
Thread: VIRTUMONDE!!!! Yes, another person with this piece of poo

  1. #11
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103


    Hi Pedromic

    If you have a previous version of Combofix.exe, delete it ....

    1 - Scan With ComboFix

    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    How to Temporarily Disable Anti-virus

    Please include the C:\ComboFix.txt in your next reply for further review.

    Please reply with

    the ComboFix log (C:\ComboFix.txt)

    Thanks peku006
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  2. #12
    Junior Member
    Join Date
    Dec 2007
    Posts
    16


    Cheers

    ComboFix 09-03-15.01 - Mark 2009-03-18 18:37:51.5 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2787 [GMT 0:00]
    Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
    AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)
    FW: ESET Personal firewall *disabled*
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\himesuvo.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_seneka


    ((((((((((((((((((((((((( Files Created from 2009-02-18 to 2009-03-18 )))))))))))))))))))))))))))))))
    .

    2009-03-13 08:17 . 2009-03-13 08:17 <DIR> d-------- C:\_OTMoveIt
    2009-03-13 08:09 . 2009-03-13 08:13 <DIR> d-------- C:\fixwareout
    2009-03-13 06:44 . 2009-03-13 06:45 <DIR> d-------- C:\rsit
    2009-03-11 20:13 . 2009-03-11 20:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-03-11 20:13 . 2009-03-11 20:13 <DIR> d-------- c:\documents and settings\Mark\Application Data\Malwarebytes
    2009-03-11 20:13 . 2009-03-11 20:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-03-11 20:13 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-11 20:13 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-03-10 21:11 . 2009-03-10 22:19 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\~0
    2009-02-21 12:16 . 2009-02-21 12:16 552 --a------ c:\windows\system32\d3d8caps.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-18 07:19 --------- d-----w c:\documents and settings\Mark\Application Data\uTorrent
    2009-03-17 20:06 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
    2009-03-10 22:19 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
    2009-03-06 20:36 --------- d-----w c:\documents and settings\Mark\Application Data\Vso
    2009-02-24 20:53 --------- d-----w c:\program files\Spybot - Search & Destroy
    2009-02-17 16:39 --------- d-----w c:\program files\VstPlugins
    2009-02-16 20:15 --------- d-----w c:\program files\Common Files\reFX
    2009-02-16 20:15 --------- d-----w c:\program files\Common Files\Digidesign
    2009-01-24 11:10 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-01-22 19:07 --------- d-----w c:\program files\Java
    2008-06-03 20:04 13 ---h--w c:\documents and settings\All Users\Application Data\ÝÃÄΛÒ3113›.sys
    2008-03-08 13:36 47,360 ----a-w c:\documents and settings\Mark\Application Data\pcouffin.sys
    2007-12-28 12:23 22,328 ----a-w c:\documents and settings\Mark\Application Data\PnkBstrK.sys
    2007-08-28 06:13 7 ----a-w c:\documents and settings\Mark\license.bin
    2007-07-23 18:21 8 ----a-w c:\program files\VData.ndb
    2006-09-06 16:23 71 ----a-w c:\program files\Read Me.txt
    2006-01-26 15:13 28,672 ----a-w c:\documents and settings\Mark\LicenceWM.exe
    2005-10-30 19:51 176 ----a-w c:\program files\Latest Downloads.html
    2008-09-28 10:00 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092820080929\index.dat
    .

