
Thread: unable to remove virtumonde infection

  1. #1 - Junior Member (Join Date: May 2009, Posts: 13)

    unable to remove virtumonde infection

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:20:41 AM, on 5/11/2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Users\Mike\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Mike\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\SearchFilterHost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.2.50:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {8e0e651f-50c6-49ba-9f39-943b1cddbde1} - C:\Windows\system32\tadupele.dll (file missing)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: {69936232-80b2-5d0a-fef4-927ed56d538a} - {a835d65d-e729-4fef-a0d5-2b0823263996} - C:\Windows\system32\gngcje.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: (no name) - {bf58be34-47c6-4b8b-84e3-f401fae73864} - (no file)
    O2 - BHO: (no name) - {bfd12117-ea21-48c1-ae5f-ba3ead6e238e} - (no file)
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O2 - BHO: (no name) - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: (no name) - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - (no file)
    O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
    O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll
    O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: (no name) - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - (no file)
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [CPMb713b0db] Rundll32.exe "c:\windows\system32\lehevusa.dll",a
    O4 - HKLM\..\Run: [b4208347] rundll32.exe "C:\Windows\system32\yejedotu.dll",b
    O4 - HKLM\..\Run: [kigobekoha] Rundll32.exe "C:\Windows\system32\nuhakiko.dll",s
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Post Image to Blog - res://C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll/5003
    O8 - Extra context menu item: Tag This Image - res://C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll/5002
    O8 - Extra context menu item: Transload Image to ImageShack - res://C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll/5004
    O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll/5000
    O8 - Extra context menu item: Upload Image to ImageShack - res://C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll/5001
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar...ackToolbar.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: c:\windows\system32\pufivaha.dll c:\windows\system32\gakikedo.dll c:\windows\system32\lehevusa.dll,C:\Windows\system32\tadupele.dll
    O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lehevusa.dll (file missing)
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lehevusa.dll (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: dlbk_device - - C:\Windows\system32\dlbkcoms.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate1c9609551915fca) (gupdate1c9609551915fca) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 10097 bytes
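
The log above shows the classic Vundo/Virtumonde layout: randomly named DLLs in system32 registered as BHOs (O2), started through rundll32 with one-letter exports from HKLM\..\Run (O4), injected everywhere via AppInit_DLLs (O20) and hooked again as SSODL and SharedTaskScheduler entries (O21/O22), with lehevusa.dll alone appearing in four load points and several entries already "file missing". As an added example (not HijackThis code and not part of the posted log), here is a Python triage pass over those sections. Its sample input is a verbatim subset of the log; the heuristics for what counts as a machine-generated Run name, a rare load point, or a suspicious BHO are the example's own assumptions.

```python
"""Triage of HijackThis O2/O4/O20/O21/O22 lines for Vundo/Virtumonde-style autostarts.

Added example for this thread, not part of HijackThis or of the poster's log.
The heuristics below are assumptions of this example, not HijackThis logic.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample input: a subset of the posted HijackThis log, verbatim.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8e0e651f-50c6-49ba-9f39-943b1cddbde1} - C:\Windows\system32\tadupele.dll (file missing)
O2 - BHO: {69936232-80b2-5d0a-fef4-927ed56d538a} - {a835d65d-e729-4fef-a0d5-2b0823263996} - C:\Windows\system32\gngcje.dll
O2 - BHO: (no name) - {bf58be34-47c6-4b8b-84e3-f401fae73864} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CPMb713b0db] Rundll32.exe "c:\windows\system32\lehevusa.dll",a
O4 - HKLM\..\Run: [b4208347] rundll32.exe "C:\Windows\system32\yejedotu.dll",b
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: c:\windows\system32\pufivaha.dll c:\windows\system32\gakikedo.dll c:\windows\system32\lehevusa.dll,C:\Windows\system32\tadupele.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lehevusa.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lehevusa.dll (file missing)
"""

RE_DLL_PATH = re.compile(r'[A-Za-z]:\\[^",]*?\.dll\b', re.I)
RE_O2 = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$')
RE_O4 = re.compile(r'^O4 - .*?\[(?P<name>[^\]]+)\]\s+(?P<cmd>.*)$')
RE_RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\S+)', re.I)
RE_CLSID = re.compile(r'^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
RE_GENERATED = re.compile(r'^[A-Za-z]{0,3}[0-9A-Fa-f]{8,}$')  # CPMb713b0db, b4208347 (assumption)
RE_SYSTEM32 = re.compile(r'\\system32\\', re.I)


@dataclass
class Finding:
    section: str          # HijackThis section tag, e.g. 'O20'
    line: str             # the offending log line
    reasons: List[str] = field(default_factory=list)


def _section(line: str) -> str:
    """'O20 - AppInit_DLLs: ...' -> 'O20'."""
    return line.split(' - ', 1)[0]


def _check_bho(line: str, reasons: List[str]) -> None:
    m = RE_O2.match(line)
    if not m:
        return
    name, target = m.group('name'), m.group('target')
    if name == '(no name)':
        reasons.append('BHO has no display name')
    elif RE_CLSID.match(name):
        reasons.append('BHO display name is itself a CLSID')
    if target == '(no file)':
        reasons.append('orphaned BHO registration (no file on disk)')
    elif RE_SYSTEM32.search(target):
        reasons.append('BHO DLL lives under system32, unusual for legitimate add-ons')


def _check_run(line: str, reasons: List[str]) -> None:
    m = RE_O4.match(line)
    if not m:
        return
    if RE_GENERATED.match(m.group('name')):
        reasons.append('Run value name looks machine-generated (hex)')
    r = RE_RUNDLL.search(m.group('cmd'))
    if r and len(r.group('export')) <= 2:
        reasons.append('rundll32 invokes a one- or two-letter export "%s"' % r.group('export'))


def triage(log_text: str) -> List[Finding]:
    """One Finding per line that trips at least one heuristic; clean lines are dropped."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec, reasons = _section(line), []
        if RE_SYSTEM32.search(line) and '(file missing)' in line:
            reasons.append('autostart points at a missing DLL under system32')
        if sec == 'O2':
            _check_bho(line, reasons)
        elif sec == 'O4':
            _check_run(line, reasons)
        elif line.startswith('O20 - AppInit_DLLs:'):
            dlls = RE_DLL_PATH.findall(line)
            if dlls:
                reasons.append('AppInit_DLLs loads %d DLL(s) into every user-mode process' % len(dlls))
        elif sec in ('O21', 'O22') and RE_SYSTEM32.search(line):
            reasons.append('rare shell load point (SSODL/SharedTaskScheduler) backed by a system32 DLL')
        if reasons:
            findings.append(Finding(sec, line, reasons))
    return findings


def persistence_map(log_text: str, min_sections: int = 2) -> Dict[str, List[str]]:
    """DLL basename -> sorted section tags, for DLLs registered in >= min_sections load points."""
    seen: Dict[str, set] = defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            for path in RE_DLL_PATH.findall(line):
                seen[path.rsplit('\\', 1)[-1].lower()].add(_section(line))
    return {dll: sorted(tags) for dll, tags in seen.items() if len(tags) >= min_sections}


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f.section, f.reasons)
    print(persistence_map(SAMPLE_LOG))
```

Run against the sample, `triage` leaves the Adobe, Synaptics, AVG and WelcomeCenter lines alone and flags the eight Vundo entries, while `persistence_map` reports lehevusa.dll in O4, O20, O21 and O22 and tadupele.dll in O2 and O20. That cross-reference is the useful part: a DLL wired into several load points at once is what makes this family come back after a single entry is deleted, which is why the helper in the next post reaches for ComboFix rather than fixing lines with HijackThis.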

  2. #2 - Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 29,374)

    Hi spanio

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper


    http://www.bleepingcomputer.com/comb...o-use-combofix

    Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    If you need help to disable your protection programs, see here.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3 - Junior Member (Join Date: May 2009, Posts: 13)

    ComboFix 09-05-11.01 - Mike 05/11/2009 16:44.1 - NTFSx86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.893.442 [GMT -4:00]
    Running from: c:\users\Mike\Desktop\ComboFix.exe
    AV: AVG 7.5.557 *On-access scanning disabled* (Outdated)
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\betinuni.dll
    c:\windows\system32\config\systemprofile\reader_s.exe
    c:\windows\system32\dadeyisi.exe
    c:\windows\system32\fosuzopu.exe
    c:\windows\system32\garowori.exe
    c:\windows\system32\gngcje.dll
    c:\windows\system32\kulubibi.dll
    c:\windows\system32\lajogilo.dll
    c:\windows\system32\lenoruta.exe
    c:\windows\system32\lewiyidi.exe
    c:\windows\system32\paxjak.dll
    c:\windows\system32\rozodobu.dll
    c:\windows\system32\sagatazo.dll
    c:\windows\system32\sajuhidu.dll
    c:\windows\system32\sonewibu.dll
    c:\windows\system32\unxrbh.dll
    c:\windows\system32\utodejey.ini
    c:\windows\system32\vajoneyo.exe
    c:\windows\system32\wolupifa.dll
    c:\windows\system32\wzngcp.dll
    c:\windows\system32\xwrxlo.dll
    c:\windows\system32\zamimule.exe
    c:\windows\system32\zgbkxj.dll
    c:\windows\system32\zilolowa.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-04-11 to 2009-05-11 )))))))))))))))))))))))))))))))
    .

    2009-05-11 09:19 . 2009-05-11 09:19 -------- d-----w c:\program files\Trend Micro
    2009-05-11 09:18 . 2009-05-11 09:18 -------- d-----w c:\program files\ERUNT

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-07 02:56 . 2009-01-07 02:56 61440 --sha-w c:\windows\system32\majiriho.exe
    2009-04-04 08:33 . 2009-01-04 08:33 61440 --sha-w c:\windows\system32\notabage.exe
    2009-04-03 06:12 . 2009-01-03 06:12 61440 --sha-w c:\windows\system32\fumugatu.exe
    2009-04-02 15:50 . 2008-06-20 05:04 -------- d-----w c:\program files\Spybot - Search & Destroy
    2009-03-26 23:48 . 2009-03-26 23:46 -------- d-----w c:\program files\SpeedFan
    2009-03-15 06:29 . 1601-01-01 00:12 80896 ------w c:\windows\system32\mirekosa.dll
    2009-01-22 04:51 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
    2009-02-08 05:15 . 2007-07-23 05:22 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
    2009-02-08 05:15 . 2007-07-23 05:22 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
    2009-02-08 05:15 . 2007-07-23 05:22 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
    2009-02-08 05:15 . 2007-07-23 05:22 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
    2009-02-08 05:15 . 2007-07-23 05:22 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
    1999-07-07 00:00 . 1999-07-07 00:00 6 --sh--r c:\windows\@@desktop.dat
    2009-01-23 23:17 . 2009-01-23 23:17 2713 --sh--w c:\windows\System32\miriwoli.exe
    2007-01-29 19:33 . 2007-01-29 19:32 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-04 4363504]
    "Google Update"="c:\users\Mike\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-05 133104]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-20 815104]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-06-02 219136]

    c:\users\Mike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
    2008-06-02 07:53 9216 ----a-w c:\windows\System32\avgwlntf.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "TCP Query User{2F83DF1E-069E-48F8-879C-AF69022E57C7}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
    "UDP Query User{032A6FE5-9CA9-4CFC-8819-51035E2F2A7F}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
    "TCP Query User{4E9DC60F-C4F7-495B-B1BF-0C89496EF3FE}c:\\program files\\aim\\aim.exe"= UDP:c:\program files\aim\aim.exe:AOL Instant Messenger
    "UDP Query User{EAB3D6F7-E771-4657-8CBF-5FB14F32B673}c:\\program files\\aim\\aim.exe"= TCP:c:\program files\aim\aim.exe:AOL Instant Messenger
    "TCP Query User{939E854F-C899-4440-99DD-5093FF5F2BD3}c:\\program files\\azureus\\azureus.exe"= UDP:c:\program files\azureus\azureus.exe:Azureus
    "UDP Query User{26041BB9-91E2-4207-ADE1-89948567D9EE}c:\\program files\\azureus\\azureus.exe"= TCP:c:\program files\azureus\azureus.exe:Azureus
    "TCP Query User{79A359AC-EED6-4D52-9BC6-FB0FD57DE7BE}c:\\program files\\aim\\aim.exe"= UDP:c:\program files\aim\aim.exe:AOL Instant Messenger
    "UDP Query User{26323A85-9DEB-4E01-AC7B-32889723B096}c:\\program files\\aim\\aim.exe"= TCP:c:\program files\aim\aim.exe:AOL Instant Messenger
    "TCP Query User{B77EC035-7C60-4CB7-B044-C9FB45186E9F}c:\\program files\\azureus\\azureus.exe"= UDP:c:\program files\azureus\azureus.exe:Azureus
    "UDP Query User{7861C93D-DA86-458F-BDB5-67EFCFB63217}c:\\program files\\azureus\\azureus.exe"= TCP:c:\program files\azureus\azureus.exe:Azureus
    "{BEFB7768-2A2C-48EF-8720-B1E636FC30A1}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
    "{CADED88A-E1BD-4878-BC06-EF01ADF6C1BE}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
    "{5D7F5D3E-D243-4634-8F12-F90569599C4C}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
    "{0A54EFC6-765E-40D1-A9BF-E9FB046BC813}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
    "TCP Query User{6208F5B0-F239-4481-9B8E-B5E55E3F6AAC}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
    "UDP Query User{A3E1A6BB-348F-4471-977E-3AC967138FC0}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
    "TCP Query User{4647A8AF-2AC2-4427-8661-C2D1528A759E}c:\\program files\\aim\\aim pro\\aimpro.exe"= UDP:c:\program files\aim\aim pro\aimpro.exe:AIM Pro
    "UDP Query User{8616AC86-A2CA-4555-BAA0-7FF5937D2A64}c:\\program files\\aim\\aim pro\\aimpro.exe"= TCP:c:\program files\aim\aim pro\aimpro.exe:AIM Pro
    "{286D58B3-E80A-4023-BDFB-02518D42BAA5}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{7C33922E-67D6-49A1-AD2D-6C2524733C3A}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "TCP Query User{F73BC19F-635F-4530-B749-67E52FEADAE3}c:\\program files\\aim6\\aim6.exe"= UDP:c:\program files\aim6\aim6.exe:AIM
    "UDP Query User{90177B5C-7FEA-4547-B234-82C8DA0BE400}c:\\program files\\aim6\\aim6.exe"= TCP:c:\program files\aim6\aim6.exe:AIM
    "{414238EF-8DBD-48EC-A084-FBD35671A79B}"= UDP:c:\windows\System32\dlbkcoms.exe:Lexmark Communications System
    "{A5816B18-B711-42EF-9D10-1893B2853EE4}"= TCP:c:\windows\System32\dlbkcoms.exe:Lexmark Communications System
    "{31A4F0C2-B659-4914-AB1A-6D6EC9956A92}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\dlbkpswx.exe:Printer Status Window
    "{97459F78-998A-455E-85DD-27FCE939675E}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\dlbkpswx.exe:Printer Status Window
    "{BB7B98D3-AB01-4C2F-9664-B20F61779104}"= UDP:c:\program files\WiFiConnector\NintendoWFCReg.exe:Nintendo Wi-Fi USB Connector
    "{89F06687-F92E-4AA6-8223-8DB963096B17}"= TCP:c:\program files\WiFiConnector\NintendoWFCReg.exe:Nintendo Wi-Fi USB Connector
    "TCP Query User{6FC3B984-9D5F-49DE-905D-21F7565A49C6}c:\\program files\\yahoo!\\messenger\\yserver.exe"= UDP:c:\program files\yahoo!\messenger\yserver.exe:YServer Module
    "UDP Query User{6F4BFC76-8A47-488D-BC9B-198C4801B51A}c:\\program files\\yahoo!\\messenger\\yserver.exe"= TCP:c:\program files\yahoo!\messenger\yserver.exe:YServer Module
    "{1692E4A6-5310-4C03-8158-54B84EB2404C}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
    "{DE681A16-B0F5-4283-91D0-7038BA804953}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
    "{CC6E414D-2558-4471-863F-C41030960FA8}"= UDP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
    "{C899424F-082F-4541-8315-4E7075BF9978}"= TCP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
    "TCP Query User{9B771F83-0A31-462D-BFDB-1E76DE9296C5}c:\\program files\\aim6\\aim6.exe"= UDP:c:\program files\aim6\aim6.exe:AIM
    "UDP Query User{303542CC-0B37-4B9C-8143-948C90A09187}c:\\program files\\aim6\\aim6.exe"= TCP:c:\program files\aim6\aim6.exe:AIM
    "TCP Query User{E8709044-C54D-43D0-88D7-8000CCA54266}c:\\program files\\autodesk\\maya 8.5 personal learning edition\\bin\\maya.exe"= UDP:c:\program files\autodesk\maya 8.5 personal learning edition\bin\maya.exe:Maya
    "UDP Query User{D208E34D-314C-4C5A-9B63-13D192DB1DD9}c:\\program files\\autodesk\\maya 8.5 personal learning edition\\bin\\maya.exe"= TCP:c:\program files\autodesk\maya 8.5 personal learning edition\bin\maya.exe:Maya
    "{CEBD0295-6383-470E-ABE3-5389B5715DEA}"= Disabled:UDP:c:\program files\Skype\Phone\Skype.exe:Skype
    "{36004305-F1CB-4A12-9E57-C4467A13002A}"= Disabled:TCP:c:\program files\Skype\Phone\Skype.exe:Skype
    "{889574FE-492A-4DB8-B899-B7853F253EA0}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{AEB1BE09-646D-484E-868D-2442B8726432}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{BF5658F7-DEFC-4C4F-85E8-F542FD1DD552}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{373D6681-EA30-47E5-9499-1C0B1E1806D7}"= Disabled:UDP:c:\program files\Skype\Phone\Skype.exe:Skype
    "{C90EFAD2-BCD1-4A45-A490-E276F7ED06CD}"= TCP:c:\program files\Skype\Phone\Skype.exe:Skype
    "TCP Query User{FD893D64-4599-4843-82F7-921428013B68}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
    "UDP Query User{2DF63329-DCDF-49EC-827F-4448214FDD5B}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
    "TCP Query User{127C4B7A-FE05-4141-B651-0AF565E5F3C5}c:\\users\\mike\\desktop\\aoe2conq_bk\\age2_x1.exe"= UDP:c:\users\mike\desktop\aoe2conq_bk\age2_x1.exe:age2_x1.exe
    "UDP Query User{92E7D6D6-E3FA-4308-96BB-6F015094F520}c:\\users\\mike\\desktop\\aoe2conq_bk\\age2_x1.exe"= TCP:c:\users\mike\desktop\aoe2conq_bk\age2_x1.exe:age2_x1.exe
    "TCP Query User{B2B0770E-A0EA-4853-AC94-A6EA8CA76C9D}c:\\windows\\system32\\dplaysvr.exe"= UDP:c:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper
    "UDP Query User{F35BF26F-7724-4090-BA00-10CF0819E376}c:\\windows\\system32\\dplaysvr.exe"= TCP:c:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper
    "{823B299F-1030-4FD1-ACB0-D70C3E84AB25}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{9DF47B7F-52B3-4459-B15C-D1BDCD584DB6}"= c:\program files\Skype\Phone\Skype.exe:Skype
    "{1C9D16D3-EC20-4C72-B562-C3BF3B702AFF}"= c:\program files\Skype\Phone\Skype.exe:Skype
    "{2CE0D556-7147-4B42-A822-58D93AFD683D}"= UDP:c:\windows\explorer.exe:Explorer
    "{4A6653B2-3F2A-4A74-AB22-C9E81E8F8B29}"= TCP:c:\windows\explorer.exe:Explorer
    "{8A451943-7989-4A05-80E3-F2ADE7463FB0}"= UDP:c:\windows\System32\services.exe:services
    "{689EF1B9-A270-4D77-888F-122399D288C7}"= TCP:c:\windows\System32\services.exe:services
    "{3BA6760C-4FC8-44E3-A14E-B8B1362DCE31}"= UDP:c:\windows\System32\wermgr.exe:wermgr
    "{6448A302-06B5-4E79-A187-37C4B1604C31}"= TCP:c:\windows\System32\wermgr.exe:wermgr
    "{1507E88D-FCA6-46CD-B3CD-77CEC83C90B8}"= UDP:c:\windows\System32\lsass.exe:lsass
    "{0D6C5A5C-058B-44C1-BF56-98E59F6F6C86}"= TCP:c:\windows\System32\lsass.exe:lsass
    "{B98D37D1-1880-407B-86D0-B48AE9AD1D6E}"= UDP:c:\windows\System32\services.exe:services
    "{C17B53C8-D709-45AB-A590-9D025AF39AEB}"= TCP:c:\windows\System32\services.exe:services
    "{D0DB98B2-1CBA-41D6-A3B5-68F201DA5074}"= UDP:c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe:ymsgr_tray
    "{0347CBD4-4823-4B7E-9F71-E898D433CC9B}"= TCP:c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe:ymsgr_tray
    "{0058F56B-B4A2-4053-999F-E8EC67B61DB1}"= UDP:c:\windows\explorer.exe:Explorer
    "{F2741A2F-4123-4C4E-B330-CD955B5931FF}"= TCP:c:\windows\explorer.exe:Explorer
    "{B3995969-D339-46BB-8B11-01D2FB7E551B}"= UDP:c:\windows\System32\lsass.exe:lsass
    "{51AA1023-7A7B-469E-8CF4-6B4121D0BBAA}"= TCP:c:\windows\System32\lsass.exe:lsass
    "{E27DCF21-9623-4306-BF8A-F14BF3CBA586}"= UDP:c:\windows\System32\wininit.exe:wininit
    "{06B16006-ADF7-4E0F-8CB6-5D85F00C4630}"= TCP:c:\windows\System32\wininit.exe:wininit
    "{E42319A8-D5B7-4E18-B78A-3439D880DC1B}"= UDP:c:\windows\System32\winlogon.exe:winlogon
    "{C4124F14-AFE8-4A7C-9174-F143DF328A27}"= TCP:c:\windows\System32\winlogon.exe:winlogon

    R2 dlbk_device;dlbk_device;c:\windows\system32\dlbkcoms.exe -service --> c:\windows\system32\dlbkcoms.exe -service [?]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [6/20/2008 1:04 AM 1153368]
    S2 gupdate1c9609551915fca;Google Update Service (gupdate1c9609551915fca);c:\program files\Google\Update\GoogleUpdate.exe [12/17/2008 6:17 PM 133104]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    \shell\AutoRun\command - F:\InstallSeagateManager.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11c6171b-09fb-11dc-8252-0019b94de4e6}]
    \shell\AutoRun\command - G:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{296a93dc-7c3f-11dc-b353-0019b94de4e6}]
    \shell\AutoRun\command - G:\LaunchU3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31e03820-2221-11dc-ad3a-0019b94de4e6}]
    \shell\AutoRun\command - H:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f5ade0a-60f9-11dc-a46f-0019b94de4e6}]
    \shell\AutoRun\command - F:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf31b1c9-b994-11db-a038-0019b94de4e6}]
    \shell\AutoRun\command - F:\LaunchU3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d99b488a-8192-11dc-9f0b-0019b94de4e6}]
    \shell\AutoRun\command - G:\LaunchU3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5e07763-5936-11dd-8fe9-0019b94de4e6}]
    \shell\AutoRun\command - g:\.\RapidBlogManager.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{efd1a499-d3d6-11dd-87f3-0019b94de4e6}]
    \shell\AutoRun\command - F:\InstallTomTomHOME.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-05-11 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-13 21:14]

    2009-05-11 c:\windows\Tasks\GoogleUpdateTaskMachine.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2008-12-17 22:17]

    2009-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-323994875-1196474897-3389283881-1001.job
    - c:\users\Mike\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-05 00:03]

    2009-05-11 c:\windows\Tasks\User_Feed_Synchronization-{2403F762-A5E6-4537-B6B9-13AFC95EC1BA}.job
    - c:\windows\system32\msfeedssync.exe [2008-09-23 07:33]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{8e0e651f-50c6-49ba-9f39-943b1cddbde1} - c:\windows\system32\tadupele.dll
    BHO-{a835d65d-e729-4fef-a0d5-2b0823263996} - c:\windows\system32\gngcje.dll
    BHO-{bf58be34-47c6-4b8b-84e3-f401fae73864} - (no file)
    BHO-{bfd12117-ea21-48c1-ae5f-ba3ead6e238e} - (no file)
    HKCU-Run-Aim6 - (no file)
    HKLM-Run-CPMb713b0db - c:\windows\system32\lehevusa.dll
    HKLM-Run-b4208347 - c:\windows\system32\yejedotu.dll
    HKLM-Run-kigobekoha - c:\windows\system32\nuhakiko.dll


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyServer = 10.10.2.50:8080
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    IE: Note this (Google Notebook)
    IE: Note this item (Google Notebook)
    IE: Post Image to Blog - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5003
    IE: Tag This Image - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5002
    IE: Transload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5004
    IE: Upload All Images to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5000
    IE: Upload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5001
    FF - ProfilePath -

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-11 16:57
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(3008)
    c:\program files\SmartFTP Client\SmartHook.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\Ati2evxx.exe
    c:\windows\System32\audiodg.exe
    c:\windows\System32\Ati2evxx.exe
    c:\windows\System32\WLTRYSVC.EXE
    c:\windows\System32\BCMWLTRY.EXE
    c:\progra~1\Grisoft\AVG7\avgamsvr.exe
    c:\progra~1\Grisoft\AVG7\avgupsvc.exe
    c:\progra~1\Grisoft\AVG7\avgrssvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\progra~1\Grisoft\AVG7\avgrssvc.exe
    c:\windows\System32\dlbkcoms.exe
    c:\program files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
    c:\windows\System32\drivers\XAudio.exe
    c:\windows\System32\wbem\unsecapp.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\System32\VSSVC.exe
    c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
    c:\windows\System32\msiexec.exe
    .
    **************************************************************************
    .
    Completion time: 2009-05-11 17:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-05-11 21:10

    Pre-Run: 7,894,147,072 bytes free
    Post-Run: 9,399,463,936 bytes free

    280 --- E O F --- 2009-05-11 21:01

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:11:48 PM, on 5/11/2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Users\Mike\AppData\Local\Google\Update\GoogleUpdate.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Windows\Explorer.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.2.50:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O2 - BHO: (no name) - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: (no name) - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - (no file)
    O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
    O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll
    O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: (no name) - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - (no file)
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Mike\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Post Image to Blog - res://C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll/5003
    O8 - Extra context menu item: Tag This Image - res://C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll/5002
    O8 - Extra context menu item: Transload Image to ImageShack - res://C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll/5004
    O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll/5000
    O8 - Extra context menu item: Upload Image to ImageShack - res://C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll/5001
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
    O13 - Gopher Prefix:
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar...ackToolbar.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: dlbk_device - - C:\Windows\system32\dlbkcoms.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate1c9609551915fca) (gupdate1c9609551915fca) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 8399 bytes
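The HijackThis log above is the poster's. As an added worked example, not code from the thread, from HijackThis or from Trend Micro, here is a small Python triage script for logs in this format. It parses the "R0/R1/O2/O3/O4/O23 - ..." entry lines into records and applies a few review heuristics of my own: O2/O3 entries ending in "(no file)" (a CLSID still registered after its DLL is gone, the usual leftover when an antivirus deletes a BHO's file but not its registration), O23 services marked "(file missing)", a per-user ProxyServer value, and O4 autoruns started from a user profile path. The sample lines are copied from the log above; the flags are items to check, not verdicts.

```python
"""Triage a HijackThis-style log.

Added example for this thread; not code from HijackThis, Trend Micro or
the posters. The heuristics in triage() are review hints: an orphaned
CLSID or a missing service binary is a leftover to clean up, while a
per-user proxy or an autorun in AppData may be legitimate and only needs
confirming with the user.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.2.50:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - (no file)
O2 - BHO: (no name) - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - (no file)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - (no file)
O4 - HKCU\..\Run: [Google Update] "C:\Users\Mike\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
"""

# "O23 - Service: ..." -> code "O23", body "Service: ..."
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
# First {GUID} in the body, which for O2/O3 entries is the registered CLSID.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    code: str             # HijackThis section code, e.g. "O2"
    body: str             # everything after "Oxx - "
    clsid: Optional[str]  # first {GUID} in the body, if any


@dataclass
class Finding:
    reason: str
    entry: Entry


def parse_log(text: str) -> List[Entry]:
    """Turn the entry lines of a log into Entry records; other lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append(Entry(m.group("code"), body, clsid.group(0) if clsid else None))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the review heuristics (mine, not HijackThis's) to parsed entries."""
    findings: List[Finding] = []
    for e in entries:
        if e.code in ("O2", "O3") and e.body.endswith("(no file)"):
            findings.append(Finding("orphaned BHO/toolbar: CLSID registered but its DLL is gone", e))
        elif e.code == "O23" and e.body.endswith("(file missing)"):
            findings.append(Finding("service registered but its binary is missing", e))
        elif e.code in ("R0", "R1") and ",ProxyServer = " in e.body and not e.body.endswith("="):
            findings.append(Finding("per-user proxy server set; confirm it is intentional", e))
        elif e.code == "O4" and re.search(r"\\AppData\\", e.body, re.IGNORECASE):
            findings.append(Finding("autorun launched from a user profile directory; verify the program", e))
    return findings


def orphan_clsids(entries: List[Entry]) -> List[str]:
    """CLSIDs of orphaned O2/O3 entries: the ones you would tick and Fix in HijackThis."""
    return [f.entry.clsid for f in triage(entries)
            if f.reason.startswith("orphaned") and f.entry.clsid]


def report(text: str) -> str:
    """Human-readable list of findings, one entry per flagged line."""
    lines = [f"{f.entry.code}: {f.reason}\n    {f.entry.body}" for f in triage(parse_log(text))]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it as-is to see the nine flagged lines from the sample; point `report()` at the full log text to triage a whole post. Entries that are not flagged (Adobe, Yahoo!, Conexant) are not thereby vouched for; the script only surfaces the structural oddities a helper checks first.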

  4. #4
    Security Expert: Emeritus
    Join Date: Oct 2006 | Location: Finland | Posts: 29,374

    To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.

    You will now be presented with a screen similar to the one below:



    5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window into your next reply.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  5. #5
    Junior Member
    Join Date: May 2009 | Posts: 13

    AC3 Decoder
    AC3Filter (remove only)
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge 1.0
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Common File Installer
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe Dreamweaver CS3
    Adobe Dreamweaver CS3
    Adobe ExtendScript Toolkit 2
    Adobe Extension Manager CS3
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Help Center 1.0
    Adobe Help Viewer CS3
    Adobe Illustrator CS2
    Adobe InDesign CS2
    Adobe PDF Library Files
    Adobe Photoshop CS2
    Adobe Reader 7.0.9
    Adobe Setup
    Adobe Stock Photos 1.0
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    AIM Ad Hack
    AIM Pro
    AOL Instant Messenger
    ATI Catalyst Control Center Ex
    ATI PCI Express (3GIO) Filter Driver
    AVG 7.5
    Azureus
    Compatibility Pack for the 2007 Office system
    Conexant HDA D110 MDC V.92 Modem
    Dell AIO Printer A920
    Dell Wireless WLAN Card
    DellSupport
    Digital Line Detect
    Direct Show Ogg Vorbis Filter (remove only)
    DivX Codec
    DivX Content Uploader
    DivX Converter
    DivX Player
    DivX Web Player
    Documentation & Support Launcher
    ERUNT 1.1j
    ffdshow (remove only)
    FileZilla Client 3.1.1.1
    GoldWave v5.20
    Google Earth
    Google SketchUp 6
    Google SketchUp 6
    Google Update Helper
    Google Updater
    HijackThis 2.0.2
    HouseCall 6.6
    ImageShack Toolbar for Internet Explorer
    Inkscape 0.45
    IrfanView (remove only)
    Java 2 Runtime Environment, SE v1.4.2_13
    Java(TM) 6 Update 11
    Java(TM) SE Runtime Environment 6
    Kodak EZ200 DIGITAL CAMERA Installation
    Macromedia Dreamweaver 8
    Macromedia Extension Manager
    Macromedia Flash 8
    Macromedia Flash 8 Video Encoder
    Matroska Pack - Lazy Man's MKV 0.9.9
    Maya 8.5 Personal Learning Edition Documentation (en_US)
    Microsoft Age of Empires II: The Conquerors Expansion
    Microsoft Office Small Business Edition 2003
    Microsoft Office Standard Edition 2003
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Modem Diagnostic Tool
    Move Networks Media Player for Internet Explorer
    Mozilla Firefox (2.0.0.20)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    Netflix Movie Viewer
    NetWaiting
    NetZeroInstallers
    openCanvas4.5.09e Plus
    PayPal Plug-In
    QuickSet
    QuickTime
    Real Alternative 1.52
    Security Update for CAPICOM (KB931906)
    Security Update for CAPICOM (KB931906)
    SigmaTel Audio
    Skype™ Beta 4.0
    SmartFTP Client
    Sonic Activation Module
    SpeedFan (remove only)
    Spybot - Search & Destroy
    Synaptics Pointing Device Driver
    Terragen
    TomTom HOME 2.5.2.60
    URL Assistant
    User's Guides
    VC_MergeModuleToMSI
    VideoLAN VLC media player 0.8.6b
    Windows Live installer
    Windows Live Messenger
    Windows Live Sign-in Assistant
    WinRAR archiver
    Xvid 1.1.2 final uninstall
    Yahoo! Messenger
    Yahoo! Toolbar
    YASA 3GP Video Converter v3.9 (build 0063)

  6. #6
    Security Expert: Emeritus
    Join Date: Oct 2006 | Location: Finland | Posts: 29,374

    As per forum rules, all p2p programs have to be removed.

    Uninstall Azureus and post back a fresh uninstall list afterwards, please.

  7. #7
    Junior Member
    Join Date: May 2009 | Posts: 13

    Sorry about that. Forgot I had that.

    AC3 Decoder
    AC3Filter (remove only)
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge 1.0
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Common File Installer
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe Dreamweaver CS3
    Adobe Dreamweaver CS3
    Adobe ExtendScript Toolkit 2
    Adobe Extension Manager CS3
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Help Center 1.0
    Adobe Help Viewer CS3
    Adobe Illustrator CS2
    Adobe InDesign CS2
    Adobe PDF Library Files
    Adobe Photoshop CS2
    Adobe Reader 7.0.9
    Adobe Setup
    Adobe Stock Photos 1.0
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    AIM Ad Hack
    AIM Pro
    AOL Instant Messenger
    ATI Catalyst Control Center Ex
    ATI PCI Express (3GIO) Filter Driver
    AVG 7.5
    Compatibility Pack for the 2007 Office system
    Conexant HDA D110 MDC V.92 Modem
    Dell AIO Printer A920
    Dell Wireless WLAN Card
    DellSupport
    Digital Line Detect
    Direct Show Ogg Vorbis Filter (remove only)
    DivX Codec
    DivX Content Uploader
    DivX Converter
    DivX Player
    DivX Web Player
    Documentation & Support Launcher
    ERUNT 1.1j
    ffdshow (remove only)
    FileZilla Client 3.1.1.1
    GoldWave v5.20
    Google Earth
    Google SketchUp 6
    Google SketchUp 6
    Google Update Helper
    Google Updater
    HijackThis 2.0.2
    HouseCall 6.6
    ImageShack Toolbar for Internet Explorer
    Inkscape 0.45
    IrfanView (remove only)
    Java 2 Runtime Environment, SE v1.4.2_13
    Java(TM) 6 Update 11
    Java(TM) SE Runtime Environment 6
    Kodak EZ200 DIGITAL CAMERA Installation
    Macromedia Dreamweaver 8
    Macromedia Extension Manager
    Macromedia Flash 8
    Macromedia Flash 8 Video Encoder
    Matroska Pack - Lazy Man's MKV 0.9.9
    Maya 8.5 Personal Learning Edition Documentation (en_US)
    Microsoft Age of Empires II: The Conquerors Expansion
    Microsoft Office Small Business Edition 2003
    Microsoft Office Standard Edition 2003
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Modem Diagnostic Tool
    Move Networks Media Player for Internet Explorer
    Mozilla Firefox (2.0.0.20)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    Netflix Movie Viewer
    NetWaiting
    NetZeroInstallers
    openCanvas4.5.09e Plus
    PayPal Plug-In
    QuickSet
    QuickTime
    Real Alternative 1.52
    Security Update for CAPICOM (KB931906)
    Security Update for CAPICOM (KB931906)
    SigmaTel Audio
    Skype™ Beta 4.0
    SmartFTP Client
    Sonic Activation Module
    SpeedFan (remove only)
    Spybot - Search & Destroy
    Synaptics Pointing Device Driver
    Terragen
    TomTom HOME 2.5.2.60
    URL Assistant
    User's Guides
    VC_MergeModuleToMSI
    VideoLAN VLC media player 0.8.6b
    Windows Live installer
    Windows Live Messenger
    Windows Live Sign-in Assistant
    WinRAR archiver
    Xvid 1.1.2 final uninstall
    Yahoo! Messenger
    Yahoo! Toolbar
    YASA 3GP Video Converter v3.9 (build 0063)

  8. #8
    Security Expert: Emeritus
    Join Date: Oct 2006 | Location: Finland | Posts: 29,374

    Have you earlier uninstalled Symantec?

  9. #9
    Junior Member
    Join Date: May 2009 | Posts: 13

    That doesn't sound familiar, so I don't believe so.

  10. #10
    Security Expert: Emeritus
    Join Date: Oct 2006 | Location: Finland | Posts: 29,374

    The name can also be Norton.
