virtumonde and smit on bjorning's

**bjorning** · 2009-01-22, 18:04

ComboFix 09-01-21.04 - JJ 2009-01-22 8:43:55.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.249 [GMT -8:00]
Running from: c:\documents and settings\JJ.HOME\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SYSTEM32\qWadfMoq.ini
c:\windows\SYSTEM32\qWadfMoq.ini2
c:\windows\system32\tqojrttt.ini
c:\windows\system32\tshxtbqo.ini

.
((((((((((((((((((((((((( Files Created from 2008-12-22 to 2009-01-22 )))))))))))))))))))))))))))))))
.

2009-01-22 08:28 . 2009-01-22 08:28 <DIR> d--hs---- C:\FOUND.006
2009-01-20 19:02 . 2009-01-20 19:02 <DIR> d--hs---- C:\FOUND.005
2009-01-15 11:08 . 2009-01-15 11:08 <DIR> d--hs---- C:\FOUND.004
2009-01-14 00:14 . 2009-01-13 22:18 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2009-01-13 23:59 . 2009-01-13 23:59 <DIR> d-------- c:\program files\Trend Micro
2009-01-13 23:21 . 2009-01-22 08:49 1,104 --a------ c:\windows\ordzblzj
2009-01-13 11:35 . 2009-01-13 11:35 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-12 11:00 . 2009-01-12 11:00 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\Avg
2009-01-12 11:00 . 2009-01-12 11:00 <DIR> d-------- c:\documents and settings\JJ.HOME\Application Data\AVGTOOLBAR
2009-01-12 11:00 . 2009-01-12 11:00 97,928 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys
2009-01-12 11:00 . 2009-01-12 11:00 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
2009-01-12 10:59 . 2009-01-12 10:59 <DIR> d-------- c:\program files\AVG
2009-01-12 10:59 . 2009-01-12 10:59 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2009-01-12 01:02 . 2009-01-12 01:02 <DIR> d-------- c:\program files\2K Games
2009-01-12 00:46 . 2009-01-12 00:46 <DIR> d--hs---- C:\FOUND.003
2009-01-03 17:28 . 2009-01-03 17:28 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-12-30 00:02 . 2008-12-30 00:02 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-22 00:18 33,688 ----a-w c:\documents and settings\JJ.HOME\Application Data\GDIPFONTCACHEV1.DAT
2008-12-14 00:16 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-13 06:40 3,593,216 ------w c:\windows\SYSTEM32\dllcache\mshtml.dll
2008-12-05 06:25 --------- d-----w c:\program files\Common Files\AOL
2008-12-05 06:25 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Viewpoint
2008-12-05 06:25 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\AOL OCP
2008-12-05 06:25 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\AOL
2008-12-04 05:29 --------- d-----w c:\program files\desktopsites
2008-12-04 02:42 --------- d-----w c:\program files\Logitech
2008-10-24 11:21 455,296 ------w c:\windows\SYSTEM32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\SYSTEM32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\SYSTEM32\dllcache\gdi32.dll
2007-11-13 23:49 32 ----a-r c:\documents and settings\All Users\hash.dat
2000-06-21 00:37 271 --sh--w c:\program files\desktop.ini
2000-06-21 00:37 23,357 ---h--w c:\program files\folder.htt
2008-09-11 01:34 32,768 --sha-w c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091020080911\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-18_13.19.11.84 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-12 1261336]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Hawking Wireless Utility.lnk - c:\program files\Hawking\HWU8DD\HWU8DD.exe [2007-12-03 479232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mpng"= c:\program files\t@b\0.952\686\tabdec.dll
"vidc.mvjp"= c:\program files\t@b\0.952\686\tabdec.dll
"vidc.444p"= c:\program files\t@b\0.952\686\tabdec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^JJ.HOME^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\JJ.HOME\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 17:12 15360 c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a------ 2008-09-22 01:27 133104 c:\documents and settings\JJ.HOME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gStart]
--a------ 2007-08-23 05:58 1891416 c:\garmin\gStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2008-08-14 17:11 565008 c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2008-08-14 17:15 2407184 c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\RAPIMGR.EXE"= c:\program files\Microsoft ActiveSync\RAPIMGR.EXE:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"c:\\Documents and Settings\\JJ.HOME\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\JJ.HOME\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"57506:TCP"= 57506:TCP:Pando P2P TCP Listening Port
"57506:UDP"= 57506:UDP:Pando P2P UDP Listening Port

