Virtumonde and run32dll issues

**ChrisWood** · 2010-03-06, 01:24

Greetings,

Unfortunately, I've tried a few "fixes" recommended by a friend, and i'll list those before my log. S&D keeps finding tons of issues, including Virtumonde, but they return upon each scan. My Microsoft Security Essentials was compromised and now can't reinstall, and Run32.dll was brought to my desktop, and then deleted along with some fake virus software that the infection installed. So, even in safe mode, I can't access add/remove programs because run32.dll can't be found. Also, there is a zawezamovu entry on my startup that won't delete and is running a run32.dll script I believe.

I've deleted Java
Performed a restore flush (upon bad advice, ugh)
Tried Last known good config (to no avail)
and Repaired my windows installation (to no avail)

Here is my log file, any help will be greatly appreciated!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:39:34 PM, on 3/5/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5e8be0dd-c278-4b36-91b7-1ff46ac3d755} - fabeduyu.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe_Reader] c:\program files\internet explorer\wmpscfgs.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [zawezamovu] Rundll32.exe "zoluvuwo.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4098AE48-3F18-4678-B8BD-77D31E5F01CB}: NameServer = 217.23.14.75,4.2.2.1,167.206.251.129 167.206.251.130
O17 - HKLM\System\CCS\Services\Tcpip\..\{644E93E5-D156-4FB8-B7A2-1BCB93FD0F6D}: NameServer = 217.23.14.75,4.2.2.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{4098AE48-3F18-4678-B8BD-77D31E5F01CB}: NameServer = 217.23.14.75,4.2.2.1,167.206.251.129 167.206.251.130
O17 - HKLM\System\CS4\Services\Tcpip\..\{4098AE48-3F18-4678-B8BD-77D31E5F01CB}: NameServer = 217.23.14.75,4.2.2.1,167.206.251.129 167.206.251.130
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: app_dll.dll,ketafopo.dll
O21 - SSODL: vuyuwesur - {d07201db-c091-45c8-b06f-bd9a33986bf6} - c:\windows\system32\vadawife.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {d07201db-c091-45c8-b06f-bd9a33986bf6} - c:\windows\system32\vadawife.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 6197 bytes

**ken545** · 2010-03-07, 21:54

Hello

Welcome to Safer Networking.

Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Most times when you think your infected its best to do nothing except post in a malware removal forum. Sometimes following the advice of a friend will make things worse.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

**ChrisWood** · 2010-03-09, 03:32

Thanks for the response and help, here are my combofix and hjt logs

ComboFix 10-03-08.01 - Burnie Withins 03/08/2010 21:09:03.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1278.925 [GMT -5:00]
Running from: c:\documents and settings\Burnie Withins\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\BURNIE~1\LOCALS~1\Temp\tmp1.tmp
c:\documents and settings\All Users\Application Data\_VOIDkrl32mainweq.dll
c:\documents and settings\All Users\Application Data\_VOIDmainqt.dll
c:\documents and settings\Burnie Withins\Application Data\inst.exe
c:\documents and settings\Burnie Withins\Local Settings\Application Data\av.exe
c:\documents and settings\Burnie Withins\Local Settings\Temporary Internet Files\2MAYk30Jy.jpg
c:\documents and settings\Burnie Withins\Local Settings\Temporary Internet Files\8J5M1.jpg
c:\documents and settings\Burnie Withins\Local Settings\Temporary Internet Files\AxXNm7jJ.jpg
c:\documents and settings\Burnie Withins\Local Settings\Temporary Internet Files\j5pXA6yb.jpg
c:\documents and settings\Burnie Withins\rundll32 .exe
c:\documents and settings\Burnie Withins\rundll32.exe
C:\LOG1.tmp
c:\program files\Adobe\140078.old
c:\program files\Adobe\179937.old
c:\program files\Adobe\181046.old
c:\program files\Adobe\59895734.old
c:\program files\Adobe\acrotray .exe
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs .exe
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\system32\_VOIDmeofxjwlms.dll
c:\windows\system32\_VOIDpyyyhlyrqj.dll
c:\windows\system32\_VOIDqhhjgkvymp.dat
c:\windows\system32\_VOIDqmnmpkkisk.dll
c:\windows\system32\6to4v32.dll
c:\windows\system32\app_dll.dll
c:\windows\system32\ati2mdxx .exe
c:\windows\system32\certstore.dat
c:\windows\system32\ctfmon .exe
c:\windows\system32\hesahubu.exe
c:\windows\system32\ketafopo.dll
c:\windows\system32\nc3k1x.dll
c:\windows\system32\rundll32 .exe
c:\windows\system32\seagate.sys
c:\windows\system32\sshnas21.dll
c:\windows\system32\twain_32.dll
c:\windows\system32\zoluvuwo.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service__VOIDd.sys
-------\Legacy__VOIDd.sys
-------\Service__VOIDuiqoufjpyf
-------\Legacy__VOIDuiqoufjpyf
-------\Legacy_6TO4
-------\Legacy_SEAGATE
-------\Service_6to4
-------\Service_seagate