    ((((((((((((((((((((((((((((( SnapShot_2009-03-10_ 9.34.15.76 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2009-01-04 09:25:14 16,384 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2009-03-11 20:07:03 16,384 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2009-01-04 09:25:14 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2009-03-11 20:07:03 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2009-03-11 20:07:03 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2009-03-10 09:15:53 60,828 ----a-w c:\windows\system32\perfc009.dat
    + 2009-03-18 17:30:27 60,828 ----a-w c:\windows\system32\perfc009.dat
    - 2009-03-10 09:15:53 400,794 ----a-w c:\windows\system32\perfh009.dat
    + 2009-03-18 17:30:27 400,794 ----a-w c:\windows\system32\perfh009.dat
    + 2009-03-18 18:43:33 16,384 ----atw c:\windows\TEMP\Perflib_Perfdata_5cc.dat
    + 2009-03-18 18:43:14 16,384 ----atw c:\windows\TEMP\Perflib_Perfdata_a8.dat
    + 2008-07-29 08:05:06 161,784 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
    + 2008-07-29 03:54:08 225,280 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
    + 2008-07-29 08:05:08 572,928 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
    + 2008-07-29 08:05:08 655,872 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
    + 2008-07-29 03:54:12 312,832 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcm90d.dll
    + 2008-07-29 08:05:08 875,520 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcp90d.dll
    + 2008-07-29 08:05:08 1,180,672 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcr90d.dll
    + 2008-07-29 08:05:12 5,937,144 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfc90d.dll
    + 2008-07-29 08:05:12 5,982,720 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfc90ud.dll
    + 2008-07-29 06:07:42 80,896 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfcm90d.dll
    + 2008-07-29 06:07:42 80,896 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfcm90ud.dll
    + 2008-07-29 08:05:08 3,768,312 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
    + 2008-07-29 08:05:10 3,783,672 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
    + 2008-07-29 06:07:42 59,904 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
    + 2008-07-29 06:07:42 59,904 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
    + 2008-07-29 08:05:06 38,912 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
    + 2008-07-29 08:05:06 39,936 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
    + 2008-07-29 08:05:08 66,560 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
    + 2008-07-29 08:05:08 56,832 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
    + 2008-07-29 08:05:06 65,024 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
    + 2008-07-29 08:05:08 65,024 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
    + 2008-07-29 08:05:06 66,048 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
    + 2008-07-29 08:05:08 64,512 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
    + 2008-07-29 08:05:08 46,592 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
    + 2008-07-29 08:05:08 46,080 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
    + 2008-07-29 08:05:08 62,976 ----a-w c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
    "PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1382400]
    "AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-02-24 203928]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Gainward"="c:\program files\XpertVision\TBPanel.exe" [2006-08-02 2146304]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2007-04-19 271936]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
    "H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2007-12-11 307200]
    "NSLauncher"="c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-09-07 3100672]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "LogonStudio"="c:\program files\Stardock\Object Desktop\LogonStudio\logonstudio.exe" [2002-09-03 987187]
    "BootSkin Startup Jobs"="c:\program files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 270336]
    "SysMetrix"="c:\program files\Stardock\Object Desktop\SysMetrix\SysMetrix.exe" [2006-02-25 2637824]
    "egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-02-20 1443072]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-22 136600]
    "RTHDCPL"="RTHDCPL.EXE" [2006-05-18 c:\windows\RTHDCPL.exe]
    "SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
    "nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "KeyScrambler"="c:\program files\KeyScrambler\getting_started.html" [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost"="c:\windows\system32\logonui.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
    2008-03-29 16:29 229376 c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.clmp3enc"= c:\progra~1\CYBERL~1\MP3POW~1\CLMP3Enc.ACM
    "vidc.hfyu"= huffyuv.dll
    "msacm.divxa32"= DivXa32.acm
    "msacm.l3codec"= l3codecp.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "sdCoreService"=2 (0x2)
    "sp_rssrv"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\WINDOWS\\system32\\dwwin.exe"=
    "c:\\WINDOWS\\RTHDCPL.exe"=
    "c:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe"=
    "c:\\Program Files\\WinRAR\\WinRAR.exe"=