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2009-01-12 97928]
R3 ZD1211U(Hawking);Hawking Hi-Gain Wireless-G USB Dish Adapter(Hawking);c:\windows\SYSTEM32\DRIVERS\ZD1211U.sys [2007-12-03 278016]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-12 231704]
S0 ordzblzj;ordzblzj;c:\windows\SYSTEM32\DRIVERS\emvpjnpi.sys []
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\SYSTEM32\DRIVERS\BRGSp50.sys [2007-11-29 20608]
S3 IrCOMM2k;Virtueller Infrarot-Kommunikationsanschluß;c:\windows\system32\DRIVERS\ircomm2k.sys --> c:\windows\system32\DRIVERS\ircomm2k.sys [?]
S3 qcmdmxp;HTC Proprietary USB Driver (PID 0B03);c:\windows\SYSTEM32\DRIVERS\qcmdmxp.sys [2008-06-28 92800]
S3 qcserxp;HTC Diagnostic Port (PID 0B03);c:\windows\SYSTEM32\DRIVERS\qcserxp.sys [2008-06-28 92800]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47dc34fe-432c-11dd-abf3-000347fa956b}]
\Shell\AutoRun\command - G:\jfvkcsy.bat
\Shell\explore\Command - G:\jfvkcsy.bat
\Shell\open\Command - G:\jfvkcsy.bat
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1220945662-682003330-1004.job
- c:\documents and settings\JJ.HOME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-22 01:27]
.
- - - - ORPHANS REMOVED - - - -

BHO-{5F229F22-ED7C-4C56-ABB8-BEE914989939} - c:\windows\system32\qoMfdaWq.dll
BHO-{de455072-86b0-4473-874e-443d34c7bbe7} - c:\windows\system32\ioprpq.dll
HKLM-Run-23561149 - c:\windows\system32\oqbtxhst.dll
MSConfigStartUp-BitTorrent DNA - c:\program files\DNA\btdna.exe

.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - d:\progra~1\office\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {E5B89B1F-4589-4957-BF8D-311D34136041} - hxxp://remotegoat.openmeadow.org/konect/appdata/AxKonectReg.cab
FF - ProfilePath - c:\documents and settings\JJ.HOME\Application Data\Mozilla\Firefox\Profiles\ntgrszwm.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\JJ.HOME\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\JJ.HOME\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npigl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 08:52:02
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(8088)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\wqbbkhfq.dll
c:\windows\system32\qoMfdaWq.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
c:\program files\A-SQUARED FREE\A2SERVICE.EXE
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\program files\AVG\AVG8\AVGWDSVC.EXE
c:\program files\COMMON FILES\LOGISHRD\LVCOMSER\LVCOMSER.EXE
c:\program files\COMMON FILES\LOGISHRD\LVMVFM\LVPRCSRV.EXE
c:\program files\AVG\AVG8\AVGRSX.EXE
c:\program files\COMMON FILES\LOGISHRD\LVCOMSER\LVCOMSER.EXE
c:\program files\AVG\AVG8\AVGTRAY.EXE
c:\program files\MICROSOFT ACTIVESYNC\RAPIMGR.EXE
c:\windows\SoftwareDistribution\Download\Install\windows-kb890830-v2.6-delta.exe
c:\d9f1443112c8e264f675\mrtstub.exe
c:\windows\system32\MRT.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-22 9:03:07 - machine was rebooted [JJ]
ComboFix-quarantined-files.txt 2009-01-22 17:02:42
ComboFix2.txt 2009-01-18 21:21:58

Pre-Run: 6,460,506,112 bytes free
Post-Run: 6,701,711,360 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

