
Thread: Virtumonde help requested

  1. #1 Junior Member (Join Date: Mar 2009, Posts: 8)

    Virtumonde help requested

    I ran a few different spyware cleaners and was able to detect and delete this but it keeps coming back. The latest thing happening is my installation of Spybot locks up while trying to scan.

    I disabled TeaTimer and made a registry backup with the ERUNT program.

    Below I have pasted the contents of the HJT 2.02 log.


    Thank you very much in advance for any help.



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:23:24 AM, on 3/26/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
    C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
    C:\WINDOWS\system32\SgLogPlayer.exe
    C:\WINDOWS\System32\TPHDEXLG.exe
    C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe
    C:\Program Files\Utimaco\SafeGuard Easy\FIPSMon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by DC
    O2 - BHO: (no name) - {21974ae3-db0a-4424-98d4-e4cf21c54791} - C:\WINDOWS\system32\rekuheyo.dll (file missing)
    O2 - BHO: {f12ea061-9f46-0548-b424-f7bd157e3edb} - {bde3e751-db7f-424b-8450-64f9160ae21f} - C:\WINDOWS\system32\omwkyg.dll
    O4 - HKLM\..\Run: [SgeEcView] C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe
    O4 - HKLM\..\Run: [FIPSMON] "C:\Program Files\Utimaco\SafeGuard Easy\FIPSMon.exe" /SYSTRAY
    O4 - HKLM\..\Run: [ritiliwuvu] Rundll32.exe "C:\WINDOWS\system32\guromome.dll",s
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
    O4 - S-1-5-18 Startup: DefaultNewUser.lnk = C:\WINDOWS\DefaultNewUser.bat (User 'SYSTEM')
    O4 - .DEFAULT Startup: DefaultNewUser.lnk = C:\WINDOWS\DefaultNewUser.bat (User 'Default user')
    O4 - .DEFAULT User Startup: DefaultNewUser.lnk = C:\WINDOWS\DefaultNewUser.bat (User 'Default user')
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1221685647879
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JS...ws-i586-jc.cab
    O16 - DPF: {e79bc654-8fc6-4bb9-bfb8-8860779ae213} (Oracle JInitiator 1.1.8.24) -
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corporate.DC.com
    O17 - HKLM\Software\..\Telephony: DomainName = corporate.DC.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corporate.DC.com
    O20 - AppInit_DLLs: fillcb.dll C:\WINDOWS\system32\wumugaka.dll itxsug.dll qraumh.dll omwkyg.dll c:\windows\system32\hilozepi.dll
    O20 - Winlogon Notify: NotLog - C:\WINDOWS\SYSTEM32\SGLogEx.dll
    O20 - Winlogon Notify: SGLogNotification - C:\WINDOWS\SYSTEM32\SGLogNotification.dll
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hilozepi.dll (file missing)
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hilozepi.dll (file missing)
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
    O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
    O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: SafeGuard Easy Client (SgeClient) - Unknown owner - C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
    O23 - Service: SafeGuard Easy Control (SgeCtl) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
    O23 - Service: SafeGuard SGLOG Player (SgLogPlayer) - Utimaco Safeware AG - C:\WINDOWS\system32\SgLogPlayer.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
    O23 - Service: SafeGuard Easy Workstation Server (WksCfgSrv) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe

    --
    End of file - 8030 bytes
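The HijackThis log above is what the helper in this thread reads by eye. As an added example (not part of the thread, and not code from HijackThis or ComboFix), the Python below parses a handful of lines copied from that log and flags the entry types that a reviewer looks at first: autostarts whose file is already missing, BHOs with no name or living in system32, Run keys that load a system32 DLL through rundll32, a non-empty AppInit_DLLs list, and O21/O22 shell extensions pointing into system32. The sample lines and the heuristics are constructed for illustration; legitimate software also uses rundll32 and system32, so the output is a list of entries to investigate, not a deletion list.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {21974ae3-db0a-4424-98d4-e4cf21c54791} - C:\WINDOWS\system32\rekuheyo.dll (file missing)
O2 - BHO: {f12ea061-9f46-0548-b424-f7bd157e3edb} - {bde3e751-db7f-424b-8450-64f9160ae21f} - C:\WINDOWS\system32\omwkyg.dll
O4 - HKLM\..\Run: [SgeEcView] C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe
O4 - HKLM\..\Run: [ritiliwuvu] Rundll32.exe "C:\WINDOWS\system32\guromome.dll",s
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O20 - AppInit_DLLs: fillcb.dll C:\WINDOWS\system32\wumugaka.dll itxsug.dll qraumh.dll omwkyg.dll c:\windows\system32\hilozepi.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hilozepi.dll (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
"""

# "R0 - ..." / "O4 - ..." : section tag, then the entry body.
SECTION_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Absolute Windows path ending in .dll/.exe; stops at quotes and commas so
# 'Rundll32.exe "C:\...\x.dll",s' yields only the DLL path.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:dll|exe)', re.IGNORECASE)
FILE_MISSING = "(file missing)"


@dataclass
class Finding:
    section: str
    reasons: tuple
    line: str


def _in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def triage_line(line: str):
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    lower = body.lower()
    paths = PATH_RE.findall(body)
    reasons = []
    if FILE_MISSING in lower:
        reasons.append("autostart points at a file that is no longer on disk")
    if section == "O2":
        if "(no name)" in lower:
            reasons.append("BHO registered without a name")
        if any(_in_system32(p) for p in paths):
            reasons.append("BHO loads from system32 rather than a vendor folder")
    if section == "O4" and "rundll32" in lower and any(_in_system32(p) for p in paths):
        reasons.append("Run key loads a system32 DLL through rundll32")
    if section == "O20" and lower.startswith("appinit_dlls:"):
        dlls = body.split(":", 1)[1].split()
        if dlls:  # the value is empty on a clean XP install
            reasons.append(f"AppInit_DLLs injects {len(dlls)} DLL(s) into every process")
    if section in ("O21", "O22") and any(_in_system32(p) for p in paths):
        reasons.append(f"{section} shell extension loads a DLL from system32")
    if not reasons:
        return None
    return Finding(section, tuple(reasons), line.strip())


def triage(log_text: str) -> list:
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in (triage_line(raw) for raw in log_text.splitlines()) if f]


def flagged_paths(findings) -> list:
    """Unique system32 files referenced by flagged entries (lower-cased, sorted)."""
    paths = set()
    for f in findings:
        for p in PATH_RE.findall(f.line):
            if _in_system32(p):
                paths.add(p.lower())
    return sorted(paths)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.section}] {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
    print("\nFiles to investigate:")
    for p in flagged_paths(found):
        print("   ", p)
```

On the sample, five of the eight entries are flagged and five system32 DLLs come out of `flagged_paths`; the SafeGuard, Spybot and McAfee entries pass untouched. A real log would be read in from the HijackThis .log file and the result compared against the tool's later ComboFix output, as the helper does by hand in this thread.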

  2. #2 Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 29,374)

    Hi Jibit

    Is this a personal computer?
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3 Junior Member (Join Date: Mar 2009, Posts: 8)

    Thank you for your response Shaba.
    Yes, this is my personal computer but I do have some company software loaded so that I can connect from home and do paperwork.

    Thanks again for your help.

  4. #4 Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 29,374)

    Thank you for the information.

    We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

  5. #5 Junior Member (Join Date: Mar 2009, Posts: 8)

    Thank you again Shaba.

    I had a really hard time disabling McAfee. I ended up stopping the McAfee services and deleting the McAfee program folder, then removing the registry entries. The HJT log did not see any McAfee running, but I still received the error from ComboFix that it was running.

    Below are the Combofix and HJT logs.

    ComboFix 09-03-26.03 - Dirk 2009-03-27 17:49:13.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3016.2651 [GMT -5:00]
    Running from: c:\documents and settings\Dirk\Desktop\ComboFix.exe
    AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\windows\system32\funedebe.dll
    c:\windows\system32\iniwonug.ini
    c:\windows\system32\omwkyg.dll
    c:\windows\system32\wotuzapi.dll
    c:\windows\system32\zakisohi.dll

    ----- BITS: Possible infected sites -----

    hxxp://dus.partnerpage.com
    .
    ((((((((((((((((((((((((( Files Created from 2009-02-27 to 2009-03-27 )))))))))))))))))))))))))))))))
    .

    2009-03-27 17:53 . 2009-03-27 17:53 53,248 --a------ c:\temp\catchme.dll
    2009-03-27 13:46 . 2009-03-27 13:46 <DIR> d-------- c:\temp\smkits
    2009-03-26 14:03 . 2009-03-26 14:14 <DIR> d-------- c:\temp\plugtmp-11
    2009-03-26 10:22 . 2009-03-26 10:22 <DIR> d-------- c:\program files\Trend Micro
    2009-03-26 10:21 . 2009-03-26 10:22 <DIR> d-------- c:\program files\ERUNT
    2009-03-25 14:06 . 2009-03-26 10:19 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-03-25 14:06 . 2009-03-26 10:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-03-25 07:56 . 2009-03-25 14:20 <DIR> d-------- c:\temp\is-UJ8SN.tmp
    2009-03-22 17:40 . 2009-03-22 17:40 <DIR> d-------- c:\documents and settings\Dirk\Application Data\Malwarebytes
    2009-03-20 13:23 . 2009-03-20 13:23 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-03-20 13:23 . 2009-03-20 13:23 <DIR> d-------- c:\documents and settings\hoed\Application Data\Malwarebytes
    2009-03-20 13:23 . 2009-03-20 13:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-03-20 13:23 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-20 13:23 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-03-20 13:01 . 2009-03-20 13:01 <DIR> d-------- C:\VundoFix Backups
    2009-03-20 08:46 . 2009-03-27 17:13 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
    2009-03-20 08:23 . 2009-03-20 08:23 <DIR> d--hs---- c:\temp\Temporary Internet Files
    2009-03-20 08:23 . 2009-03-20 08:23 <DIR> d--hs---- c:\temp\History
    2009-03-20 08:23 . 2009-03-27 17:52 <DIR> d--hs---- c:\temp\Cookies
    2009-03-20 07:21 . 2008-09-29 15:48 <DIR> d-------- c:\documents and settings\Dirk\WINDOWS
    2009-03-20 07:21 . 2009-03-20 07:21 <DIR> d-------- c:\documents and settings\Dirk\Bluetooth Software
    2009-03-20 07:21 . 2008-05-05 22:10 <DIR> d-------- c:\documents and settings\Dirk\Application Data\Symantec
    2009-03-20 07:21 . 2008-05-05 22:08 <DIR> d-------- c:\documents and settings\Dirk\Application Data\Sonic
    2009-03-20 07:21 . 2008-09-29 17:05 <DIR> d-------- c:\documents and settings\Dirk\Application Data\InterVideo
    2009-03-20 07:21 . 2009-03-24 07:23 <DIR> d-------- c:\documents and settings\Dirk
    2009-03-16 13:06 . 2009-03-16 13:06 <DIR> d-------- c:\program files\Microsoft Silverlight
    2009-03-16 13:03 . 2009-03-25 14:20 <DIR> d-------- c:\temp\AxPlayer
    2009-03-16 13:02 . 2009-03-16 13:02 <DIR> d-------- c:\program files\Netflix
    2009-03-13 14:08 . 2009-03-13 14:08 <DIR> d-------- c:\temp\plugtmp-10
    2009-03-12 07:14 . 2009-03-13 07:15 <DIR> d-------- c:\temp\~nsu.tmp
    2009-03-03 08:06 . 2009-01-09 14:19 1,089,593 --------- c:\windows\system32\dllcache\ntprint.cat
    2009-03-02 08:42 . 2009-03-02 09:13 <DIR> d-------- c:\temp\plugtmp-9
    2009-03-02 08:22 . 2009-03-02 08:22 <DIR> d-------- c:\temp\wrdc003c.~lk
    2009-03-02 08:21 . 2009-03-24 11:40 <DIR> d-------- c:\temp\IXP001.TMP
    2009-03-02 08:20 . 2009-03-24 11:40 <DIR> d-------- c:\temp\IXP000.TMP
    2009-03-02 08:14 . 2009-03-27 16:36 <DIR> d-------- C:\QUARANTINE
    2009-02-27 08:08 . 2009-02-27 08:08 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
    2009-02-27 08:08 . 2009-03-19 07:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
    2009-02-27 08:06 . 2009-02-27 08:06 <DIR> d-------- c:\program files\Rosetta Stone
    2009-02-27 08:06 . 2009-03-27 14:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Rosetta Stone

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-26 18:58 --------- d-----w c:\program files\Common Files\Roxio Shared
    2009-03-24 13:12 --------- d-----w c:\program files\Common Files\Apple
    2009-03-24 13:10 --------- d-----w c:\program files\Common Files\Adobe
    2009-02-23 18:04 --------- d-----w c:\program files\Reference Assemblies
    2009-02-23 18:04 --------- d-----w c:\program files\MSBuild
    2009-02-09 20:00 --------- d-----w c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
    2008-10-28 00:10 32,768 --sha-w c:\windows\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\UserData\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SgeEcView"="c:\program files\Utimaco\SafeGuard Easy\Ecview.exe" [2006-09-22 24576]
    "FIPSMON"="c:\program files\Utimaco\SafeGuard Easy\FIPSMon.exe" [2006-09-22 258048]
    "32a2a2af"="c:\windows\system32\gunowini.dll" [2009-03-27 79872]

    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    DefaultNewUser.lnk - c:\windows\DefaultNewUser.bat [2008-11-06 3459]

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    wordpad.lnk - c:\program files\Windows NT\Accessories\wordpad.exe [2003-02-20 214528]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "LogonType"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoMSAppLogo5ChannelNotify"= 1 (0x1)
    "NoWelcomeScreen"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "Btn_Edit"= 2 (0x2)
    "SpecifyDefaultButtons"= 1 (0x1)
    "Btn_Encoding"= 2 (0x2)
    "ForceClassicControlPanel"= 1 (0x1)
    "NoSMBalloonTip"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)
    "NoWelcomeScreen"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
    2006-09-06 16:37 34344 c:\program files\Lenovo\HOTKEY\notifyf2.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    2008-03-17 16:02 34080 c:\program files\Lenovo\HOTKEY\tphklock.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NotLog]
    2002-01-22 16:28 110592 c:\windows\system32\SGLogEx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SGLogNotification]
    2005-03-31 12:27 69632 c:\windows\system32\SGLogNotification.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=omwkyg.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
    backup=c:\windows\pss\Bluetooth.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Dirk^Start Menu^Programs^Startup^DefaultNewUser.lnk]
    path=c:\documents and settings\Dirk\Start Menu\Programs\Startup\DefaultNewUser.lnk
    backup=c:\windows\pss\DefaultNewUser.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EdWizard]
    --a------ 2006-09-22 17:01 245760 c:\program files\Utimaco\SafeGuard Easy\EDWizard.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FIPSMON]
    --a------ 2006-09-22 17:01 258048 c:\program files\Utimaco\SafeGuard Easy\FipsMon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    --a------ 2008-06-17 14:23 170520 c:\windows\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    --a------ 2008-06-17 14:24 150040 c:\windows\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
    --a------ 2008-06-17 14:24 141848 c:\windows\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-09-06 16:09 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SgeEcView]
    --a------ 2006-09-22 17:06 24576 c:\program files\Utimaco\SafeGuard Easy\ecview.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    --a------ 2008-07-03 16:10 1323008 c:\program files\Synaptics\SynTP\SynTPEnh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
    --a------ 2008-03-24 10:15 68464 c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TpShocks]
    --a------ 2008-06-06 19:21 181536 c:\windows\system32\TpShocks.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
    "c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
    "c:\\Program Files\\Cisco Systems\\VPN Client\\vpngui.exe"=
    "c:\\WINDOWS\\system32\\SgLogPlayer.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
    "<NO NAME>"=

    R0 AES-256;AES-256;c:\windows\system32\drivers\AES256.sys [2006-09-22 18464]
    R0 SgeFlt;SgeFlt;c:\windows\system32\drivers\SGEFLT.sys [2006-09-22 61819]
    R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2008-05-14 114728]
    R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-05-14 19496]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-10-28 243856]
    S0 xtad;xtad; [x]
    S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-11-06 475136]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-27 c:\windows\Tasks\User_Feed_Synchronization-{4992AE5E-0E48-4B48-988C-7E6013419CDA}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{21974ae3-db0a-4424-98d4-e4cf21c54791} - c:\windows\system32\rekuheyo.dll
    BHO-{bde3e751-db7f-424b-8450-64f9160ae21f} - c:\windows\system32\omwkyg.dll
    ShellIconOverlayIdentifiers-{ba930330-a721-11d3-a7b9-00500464ee16} - Sgedrse.Dll
    ShellIconOverlayIdentifiers-{2030D939-54A7-4fea-9B06-49EA77EFC87F} - Sgedrse.Dll
    HKLM-Run-ritiliwuvu - c:\windows\system32\guromome.dll
    HKLM-Run-CPM31919133 - c:\windows\system32\majiriho.dll
    Notify-AtiExtEvent - (no file)
    MSConfigStartUp-ritiliwuvu - c:\windows\system32\guromome.dll


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    DPF: {e79bc654-8fc6-4bb9-bfb8-8860779ae213}
    FF - ProfilePath - c:\documents and settings\Dirk\Application Data\Mozilla\Firefox\Profiles\vgtpgs9q.default\
    FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-27 17:53:00
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1236)
    c:\windows\system32\CSGina.dll
    c:\windows\system32\SGGINA.DLL
    c:\windows\system32\SGEGINA.DLL
    c:\program files\Utimaco\SafeGuard Easy\CMFCAPI.DLL
    c:\program files\Utimaco\SafeGuard Easy\FLTAPI.dll
    c:\windows\system32\SGEGINATHK.DLL
    c:\program files\Utimaco\SafeGuard Easy\EcView.dll
    c:\program files\Utimaco\SafeGuard Easy\SgeUtil.dll
    c:\program files\Utimaco\SafeGuard Easy\SgUicl.dll
    c:\program files\Utimaco\SafeGuard Easy\CMessage.dll
    c:\program files\Utimaco\SafeGuard Easy\SgWin32.dll
    c:\program files\Utimaco\SafeGuard Easy\SCClass.dll
    c:\program files\Utimaco\SafeGuard Easy\SGUICLRES.DLL
    c:\program files\Utimaco\SafeGuard Easy\SGUICL.MSG
    c:\program files\Utimaco\SafeGuard Easy\SGE_ERR0409.DLL
    c:\program files\Utimaco\SafeGuard Easy\SGE_MSG0409.DLL
    c:\program files\Utimaco\SafeGuard Easy\encviewer.ocx
    c:\program files\Utimaco\SafeGuard Easy\sgea40.dll
    c:\program files\Utimaco\SafeGuard Easy\CfgApi.dll
    c:\program files\Utimaco\SafeGuard Easy\SGEDRV.dll
    c:\program files\Utimaco\SafeGuard Easy\SGE_INFO0409.DLL
    c:\program files\Lenovo\HOTKEY\tphklock.dll
    c:\program files\Utimaco\SafeGuard Easy\DComSec.dll
    c:\program files\Utimaco\SafeGuard Easy\SecClassFactoryPS.dll
    c:\program files\Utimaco\SafeGuard Easy\wkscfgsrvps.dll
    c:\windows\system32\GetUserSid.dll
    c:\windows\system32\LogMsgApp.Dll
    c:\windows\system32\LogData.dll
    c:\windows\system32\SGLogEx.dll
    c:\windows\system32\SGLogNotification.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ibmpmsvc.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\program files\Utimaco\SafeGuard Easy\SgeClient.exe
    c:\program files\Utimaco\SafeGuard Easy\SgeCtl.exe
    c:\windows\system32\SgLogPlayer.exe
    c:\windows\system32\TPHDEXLG.exe
    c:\program files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
    c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    c:\windows\system32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-27 17:54:07 - machine was rebooted [Dirk]
    ComboFix-quarantined-files.txt 2009-03-27 22:54:04

    Pre-Run: 130,374,221,824 bytes free
    Post-Run: 130,285,727,744 bytes free

    244 --- E O F --- 2009-03-03 18:00:39


    ------------------------------------------------------------
    Newest HJT log
    ------------------------------------------------------------
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:59:18 PM, on 3/27/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
    C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
    C:\WINDOWS\system32\SgLogPlayer.exe
    C:\WINDOWS\System32\TPHDEXLG.exe
    C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe
    C:\Program Files\Utimaco\SafeGuard Easy\FIPSMon.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\MsiExec.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O4 - HKLM\..\Run: [SgeEcView] C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe
    O4 - HKLM\..\Run: [FIPSMON] "C:\Program Files\Utimaco\SafeGuard Easy\FIPSMon.exe" /SYSTRAY
    O4 - HKLM\..\Run: [32a2a2af] rundll32.exe "C:\WINDOWS\system32\gunowini.dll",b
    O4 - S-1-5-18 Startup: DefaultNewUser.lnk = C:\WINDOWS\DefaultNewUser.bat (User 'SYSTEM')
    O4 - .DEFAULT Startup: DefaultNewUser.lnk = C:\WINDOWS\DefaultNewUser.bat (User 'Default user')
    O4 - .DEFAULT User Startup: DefaultNewUser.lnk = C:\WINDOWS\DefaultNewUser.bat (User 'Default user')
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1221685647879
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JS...ws-i586-jc.cab
    O16 - DPF: {e79bc654-8fc6-4bb9-bfb8-8860779ae213} (Oracle JInitiator 1.1.8.24) -
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corporate.DC.com
    O17 - HKLM\Software\..\Telephony: DomainName = corporate.DC.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corporate.DC.com
    O20 - AppInit_DLLs: omwkyg.dll
    O20 - Winlogon Notify: NotLog - C:\WINDOWS\SYSTEM32\SGLogEx.dll
    O20 - Winlogon Notify: SGLogNotification - C:\WINDOWS\SYSTEM32\SGLogNotification.dll
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
    O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
    O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: SafeGuard Easy Client (SgeClient) - Unknown owner - C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
    O23 - Service: SafeGuard Easy Control (SgeCtl) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
    O23 - Service: SafeGuard SGLOG Player (SgLogPlayer) - Utimaco Safeware AG - C:\WINDOWS\system32\SgLogPlayer.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
    O23 - Service: SafeGuard Easy Workstation Server (WksCfgSrv) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe

    --
    End of file - 6357 bytes

  6. #6
    Security Expert: Emeritus (Finland; joined Oct 2006; 29,374 posts)


    Open Notepad and copy/paste the text in the code box below into it:

    Code:
    File::
    c:\windows\system32\gunowini.dll
    
    Driver::
    xtad
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "32a2a2af"=-

    Save this as "CFScript".

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

    ComboFix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  7. #7
    Junior Member (joined Mar 2009; 8 posts)


    Thanks again. I have posted the new logs below.

    ComboFix 09-03-26.03 - Dirk 2009-03-28 12:34:03.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3016.2630 [GMT -5:00]
    Running from: c:\documents and settings\Dirk\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Dirk\Desktop\CFScript.txt
    AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)
    * Created a new restore point

    FILE ::
    c:\windows\system32\gunowini.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\gunowini.dll
    c:\windows\system32\iniwonug.ini

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_xtad


    ((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-28 )))))))))))))))))))))))))))))))
    .

    2009-03-28 12:38 . 2009-03-28 12:38 53,248 --a------ c:\temp\catchme.dll
    2009-03-27 13:46 . 2009-03-27 13:46 <DIR> d-------- c:\temp\smkits
    2009-03-26 14:03 . 2009-03-26 14:14 <DIR> d-------- c:\temp\plugtmp-11
    2009-03-26 10:22 . 2009-03-26 10:22 <DIR> d-------- c:\program files\Trend Micro
    2009-03-26 10:21 . 2009-03-26 10:22 <DIR> d-------- c:\program files\ERUNT
    2009-03-25 14:06 . 2009-03-26 10:19 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-03-25 14:06 . 2009-03-26 10:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-03-25 07:56 . 2009-03-25 14:20 <DIR> d-------- c:\temp\is-UJ8SN.tmp
    2009-03-22 17:40 . 2009-03-22 17:40 <DIR> d-------- c:\documents and settings\Dirk\Application Data\Malwarebytes
    2009-03-20 13:23 . 2009-03-20 13:23 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-03-20 13:23 . 2009-03-20 13:23 <DIR> d-------- c:\documents and settings\hoed\Application Data\Malwarebytes
    2009-03-20 13:23 . 2009-03-20 13:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-03-20 13:23 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-20 13:23 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-03-20 13:01 . 2009-03-20 13:01 <DIR> d-------- C:\VundoFix Backups
    2009-03-20 08:46 . 2009-03-27 17:13 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
    2009-03-20 08:23 . 2009-03-20 08:23 <DIR> d--hs---- c:\temp\Temporary Internet Files
    2009-03-20 08:23 . 2009-03-20 08:23 <DIR> d--hs---- c:\temp\History
    2009-03-20 08:23 . 2009-03-27 17:52 <DIR> d--hs---- c:\temp\Cookies
    2009-03-20 07:21 . 2008-09-29 15:48 <DIR> d-------- c:\documents and settings\Dirk\WINDOWS
    2009-03-20 07:21 . 2009-03-20 07:21 <DIR> d-------- c:\documents and settings\Dirk\Bluetooth Software
    2009-03-20 07:21 . 2008-05-05 22:10 <DIR> d-------- c:\documents and settings\Dirk\Application Data\Symantec
    2009-03-20 07:21 . 2008-05-05 22:08 <DIR> d-------- c:\documents and settings\Dirk\Application Data\Sonic
    2009-03-20 07:21 . 2008-09-29 17:05 <DIR> d-------- c:\documents and settings\Dirk\Application Data\InterVideo
    2009-03-20 07:21 . 2009-03-24 07:23 <DIR> d-------- c:\documents and settings\Dirk
    2009-03-16 13:06 . 2009-03-16 13:06 <DIR> d-------- c:\program files\Microsoft Silverlight
    2009-03-16 13:03 . 2009-03-25 14:20 <DIR> d-------- c:\temp\AxPlayer
    2009-03-16 13:02 . 2009-03-16 13:02 <DIR> d-------- c:\program files\Netflix
    2009-03-13 14:08 . 2009-03-13 14:08 <DIR> d-------- c:\temp\plugtmp-10
    2009-03-12 07:14 . 2009-03-13 07:15 <DIR> d-------- c:\temp\~nsu.tmp
    2009-03-03 08:06 . 2009-01-09 14:19 1,089,593 --------- c:\windows\system32\dllcache\ntprint.cat
    2009-03-02 08:42 . 2009-03-02 09:13 <DIR> d-------- c:\temp\plugtmp-9
    2009-03-02 08:22 . 2009-03-02 08:22 <DIR> d-------- c:\temp\wrdc003c.~lk
    2009-03-02 08:21 . 2009-03-24 11:40 <DIR> d-------- c:\temp\IXP001.TMP
    2009-03-02 08:20 . 2009-03-24 11:40 <DIR> d-------- c:\temp\IXP000.TMP
    2009-03-02 08:14 . 2009-03-27 16:36 <DIR> d-------- C:\QUARANTINE

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-27 19:43 --------- d-----w c:\documents and settings\All Users\Application Data\Rosetta Stone
    2009-03-26 18:58 --------- d-----w c:\program files\Common Files\Roxio Shared
    2009-03-24 13:12 --------- d-----w c:\program files\Common Files\Apple
    2009-03-24 13:10 --------- d-----w c:\program files\Common Files\Adobe
    2009-03-19 12:33 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
    2009-02-27 13:08 --------- d-----w c:\program files\Common Files\Macrovision Shared
    2009-02-27 13:06 --------- d-----w c:\program files\Rosetta Stone
    2009-02-23 18:04 --------- d-----w c:\program files\Reference Assemblies
    2009-02-23 18:04 --------- d-----w c:\program files\MSBuild
    2009-02-09 20:00 --------- d-----w c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
    2008-10-28 00:10 32,768 --sha-w c:\windows\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\UserData\index.dat
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-03-27_17.53.28.56 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2009-03-24 17:58:20 14,336 ----a-r c:\windows\Installer\{C7F3B40E-D70A-4E2C-B34B-E9023E564FBE}\IconTmpl.7277318F_1677_48E3_8D5C_3DB85D2A21BE.exe
    + 2009-03-27 22:59:10 14,336 ----a-r c:\windows\Installer\{C7F3B40E-D70A-4E2C-B34B-E9023E564FBE}\IconTmpl.7277318F_1677_48E3_8D5C_3DB85D2A21BE.exe
    - 2009-03-27 22:49:18 71,462 ----a-w c:\windows\system32\perfc009.dat
    + 2009-03-27 22:56:21 71,462 ----a-w c:\windows\system32\perfc009.dat
    - 2009-03-27 22:49:18 441,692 ----a-w c:\windows\system32\perfh009.dat
    + 2009-03-27 22:56:21 441,692 ----a-w c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SgeIconOvl]
    @="{ba930330-a721-11d3-a7b9-00500464ee16}"
    [HKEY_CLASSES_ROOT\CLSID\{ba930330-a721-11d3-a7b9-00500464ee16}]
    Sgedrse.Dll [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SgeIconOvl2]
    @="{2030D939-54A7-4fea-9B06-49EA77EFC87F}"
    [HKEY_CLASSES_ROOT\CLSID\{2030D939-54A7-4fea-9B06-49EA77EFC87F}]
    Sgedrse.Dll [BU]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SgeEcView"="c:\program files\Utimaco\SafeGuard Easy\Ecview.exe" [2006-09-22 24576]
    "FIPSMON"="c:\program files\Utimaco\SafeGuard Easy\FIPSMon.exe" [2006-09-22 258048]

    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    DefaultNewUser.lnk - c:\windows\DefaultNewUser.bat [2008-11-06 3459]

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    wordpad.lnk - c:\program files\Windows NT\Accessories\wordpad.exe [2003-02-20 214528]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "LogonType"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoMSAppLogo5ChannelNotify"= 1 (0x1)
    "NoWelcomeScreen"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "Btn_Edit"= 2 (0x2)
    "SpecifyDefaultButtons"= 1 (0x1)
    "Btn_Encoding"= 2 (0x2)
    "ForceClassicControlPanel"= 1 (0x1)
    "NoSMBalloonTip"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)
    "NoWelcomeScreen"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
    2006-09-06 16:37 34344 c:\program files\Lenovo\HOTKEY\notifyf2.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    2008-03-17 16:02 34080 c:\program files\Lenovo\HOTKEY\tphklock.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NotLog]
    2002-01-22 16:28 110592 c:\windows\system32\SGLogEx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SGLogNotification]
    2005-03-31 12:27 69632 c:\windows\system32\SGLogNotification.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=omwkyg.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
    backup=c:\windows\pss\Bluetooth.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Dirk^Start Menu^Programs^Startup^DefaultNewUser.lnk]
    path=c:\documents and settings\Dirk\Start Menu\Programs\Startup\DefaultNewUser.lnk
    backup=c:\windows\pss\DefaultNewUser.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EdWizard]
    --a------ 2006-09-22 17:01 245760 c:\program files\Utimaco\SafeGuard Easy\EDWizard.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FIPSMON]
    --a------ 2006-09-22 17:01 258048 c:\program files\Utimaco\SafeGuard Easy\FipsMon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    --a------ 2008-06-17 14:23 170520 c:\windows\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    --a------ 2008-06-17 14:24 150040 c:\windows\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
    --a------ 2008-06-17 14:24 141848 c:\windows\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-09-06 16:09 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SgeEcView]
    --a------ 2006-09-22 17:06 24576 c:\program files\Utimaco\SafeGuard Easy\ecview.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    --a------ 2008-07-03 16:10 1323008 c:\program files\Synaptics\SynTP\SynTPEnh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
    --a------ 2008-03-24 10:15 68464 c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TpShocks]
    --a------ 2008-06-06 19:21 181536 c:\windows\system32\TpShocks.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
    "c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
    "c:\\Program Files\\Cisco Systems\\VPN Client\\vpngui.exe"=
    "c:\\WINDOWS\\system32\\SgLogPlayer.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
    "<NO NAME>"=

    R0 AES-256;AES-256;c:\windows\system32\drivers\AES256.sys [2006-09-22 18464]
    R0 SgeFlt;SgeFlt;c:\windows\system32\drivers\SGEFLT.sys [2006-09-22 61819]
    R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2008-05-14 114728]
    R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-05-14 19496]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-10-28 243856]
    S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-11-06 475136]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-28 c:\windows\Tasks\User_Feed_Synchronization-{4992AE5E-0E48-4B48-988C-7E6013419CDA}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    DPF: {e79bc654-8fc6-4bb9-bfb8-8860779ae213}
    FF - ProfilePath - c:\documents and settings\Dirk\Application Data\Mozilla\Firefox\Profiles\vgtpgs9q.default\
    FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-28 12:38:01
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1236)
    c:\windows\system32\CSGina.dll
    c:\windows\system32\SGGINA.DLL
    c:\windows\system32\SGEGINA.DLL
    c:\program files\Utimaco\SafeGuard Easy\CMFCAPI.DLL
    c:\program files\Utimaco\SafeGuard Easy\FLTAPI.dll
    c:\windows\system32\SGEGINATHK.DLL
    c:\program files\Utimaco\SafeGuard Easy\EcView.dll
    c:\program files\Utimaco\SafeGuard Easy\SgeUtil.dll
    c:\program files\Utimaco\SafeGuard Easy\SgUicl.dll
    c:\program files\Utimaco\SafeGuard Easy\CMessage.dll
    c:\program files\Utimaco\SafeGuard Easy\SgWin32.dll
    c:\program files\Utimaco\SafeGuard Easy\SCClass.dll
    c:\program files\Utimaco\SafeGuard Easy\SGUICLRES.DLL
    c:\program files\Utimaco\SafeGuard Easy\SGUICL.MSG
    c:\program files\Utimaco\SafeGuard Easy\SGE_ERR0409.DLL
    c:\program files\Utimaco\SafeGuard Easy\SGE_MSG0409.DLL
    c:\program files\Utimaco\SafeGuard Easy\encviewer.ocx
    c:\program files\Utimaco\SafeGuard Easy\sgea40.dll
    c:\program files\Utimaco\SafeGuard Easy\CfgApi.dll
    c:\program files\Utimaco\SafeGuard Easy\SGEDRV.dll
    c:\program files\Utimaco\SafeGuard Easy\SGE_INFO0409.DLL
    c:\program files\Lenovo\HOTKEY\tphklock.dll
    c:\program files\Utimaco\SafeGuard Easy\DComSec.dll
    c:\program files\Utimaco\SafeGuard Easy\SecClassFactoryPS.dll
    c:\program files\Utimaco\SafeGuard Easy\wkscfgsrvps.dll
    c:\windows\system32\GetUserSid.dll
    c:\windows\system32\LogMsgApp.Dll
    c:\windows\system32\LogData.dll
    c:\windows\system32\SGLogEx.dll
    c:\windows\system32\SGLogNotification.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ibmpmsvc.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\program files\Utimaco\SafeGuard Easy\SgeClient.exe
    c:\program files\Utimaco\SafeGuard Easy\SgeCtl.exe
    c:\windows\system32\SgLogPlayer.exe
    c:\windows\system32\TPHDEXLG.exe
    c:\program files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
    c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-28 12:39:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-28 17:39:03
    ComboFix2.txt 2009-03-27 22:54:07

    Pre-Run: 130,292,641,792 bytes free
    Post-Run: 130,277,425,152 bytes free

    249 --- E O F --- 2009-03-03 18:00:39


    ------------------------------------------------------------
    Newest HJT log
    ------------------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:42:00 PM, on 3/28/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
    C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
    C:\WINDOWS\system32\SgLogPlayer.exe
    C:\WINDOWS\System32\TPHDEXLG.exe
    C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe
    C:\Program Files\Utimaco\SafeGuard Easy\FIPSMon.exe
    C:\WINDOWS\system32\userinit.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O4 - HKLM\..\Run: [SgeEcView] C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe
    O4 - HKLM\..\Run: [FIPSMON] "C:\Program Files\Utimaco\SafeGuard Easy\FIPSMon.exe" /SYSTRAY
    O4 - S-1-5-18 Startup: DefaultNewUser.lnk = C:\WINDOWS\DefaultNewUser.bat (User 'SYSTEM')
    O4 - .DEFAULT Startup: DefaultNewUser.lnk = C:\WINDOWS\DefaultNewUser.bat (User 'Default user')
    O4 - .DEFAULT User Startup: DefaultNewUser.lnk = C:\WINDOWS\DefaultNewUser.bat (User 'Default user')
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1221685647879
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JS...ws-i586-jc.cab
    O16 - DPF: {e79bc654-8fc6-4bb9-bfb8-8860779ae213} (Oracle JInitiator 1.1.8.24) -
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corporate.DC.com
    O17 - HKLM\Software\..\Telephony: DomainName = corporate.DC.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corporate.DC.com
    O20 - AppInit_DLLs: omwkyg.dll
    O20 - Winlogon Notify: NotLog - C:\WINDOWS\SYSTEM32\SGLogEx.dll
    O20 - Winlogon Notify: SGLogNotification - C:\WINDOWS\SYSTEM32\SGLogNotification.dll
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
    O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
    O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: SafeGuard Easy Client (SgeClient) - Unknown owner - C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
    O23 - Service: SafeGuard Easy Control (SgeCtl) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
    O23 - Service: SafeGuard SGLOG Player (SgLogPlayer) - Utimaco Safeware AG - C:\WINDOWS\system32\SgLogPlayer.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
    O23 - Service: SafeGuard Easy Workstation Server (WksCfgSrv) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe

    --
    End of file - 6211 bytes

  8. #8
    Security Expert: Emeritus (Finland; joined Oct 2006; 29,374 posts)


    Please go to Kaspersky website and perform an online antivirus scan.

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select ''Run as administrator'' to perform this scan.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    9. Please post this log in your next reply along with a fresh HijackThis log.


    If you need a tutorial, see here.

  9. #9
    Junior Member (joined Mar 2009; 8 posts)


    Thanks again. I have pasted the results below with the newest HJT log.

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Saturday, March 28, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Saturday, March 28, 2009 17:59:24
    Records in database: 1981585
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\

    Scan statistics:
    Files scanned: 69350
    Threat name: 0
    Infected objects: 0
    Suspicious objects: 0
    Duration of the scan: 00:38:15

    No malware has been detected. The scan area is clean.

    The selected area was scanned.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:23:01 PM, on 3/28/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
    C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
    C:\WINDOWS\system32\SgLogPlayer.exe
    C:\WINDOWS\System32\TPHDEXLG.exe
    C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe
    C:\Program Files\Utimaco\SafeGuard Easy\FIPSMon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O4 - HKLM\..\Run: [SgeEcView] C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe
    O4 - HKLM\..\Run: [FIPSMON] "C:\Program Files\Utimaco\SafeGuard Easy\FIPSMon.exe" /SYSTRAY
    O4 - S-1-5-18 Startup: DefaultNewUser.lnk = C:\WINDOWS\DefaultNewUser.bat (User 'SYSTEM')
    O4 - .DEFAULT Startup: DefaultNewUser.lnk = C:\WINDOWS\DefaultNewUser.bat (User 'Default user')
    O4 - .DEFAULT User Startup: DefaultNewUser.lnk = C:\WINDOWS\DefaultNewUser.bat (User 'Default user')
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1221685647879
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JS...ws-i586-jc.cab
    O16 - DPF: {e79bc654-8fc6-4bb9-bfb8-8860779ae213} (Oracle JInitiator 1.1.8.24) -
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corporate.DC.com
    O17 - HKLM\Software\..\Telephony: DomainName = corporate.DC.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corporate.DC.com
    O20 - AppInit_DLLs: omwkyg.dll
    O20 - Winlogon Notify: NotLog - C:\WINDOWS\SYSTEM32\SGLogEx.dll
    O20 - Winlogon Notify: SGLogNotification - C:\WINDOWS\SYSTEM32\SGLogNotification.dll
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
    O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
    O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: SafeGuard Easy Client (SgeClient) - Unknown owner - C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
    O23 - Service: SafeGuard Easy Control (SgeCtl) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
    O23 - Service: SafeGuard SGLOG Player (SgLogPlayer) - Utimaco Safeware AG - C:\WINDOWS\system32\SgLogPlayer.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
    O23 - Service: SafeGuard Easy Workstation Server (WksCfgSrv) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe

    --
    End of file - 6221 bytes

  10. #10
    Security Expert: Emeritus (Finland; joined Oct 2006; 29,374 posts)


    That looks good.

    Please reinstall McAfee and fix these entries:

    O16 - DPF: {e79bc654-8fc6-4bb9-bfb8-8860779ae213} (Oracle JInitiator 1.1.8.24) -
    O20 - AppInit_DLLs: omwkyg.dll

    Reboot, post back a fresh HijackThis log, and tell me if you have any issues left.
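The two entries the helper singles out in the post above (the populated AppInit_DLLs value and the JInitiator DPF entry with no download URL), together with the McAfee processes that appear in the first HijackThis log but are missing from both later ones, are exactly what a small script can pull out of a pair of logs. The following is an added example written for this page; it is not code posted in the thread and not part of HijackThis or ComboFix. The two log excerpts are constructed from lines quoted in this thread and are deliberately incomplete, and the three flagging rules (any non-empty AppInit_DLLs, a DPF line ending in a bare dash, a service with "Unknown owner") are this example's own assumptions about what deserves a second look, not rules from the tools.

```python
"""Triage HijackThis 2.0.2 logs: flag persistence entries worth a second look and
diff the 'Running processes' list between a before-cleanup and an after-cleanup log.
Added example for this thread; the flagging rules below are assumptions."""
import re
from dataclasses import dataclass, field

# Constructed excerpts (not complete logs) built from lines quoted in this thread.
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\Explorer.EXE

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1221685647879
O16 - DPF: {e79bc654-8fc6-4bb9-bfb8-8860779ae213} (Oracle JInitiator 1.1.8.24) -
O20 - AppInit_DLLs: omwkyg.dll
O20 - Winlogon Notify: NotLog - C:\WINDOWS\SYSTEM32\SGLogEx.dll
O23 - Service: SafeGuard Easy Client (SgeClient) - Unknown owner - C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
"""

LOG_AFTER = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1221685647879
O16 - DPF: {e79bc654-8fc6-4bb9-bfb8-8860779ae213} (Oracle JInitiator 1.1.8.24) -
O20 - AppInit_DLLs: omwkyg.dll
"""

# HJT entry lines look like "O20 - AppInit_DLLs: omwkyg.dll" or "R0 - HKCU\...".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


@dataclass
class HjtLog:
    processes: set = field(default_factory=set)   # lower-cased full paths
    entries: list = field(default_factory=list)   # (code, body) pairs


def parse_hjt(text: str) -> HjtLog:
    """Pull the running-process block and the R/F/N/O entries out of a log."""
    log = HjtLog()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # a blank line ends the process block
                in_procs = False
            else:
                log.processes.add(line.lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            log.entries.append((m.group(1), m.group(2)))
    return log


def flag_entries(log: HjtLog) -> list:
    """Return (reason, line) pairs for entries a cleaner would want to act on."""
    findings = []
    for code, body in log.entries:
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            # Any non-empty AppInit_DLLs value is loaded into every process that
            # links user32.dll, so a populated value is treated as suspicious.
            if body.split(":", 1)[1].strip():
                findings.append(("AppInit_DLLs is populated", body))
        elif code == "O16" and body.startswith("DPF:") and body.endswith("-"):
            # "DPF: {CLSID} (Name) - URL" with nothing after the dash: the
            # control has no download source left and the entry can be removed.
            findings.append(("ActiveX (DPF) entry without a download URL", body))
        elif code == "O23" and " - Unknown owner - " in body:
            # HJT could not read a vendor name from the binary; confirm it on disk.
            findings.append(("service binary has no readable vendor name", body))
    return findings


def diff_processes(before: HjtLog, after: HjtLog) -> dict:
    """Processes that disappeared or appeared between the two logs."""
    return {
        "gone": sorted(before.processes - after.processes),
        "new": sorted(after.processes - before.processes),
    }


if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    for reason, line in flag_entries(after):
        print(f"[flag] {reason}: {line}")
    for key, paths in diff_processes(before, after).items():
        for path in paths:
            print(f"[{key}] {path}")
```

Run against the two excerpts, the "gone" list is the three McAfee binaries, which is the observation behind "Please reinstall McAfee" above, and the AppInit_DLLs and JInitiator lines are flagged in both logs because ComboFix removed the DLL file but the registry value survived. The Winlogon Notify line is deliberately not flagged: legitimate vendors (here the SafeGuard Easy client) use that hook too, so it needs a vendor check rather than a blanket rule.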