    R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2008-02-20 472320]
    R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2007-08-18 33792]
    R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2007-06-04 113896]
    S0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys --> \SystemRoot\\SystemRoot\System32\drivers\vidstub.sys [?]
    S3 FileObjInfo;STFileDriver;\??\c:\documents and settings\All Users\Application Data\Spyware Terminator\FileObjInfo.sys --> c:\documents and settings\All Users\Application Data\Spyware Terminator\FileObjInfo.sys [?]
    S3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [2004-04-19 6656]
    S3 ntportio;ntportio;\??\c:\docume~1\Mark\LOCALS~1\Temp\Rar$EX05.704\Sony ericsson\USB-Smart SEMC Tool v8.4 cracked\ntportio.sys --> c:\docume~1\Mark\LOCALS~1\Temp\Rar$EX05.704\Sony ericsson\USB-Smart SEMC Tool v8.4 cracked\ntportio.sys [?]
    S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\drivers\s125bus.sys [2007-10-04 83336]
    S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\system32\drivers\s125mdfl.sys [2007-10-04 15112]
    S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\system32\drivers\s125mdm.sys [2007-10-04 108680]
    S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s125mgmt.sys [2007-10-04 100488]
    S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\system32\drivers\s125obex.sys [2007-10-04 98696]
    S3 TESTCAP;Mobicam, Video Capture Device;c:\windows\system32\drivers\mobicam.sys [2007-06-14 230144]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{969B3B70-8765-11D5-9809-0050BACBF861}]
    rundll32.exe advpack.dll,LaunchINFSection c:\program files\CyberLink\MP3PowerEncoder\Cyber.inf,PerUserStub
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.tiscali.co.uk/whsmith
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mStart Page = hxxp://www.tiscali.co.uk/whsmith
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    TCP: {3626A7E7-2929-4A32-832C-484C03506AB7} = 193.36.79.100,193.36.79.101
    FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\dlqkydxd.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT707481&SearchSource=3&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ei=utf-8&fr=megaup&p=
    FF - component: c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\dlqkydxd.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
    FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
    FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-18 18:44:08
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-839522115-362288127-2146875587-1004\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-839522115-362288127-2146875587-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
    @Denied: (Full) (LocalSystem)

    [HKEY_USERS\S-1-5-21-839522115-362288127-2146875587-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{209C3574-FE51-9A07-3908-E7C8397584A1}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "iaogpnnpblnadakdfa"=hex:6a,61,64,69,6d,6e,69,61,68,6b,6a,6f,67,61,67,6d,6a,62,
    62,6c,00,00
    "haiffjakebogafdj"=hex:6a,61,62,69,6b,63,6b,61,6d,65,67,63,6a,69,6c,6f,6d,6b,
    6d,6f,00,00
    "abcgpknkbgpikjgoknhdihjkohdhhpabhj"=hex:61,61,00,00
    "mabgoljkmgeioodabedenagkcd"=hex:61,61,00,00

    [HKEY_USERS\S-1-5-21-839522115-362288127-2146875587-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4D823A6B-AFD1-F676-8BA8-0203307B03BE}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "iahjpjkgpkikgpdknl"=hex:6b,61,63,63,63,6a,64,67,67,61,6d,65,64,65,6d,62,62,6b,
    64,6e,65,63,00,02
    "hajkjkplicooafoi"=hex:6b,61,63,63,63,6a,64,67,67,61,6d,65,64,65,6d,62,62,6b,
    64,6e,65,63,00,02

    [HKEY_USERS\S-1-5-21-839522115-362288127-2146875587-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{569719DA-E6F8-DB74-1470-90C6285FD13C}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "oakjbmnmgfncecmpgkhdmbilkpahim"=hex:6a,61,6c,6d,61,6e,64,70,65,61,67,63,64,6e,
    67,6a,6a,62,65,62,00,00
    "naeihffjdhnhngadacnpgddhbfof"=hex:6a,61,6b,6d,64,6e,64,62,69,6c,6e,70,6e,61,
    6a,6f,6e,68,67,62,00,00
    "abojjfadnpiakhljiadjcpbkjpdpihcblg"=hex:61,61,00,00
    "malkmhoilfinicbdcdihonacbo"=hex:61,61,00,00
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(932)
    c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    c:\windows\system32\rundll32.exe
    c:\program files\PC Connectivity Solution\ServiceLayer.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-18 18:49:26 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-18 18:49:24
    ComboFix2.txt 2009-03-10 20:24:23
    ComboFix3.txt 2009-03-10 09:35:48
    ComboFix4.txt 2009-01-04 10:23:35

    Pre-Run: 76,384,006,144 bytes free
    Post-Run: 76,484,104,192 bytes free

    Current=3 Default=3 Failed=2 LastKnownGood=1 Sets=1,2,3,4
    260 --- E O F --- 2009-02-27 18:02:21

  3. #13
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103


    Hi Pedromic
    Logs look good, but let's run one online scan to be sure:

    1 - F-Secure Online Scan

    1. Please go to F-Secure website to perform an online scan. Click on Start scanning at the bottom of the page.
    2. You may be prompted to install an ActiveX before you are able to accept the License Agreement. If prompted, please install it. After installing, the Accept button will be available.
    3. Click on Accept to accept the License Agreement.
    4. Click on Custom Scan.
      • Under Virus Scan Options, select the Scan whole system option.
      • Under Other Scan Options, select these options:
        • Scan all files
        • Scan whole system for rootkits
        • Scan whole system for spyware
        • Scan inside archives
        • Use advanced heuristics
    5. Click Start.
    6. It will start installing the scanner and virus definitions. Once the installation is done, it will start scanning automatically. This takes a while. Please be patient.
    7. Click on I want to decide item by item.
    8. Under Actions, select None for all infections found.
    9. Click Next.
    10. Click on Show Report.
    11. Please copy and paste this report in your next reply.
    12. Click Finish.


    2 - Run Hijackthis
    Click on the Do a system scan and save a logfile button. It will scan, and the log should open in Notepad.

    3 - Status Check
    Please reply with

    1. the F-Secure online scanner report
    2. a fresh HijackThis log

    Thanks peku006

  4. #14
    Junior Member
    Join Date
    Dec 2007
    Posts
    16


    Hi, here's my F-Secure report:

    Scanning Report
    Wednesday, March 18, 2009 21:50:53 - 07:07:50

    Computer name: MARK-640D4B1C0B
    Scanning type: Scan system for malware, rootkits
    Target: C:\
    Result: 3 malware found
    Smalltroj.gen25 (virus)

    * C:\PROGRAM FILES\STARDOCK\OBJECT DESKTOP\ICONPACKAGER\PATCH.EXE (Submitted)

    Vundo.FBW (virus)

    * C:\_OTMOVEIT\MOVEDFILES\03132009_081735\WINDOWS\SYSTEM32\ASOMAGIL.INI (Submitted)

    W32/Horst.gen33 (virus)

    * C:\PROGRAM FILES\ALCOHOL SOFT\ALCOHOL 120\STAR_SYN_CLIENT.DLL (Submitted)

    Statistics
    Scanned:

    * Files: 61343
    * System: 3695
    * Not scanned: 7

    Actions:

    * Disinfected: 0
    * Renamed: 0
    * Deleted: 0
    * None: 3
    * Submitted: 3

    Files not scanned:

    * C:\PAGEFILE.SYS
    * C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
    * C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
    * C:\WINDOWS\SYSTEM32\CONFIG\SAM
    * C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
    * C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
    * C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

    Options
    Scanning engines:

    * F-Secure USS: 3.0.0
    * F-Secure Hydra: 3.8.9080, 2009-03-18
    * F-Secure AVP: 7.0.171, 2009-03-18
    * F-Secure Pegasus: 1.20.0, 1970-00-01
    * F-Secure Blacklight: 0.0.0

    Scanning options:

    * Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
    * Use Advanced heuristics


    And HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 07:11:15, on 19/03/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\XpertVision\TBPanel.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
    C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Stardock\Object Desktop\SysMetrix\SysMetrix.exe
    C:\Program Files\ESET\ESET Smart Security\egui.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\system32\WISPTIS.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\DOCUME~1\Mark\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
    C:\DOCUME~1\Mark\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/whsmith
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/whsmith
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Gainward] "C:\Program Files\XpertVision\TBPanel.exe" /A
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
    O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\Stardock\Object Desktop\LogonStudio\logonstudio.exe" /RANDOM
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\Stardock\Object Desktop\SysMetrix\SysMetrix.exe
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1199138728812
    O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3626A7E7-2929-4A32-832C-484C03506AB7}: NameServer = 193.36.79.100,193.36.79.101
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    O24 - Desktop Component 0: (no name) - (no file)

    --
    End of file - 9111 bytes

  5. #15
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103


    Hi Pedromic
    Logs look good. How's the computer running now?

    Thanks peku006

  6. #16
    Emeritus- Security Expert peku006's Avatar
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103


    Due to inactivity, this thread will now be closed.

    Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

    If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
    Last edited by tashi; 2009-03-27 at 22:26. Reason: Thank you peku006