211 --- E O F --- 2008-12-18 08:43:06

**bjorning** · 2009-01-22, 18:16

and for good measure here's a new hjt log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:44 AM, on 1/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SNDVOL32.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: {71ee6f28-2e71-506a-7964-7dc58f581e4d} - {d4e185f8-5cd7-4697-a605-17e282f6ee17} - C:\WINDOWS\system32\yyleqo.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Hawking Wireless Utility.lnk = C:\Program Files\Hawking\HWU8DD\HWU8DD.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\office\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1196799009453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1196799000187
O16 - DPF: {E5B89B1F-4589-4957-BF8D-311D34136041} (AxKonectReg Control) - http://remotegoat.openmeadow.org/kon...xKonectReg.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 6229 bytes

**Shaba** · 2009-01-22, 18:49

Open notepad and copy/paste the text in the codebox below into it:

Code:

File::
c:\windows\ordzblzj

Driver::
ordzblzj

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47dc34fe-432c-11dd-abf3-000347fa956b}]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57506:TCP"=-
"57506:UDP"=-

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

**bjorning** · 2009-01-22, 20:38

cmbfx:

ComboFix 09-01-21.04 - JJ 2009-01-22 11:20:55.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.290 [GMT -8:00]
Running from: c:\documents and settings\JJ.HOME\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\JJ.HOME\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\ordzblzj
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\ordzblzj
c:\windows\system32\cprbybxy.dll
c:\windows\system32\qfhkbbqw.ini
c:\windows\system32\qWadfMoq.ini
c:\windows\system32\qWadfMoq.ini2
c:\windows\system32\wqbbkhfq.dll
c:\windows\system32\yyleqo.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ORDZBLZJ
-------\Service_ordzblzj

((((((((((((((((((((((((( Files Created from 2008-12-22 to 2009-01-22 )))))))))))))))))))))))))))))))
.

