/38
    Permalink: analisis/5350e3d1b4145c7519cb1fee81f446cb

    ========== PROCESSES ==========
    ========== REGISTRY ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{99410cde-6f16-42ce-9d49-3807f78f0287}\\ deleted successfully.
    ========== FILES ==========
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\drvtoj.dll
    C:\WINDOWS\system32\drvtoj.dll NOT unregistered.
    C:\WINDOWS\system32\drvtoj.dll moved successfully.
    C:\WINDOWS\system32\ytrrdiny.exe moved successfully.
    ========== COMMANDS ==========

    OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01222009_215916