2009-01-22 11:27 . 2009-01-22 11:27 4 --a------ c:\windows\yqednvfi
2009-01-22 09:02 . 2009-01-22 09:03 25,088 --a------ c:\windows\SYSTEM32\DRIVERS\phqghume.sys
2009-01-22 08:28 . 2009-01-22 08:28 <DIR> d--hs---- C:\FOUND.006
2009-01-20 19:02 . 2009-01-20 19:02 <DIR> d--hs---- C:\FOUND.005
2009-01-15 11:08 . 2009-01-15 11:08 <DIR> d--hs---- C:\FOUND.004
2009-01-14 00:14 . 2009-01-13 22:18 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2009-01-13 23:59 . 2009-01-13 23:59 <DIR> d-------- c:\program files\Trend Micro
2009-01-13 23:21 . 2009-01-13 23:21 25,088 --a------ c:\windows\SYSTEM32\DRIVERS\emvpjnpi.sys
2009-01-13 11:35 . 2009-01-13 11:35 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-12 11:00 . 2009-01-12 11:00 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\Avg
2009-01-12 11:00 . 2009-01-12 11:00 <DIR> d-------- c:\documents and settings\JJ.HOME\Application Data\AVGTOOLBAR
2009-01-12 11:00 . 2009-01-12 11:00 97,928 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys
2009-01-12 11:00 . 2009-01-12 11:00 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
2009-01-12 10:59 . 2009-01-12 10:59 <DIR> d-------- c:\program files\AVG
2009-01-12 10:59 . 2009-01-12 10:59 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2009-01-12 01:02 . 2009-01-12 01:02 <DIR> d-------- c:\program files\2K Games
2009-01-12 00:46 . 2009-01-12 00:46 <DIR> d--hs---- C:\FOUND.003
2009-01-03 17:28 . 2009-01-03 17:28 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-12-30 00:02 . 2008-12-30 00:02 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-22 00:18 33,688 ----a-w c:\documents and settings\JJ.HOME\Application Data\GDIPFONTCACHEV1.DAT
2008-12-14 00:16 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-13 06:40 3,593,216 ------w c:\windows\SYSTEM32\dllcache\mshtml.dll
2008-12-05 06:25 --------- d-----w c:\program files\Common Files\AOL
2008-12-05 06:25 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Viewpoint
2008-12-05 06:25 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\AOL OCP
2008-12-05 06:25 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\AOL
2008-12-04 05:29 --------- d-----w c:\program files\desktopsites
2008-12-04 02:42 --------- d-----w c:\program files\Logitech
2008-10-24 11:21 455,296 ------w c:\windows\SYSTEM32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\SYSTEM32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\SYSTEM32\dllcache\gdi32.dll
2007-11-13 23:49 32 ----a-r c:\documents and settings\All Users\hash.dat
2000-06-21 00:37 271 --sh--w c:\program files\desktop.ini
2000-06-21 00:37 23,357 ---h--w c:\program files\folder.htt
2008-09-11 01:34 32,768 --sha-w c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091020080911\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-18_13.19.11.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-09 23:24:38 17,593,280 ----a-w c:\windows\SYSTEM32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\SYSTEM32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Hawking Wireless Utility.lnk - c:\program files\Hawking\HWU8DD\HWU8DD.exe [2007-12-03 479232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mpng"= c:\program files\t@b\0.952\686\tabdec.dll
"vidc.mvjp"= c:\program files\t@b\0.952\686\tabdec.dll
"vidc.444p"= c:\program files\t@b\0.952\686\tabdec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^JJ.HOME^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\JJ.HOME\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2009-01-12 10:59 1261336 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 17:12 15360 c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a------ 2008-09-22 01:27 133104 c:\documents and settings\JJ.HOME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gStart]
--a------ 2007-08-23 05:58 1891416 c:\garmin\gStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2008-08-14 17:11 565008 c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2008-08-14 17:15 2407184 c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\RAPIMGR.EXE"= c:\program files\Microsoft ActiveSync\RAPIMGR.EXE:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"c:\\Documents and Settings\\JJ.HOME\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\JJ.HOME\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2009-01-12 97928]
R3 ZD1211U(Hawking);Hawking Hi-Gain Wireless-G USB Dish Adapter(Hawking);c:\windows\SYSTEM32\DRIVERS\ZD1211U.sys [2007-12-03 278016]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-12 231704]
S0 aylnlfdx;aylnlfdx;c:\windows\SYSTEM32\DRIVERS\phqghume.sys [2009-01-22 25088]
S0 yqednvfi;yqednvfi;c:\windows\SYSTEM32\DRIVERS\kmqslcac.sys []
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\SYSTEM32\DRIVERS\BRGSp50.sys [2007-11-29 20608]
S3 IrCOMM2k;Virtueller Infrarot-Kommunikationsanschluß;c:\windows\system32\DRIVERS\ircomm2k.sys --> c:\windows\system32\DRIVERS\ircomm2k.sys [?]
S3 qcmdmxp;HTC Proprietary USB Driver (PID 0B03);c:\windows\SYSTEM32\DRIVERS\qcmdmxp.sys [2008-06-28 92800]
S3 qcserxp;HTC Diagnostic Port (PID 0B03);c:\windows\SYSTEM32\DRIVERS\qcserxp.sys [2008-06-28 92800]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1220945662-682003330-1004.job
- c:\documents and settings\JJ.HOME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-22 01:27]
.
- - - - ORPHANS REMOVED - - - -

BHO-{d4e185f8-5cd7-4697-a605-17e282f6ee17} - c:\windows\system32\yyleqo.dll
BHO-{FD794143-FCB0-4314-8AE0-C6703736F5DB} - c:\windows\system32\qoMfdaWq.dll

.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - d:\progra~1\office\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {E5B89B1F-4589-4957-BF8D-311D34136041} - hxxp://remotegoat.openmeadow.org/konect/appdata/AxKonectReg.cab
FF - ProfilePath - c:\documents and settings\JJ.HOME\Application Data\Mozilla\Firefox\Profiles\ntgrszwm.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 11:29:51
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\program files\AVG\AVG8\AVGWDSVC.EXE
c:\program files\COMMON FILES\LOGISHRD\LVCOMSER\LVCOMSER.EXE
c:\program files\COMMON FILES\LOGISHRD\LVMVFM\LVPRCSRV.EXE
c:\program files\AVG\AVG8\AVGRSX.EXE
c:\program files\COMMON FILES\LOGISHRD\LVCOMSER\LVCOMSER.EXE
c:\windows\SYSTEM32\WSCNTFY.EXE
.
**************************************************************************
.
Completion time: 2009-01-22 11:34:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-22 19:34:46
ComboFix3.txt 2009-01-18 21:21:58
ComboFix2.txt 2009-01-22 17:03:26

Pre-Run: 6,686,867,456 bytes free
Post-Run: 6,673,367,040 bytes free

194 --- E O F --- 2008-12-18 08:43:06

**bjorning** · 2009-01-22, 20:41

I also uninstalled some non- s&d protective-ware

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:44 AM, on 1/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Hawking Wireless Utility.lnk = C:\Program Files\Hawking\HWU8DD\HWU8DD.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\office\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1196799009453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1196799000187
O16 - DPF: {E5B89B1F-4589-4957-BF8D-311D34136041} (AxKonectReg Control) - http://remotegoat.openmeadow.org/kon...xKonectReg.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 5481 bytes

**Shaba** · 2009-01-22, 20:43

Open notepad and copy/paste the text in the codebox below into it:

Code:

File::
c:\windows\yqednvfi
c:\windows\SYSTEM32\DRIVERS\phqghume.sys

Driver::
yqednvfi
aylnlfdx

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

**bjorning** · 2009-01-22, 21:07

ComboFix 09-01-21.04 - JJ 2009-01-22 11:55:05.4 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.289 [GMT -8:00]
Running from: c:\documents and settings\JJ.HOME\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\JJ.HOME\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\SYSTEM32\DRIVERS\phqghume.sys
c:\windows\yqednvfi
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SYSTEM32\DRIVERS\phqghume.sys
c:\windows\yqednvfi

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_YQEDNVFI
-------\Service_aylnlfdx
-------\Service_yqednvfi

((((((((((((((((((((((((( Files Created from 2008-12-22 to 2009-01-22 )))))))))))))))))))))))))))))))
.

2009-01-22 09:02 . 2009-01-22 09:02 25,088 --a------ c:\windows\SYSTEM32\DRIVERS\kmqslcac.sys
2009-01-22 08:28 . 2009-01-22 08:28 <DIR> d--hs---- C:\FOUND.006
2009-01-20 19:02 . 2009-01-20 19:02 <DIR> d--hs---- C:\FOUND.005
2009-01-15 11:08 . 2009-01-15 11:08 <DIR> d--hs---- C:\FOUND.004
2009-01-14 00:14 . 2009-01-13 22:18 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2009-01-13 23:59 . 2009-01-13 23:59 <DIR> d-------- c:\program files\Trend Micro
2009-01-13 23:21 . 2009-01-13 23:21 25,088 --a------ c:\windows\SYSTEM32\DRIVERS\emvpjnpi.sys
2009-01-13 11:35 . 2009-01-13 11:35 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-12 11:00 . 2009-01-12 11:00 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\Avg
2009-01-12 11:00 . 2009-01-12 11:00 <DIR> d-------- c:\documents and settings\JJ.HOME\Application Data\AVGTOOLBAR
2009-01-12 11:00 . 2009-01-12 11:00 97,928 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys
2009-01-12 11:00 . 2009-01-12 11:00 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
2009-01-12 10:59 . 2009-01-12 10:59 <DIR> d-------- c:\program files\AVG
2009-01-12 10:59 . 2009-01-12 10:59 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2009-01-12 01:02 . 2009-01-12 01:02 <DIR> d-------- c:\program files\2K Games
2009-01-12 00:46 . 2009-01-12 00:46 <DIR> d--hs---- C:\FOUND.003
2009-01-03 17:28 . 2009-01-03 17:28 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-12-30 00:02 . 2008-12-30 00:02 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-22 00:18 33,688 ----a-w c:\documents and settings\JJ.HOME\Application Data\GDIPFONTCACHEV1.DAT
2008-12-14 00:16 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-13 06:40 3,593,216 ------w c:\windows\SYSTEM32\dllcache\mshtml.dll
2008-12-05 06:25 --------- d-----w c:\program files\Common Files\AOL
2008-12-05 06:25 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Viewpoint
2008-12-05 06:25 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\AOL OCP
2008-12-05 06:25 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\AOL
2008-12-04 05:29 --------- d-----w c:\program files\desktopsites
2008-12-04 02:42 --------- d-----w c:\program files\Logitech
2008-10-24 11:21 455,296 ------w c:\windows\SYSTEM32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\SYSTEM32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\SYSTEM32\dllcache\gdi32.dll
2007-11-13 23:49 32 ----a-r c:\documents and settings\All Users\hash.dat
2000-06-21 00:37 271 --sh--w c:\program files\desktop.ini
2000-06-21 00:37 23,357 ---h--w c:\program files\folder.htt
2008-09-11 01:34 32,768 --sha-w c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091020080911\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-18_13.19.11.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-09 23:24:38 17,593,280 ----a-w c:\windows\SYSTEM32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\SYSTEM32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Hawking Wireless Utility.lnk - c:\program files\Hawking\HWU8DD\HWU8DD.exe [2007-12-03 479232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mpng"= c:\program files\t@b\0.952\686\tabdec.dll
"vidc.mvjp"= c:\program files\t@b\0.952\686\tabdec.dll
"vidc.444p"= c:\program files\t@b\0.952\686\tabdec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^JJ.HOME^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\JJ.HOME\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2009-01-12 10:59 1261336 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 17:12 15360 c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a------ 2008-09-22 01:27 133104 c:\documents and settings\JJ.HOME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gStart]
--a------ 2007-08-23 05:58 1891416 c:\garmin\gStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2008-08-14 17:11 565008 c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2008-08-14 17:15 2407184 c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\RAPIMGR.EXE"= c:\program files\Microsoft ActiveSync\RAPIMGR.EXE:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"c:\\Documents and Settings\\JJ.HOME\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\JJ.HOME\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2009-01-12 97928]
R3 ZD1211U(Hawking);Hawking Hi-Gain Wireless-G USB Dish Adapter(Hawking);c:\windows\SYSTEM32\DRIVERS\ZD1211U.sys [2007-12-03 278016]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-12 231704]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\SYSTEM32\DRIVERS\BRGSp50.sys [2007-11-29 20608]
S3 IrCOMM2k;Virtueller Infrarot-Kommunikationsanschluß;c:\windows\system32\DRIVERS\ircomm2k.sys --> c:\windows\system32\DRIVERS\ircomm2k.sys [?]
S3 qcmdmxp;HTC Proprietary USB Driver (PID 0B03);c:\windows\SYSTEM32\DRIVERS\qcmdmxp.sys [2008-06-28 92800]
S3 qcserxp;HTC Diagnostic Port (PID 0B03);c:\windows\SYSTEM32\DRIVERS\qcserxp.sys [2008-06-28 92800]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1220945662-682003330-1004.job
- c:\documents and settings\JJ.HOME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-22 01:27]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - d:\progra~1\office\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {E5B89B1F-4589-4957-BF8D-311D34136041} - hxxp://remotegoat.openmeadow.org/konect/appdata/AxKonectReg.cab
FF - ProfilePath - c:\documents and settings\JJ.HOME\Application Data\Mozilla\Firefox\Profiles\ntgrszwm.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 12:00:59
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\program files\AVG\AVG8\AVGWDSVC.EXE
c:\program files\COMMON FILES\LOGISHRD\LVCOMSER\LVCOMSER.EXE
c:\program files\COMMON FILES\LOGISHRD\LVMVFM\LVPRCSRV.EXE
c:\program files\AVG\AVG8\AVGRSX.EXE
c:\program files\COMMON FILES\LOGISHRD\LVCOMSER\LVCOMSER.EXE
c:\windows\SYSTEM32\WSCNTFY.EXE
.
**************************************************************************
.
Completion time: 2009-01-22 12:04:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-22 20:04:48
ComboFix4.txt 2009-01-18 21:21:58
ComboFix3.txt 2009-01-22 17:03:26
ComboFix2.txt 2009-01-22 19:34:54

Pre-Run: 6,628,343,808 bytes free
Post-Run: 6,609,305,600 bytes free

186 --- E O F --- 2008-12-18 08:43:06

**bjorning** · 2009-01-22, 21:09

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:55 PM, on 1/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hawking\HWU8DD\HWU8DD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Hawking Wireless Utility.lnk = C:\Program Files\Hawking\HWU8DD\HWU8DD.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\office\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1196799009453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1196799000187
O16 - DPF: {E5B89B1F-4589-4957-BF8D-311D34136041} (AxKonectReg Control) - http://remotegoat.openmeadow.org/kon...xKonectReg.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 5525 bytes

**Shaba** · 2009-01-22, 21:14

Still two bad drivers but not active anymore.

Open notepad and copy/paste the text in the codebox below into it:

Code:

File::
c:\windows\SYSTEM32\DRIVERS\kmqslcac.sys
c:\windows\SYSTEM32\DRIVERS\emvpjnpi.sys

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

**bjorning** · 2009-01-23, 05:31

ComboFix 09-01-21.04 - JJ 2009-01-22 20:24:18.5 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.296 [GMT -8:00]
Running from: c:\documents and settings\JJ.HOME\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\JJ.HOME\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\SYSTEM32\DRIVERS\emvpjnpi.sys
c:\windows\SYSTEM32\DRIVERS\kmqslcac.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SYSTEM32\DRIVERS\emvpjnpi.sys
c:\windows\SYSTEM32\DRIVERS\kmqslcac.sys

.
((((((((((((((((((((((((( Files Created from 2008-12-23 to 2009-01-23 )))))))))))))))))))))))))))))))
.

2009-01-22 08:28 . 2009-01-22 08:28 <DIR> d--hs---- C:\FOUND.006
2009-01-20 19:02 . 2009-01-20 19:02 <DIR> d--hs---- C:\FOUND.005
2009-01-15 11:08 . 2009-01-15 11:08 <DIR> d--hs---- C:\FOUND.004
2009-01-14 00:14 . 2009-01-13 22:18 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2009-01-13 23:59 . 2009-01-13 23:59 <DIR> d-------- c:\program files\Trend Micro
2009-01-13 11:35 . 2009-01-13 11:35 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-12 11:00 . 2009-01-12 11:00 <DIR> d-------- c:\windows\SYSTEM32\DRIVERS\Avg
2009-01-12 11:00 . 2009-01-12 11:00 <DIR> d-------- c:\documents and settings\JJ.HOME\Application Data\AVGTOOLBAR
2009-01-12 11:00 . 2009-01-12 11:00 97,928 --a------ c:\windows\SYSTEM32\DRIVERS\avgldx86.sys
2009-01-12 11:00 . 2009-01-12 11:00 10,520 --a------ c:\windows\SYSTEM32\avgrsstx.dll
2009-01-12 10:59 . 2009-01-12 10:59 <DIR> d-------- c:\program files\AVG
2009-01-12 10:59 . 2009-01-12 10:59 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2009-01-12 01:02 . 2009-01-12 01:02 <DIR> d-------- c:\program files\2K Games
2009-01-12 00:46 . 2009-01-12 00:46 <DIR> d--hs---- C:\FOUND.003
2009-01-03 17:28 . 2009-01-03 17:28 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-12-30 00:02 . 2008-12-30 00:02 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-22 00:18 33,688 ----a-w c:\documents and settings\JJ.HOME\Application Data\GDIPFONTCACHEV1.DAT
2008-12-14 00:16 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-13 06:40 3,593,216 ------w c:\windows\SYSTEM32\dllcache\mshtml.dll
2008-12-05 06:25 --------- d-----w c:\program files\Common Files\AOL
2008-12-05 06:25 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Viewpoint
2008-12-05 06:25 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\AOL OCP
2008-12-05 06:25 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\AOL
2008-12-04 05:29 --------- d-----w c:\program files\desktopsites
2008-12-04 02:42 --------- d-----w c:\program files\Logitech
2008-10-24 11:21 455,296 ------w c:\windows\SYSTEM32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\SYSTEM32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\SYSTEM32\dllcache\gdi32.dll
2007-11-13 23:49 32 ----a-r c:\documents and settings\All Users\hash.dat
2000-06-21 00:37 271 --sh--w c:\program files\desktop.ini
2000-06-21 00:37 23,357 ---h--w c:\program files\folder.htt
2008-09-11 01:34 32,768 --sha-w c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091020080911\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-18_13.19.11.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-09 23:24:38 17,593,280 ----a-w c:\windows\SYSTEM32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\SYSTEM32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Hawking Wireless Utility.lnk - c:\program files\Hawking\HWU8DD\HWU8DD.exe [2007-12-03 479232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mpng"= c:\program files\t@b\0.952\686\tabdec.dll
"vidc.mvjp"= c:\program files\t@b\0.952\686\tabdec.dll
"vidc.444p"= c:\program files\t@b\0.952\686\tabdec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^JJ.HOME^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\JJ.HOME\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2009-01-12 10:59 1261336 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 17:12 15360 c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a------ 2008-09-22 01:27 133104 c:\documents and settings\JJ.HOME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gStart]
--a------ 2007-08-23 05:58 1891416 c:\garmin\gStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2008-08-14 17:11 565008 c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2008-08-14 17:15 2407184 c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\RAPIMGR.EXE"= c:\program files\Microsoft ActiveSync\RAPIMGR.EXE:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"c:\\Documents and Settings\\JJ.HOME\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\JJ.HOME\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2009-01-12 97928]
R3 ZD1211U(Hawking);Hawking Hi-Gain Wireless-G USB Dish Adapter(Hawking);c:\windows\SYSTEM32\DRIVERS\ZD1211U.sys [2007-12-03 278016]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-12 231704]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\SYSTEM32\DRIVERS\BRGSp50.sys [2007-11-29 20608]
S3 IrCOMM2k;Virtueller Infrarot-Kommunikationsanschluß;c:\windows\system32\DRIVERS\ircomm2k.sys --> c:\windows\system32\DRIVERS\ircomm2k.sys [?]
S3 qcmdmxp;HTC Proprietary USB Driver (PID 0B03);c:\windows\SYSTEM32\DRIVERS\qcmdmxp.sys [2008-06-28 92800]
S3 qcserxp;HTC Diagnostic Port (PID 0B03);c:\windows\SYSTEM32\DRIVERS\qcserxp.sys [2008-06-28 92800]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1220945662-682003330-1004.job
- c:\documents and settings\JJ.HOME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-22 01:27]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - d:\progra~1\office\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {E5B89B1F-4589-4957-BF8D-311D34136041} - hxxp://remotegoat.openmeadow.org/konect/appdata/AxKonectReg.cab
FF - ProfilePath - c:\documents and settings\JJ.HOME\Application Data\Mozilla\Firefox\Profiles\ntgrszwm.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 20:27:50
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-22 20:30:00
ComboFix-quarantined-files.txt 2009-01-23 04:29:58
ComboFix4.txt 2009-01-22 17:03:26
ComboFix3.txt 2009-01-22 19:34:54
ComboFix5.txt 2009-01-23 04:23:08
ComboFix2.txt 2009-01-22 20:04:58

Pre-Run: 6,564,544,512 bytes free
Post-Run: 6,546,325,504 bytes free

167 --- E O F --- 2008-12-18 08:43:06

Thread: virtumonde and smit on bjorning's

Thread Tools

Display

Posting Permissions