((((((((((((((((((((((((( Files Created from 2010-02-09 to 2010-03-09 )))))))))))))))))))))))))))))))
.

2010-03-05 21:36 . 2004-08-04 12:00 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
2010-03-05 21:36 . 2004-08-04 12:00 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
2010-03-05 21:36 . 2004-08-04 12:00 48256 -c--a-w- c:\windows\system32\dllcache\w32.dll
2010-03-05 21:34 . 2001-08-18 03:36 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2010-03-05 21:33 . 2004-08-04 12:00 8704 -c--a-w- c:\windows\system32\dllcache\fxsperf.dll
2010-03-05 21:32 . 2003-03-24 21:52 16384 -c--a-w- c:\windows\system32\dllcache\tcptsat.dll
2010-03-05 21:30 . 2004-08-04 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-03-05 21:29 . 2004-08-04 12:00 32768 -c--a-w- c:\windows\system32\dllcache\icwdl.dll
2010-03-05 21:29 . 2004-08-04 12:00 86016 -c--a-w- c:\windows\system32\dllcache\icwconn2.exe
2010-03-05 21:29 . 2004-08-04 12:00 214528 -c--a-w- c:\windows\system32\dllcache\icwconn1.exe
2010-03-05 21:29 . 2004-08-04 12:00 20480 -c--a-w- c:\windows\system32\dllcache\inetwiz.exe
2010-03-05 21:17 . 2004-08-04 12:00 97792 -c--a-w- c:\windows\system32\dllcache\chtmbx.dll
2010-03-05 21:17 . 2004-08-04 12:00 56320 -c--a-w- c:\windows\system32\dllcache\chtskdic.dll
2010-03-05 21:17 . 2004-08-04 12:00 480256 -c--a-w- c:\windows\system32\dllcache\cintsetp.exe
2010-03-05 21:17 . 2004-08-04 12:00 455168 -c--a-w- c:\windows\system32\dllcache\tintsetp.exe
2010-03-05 21:17 . 2004-08-04 12:00 44032 -c--a-w- c:\windows\system32\dllcache\tintlphr.exe
2010-03-05 21:17 . 2004-08-04 12:00 198656 -c--a-w- c:\windows\system32\dllcache\cintime.dll
2010-03-05 21:17 . 2004-08-04 12:00 173568 -c--a-w- c:\windows\system32\dllcache\chtskf.dll
2010-03-05 21:17 . 2004-08-04 12:00 10240 -c--a-w- c:\windows\system32\dllcache\tmigrate.dll
2010-03-05 21:17 . 2004-08-04 12:00 59392 -c--a-w- c:\windows\system32\dllcache\imscinst.exe
2010-03-05 21:17 . 2004-08-04 12:00 70144 -c--a-w- c:\windows\system32\dllcache\pintlphr.exe
2010-03-05 21:17 . 2004-08-04 12:00 67584 -c--a-w- c:\windows\system32\dllcache\pmigrate.dll
2010-03-05 21:16 . 2004-08-04 12:00 10096640 -c--a-w- c:\windows\system32\dllcache\hwxcht.dll
2010-03-05 21:16 . 2004-08-04 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-03-05 21:16 . 2004-08-04 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-03-05 21:16 . 2004-08-04 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-03-05 21:16 . 2004-08-04 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-03-05 20:53 . 2010-03-05 20:53 -------- d-----w- c:\program files\ERUNT
2010-03-01 22:05 . 2010-03-01 22:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-03-01 22:03 . 2010-03-01 22:03 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-03-01 03:04 . 2010-03-01 03:04 -------- d-----w- c:\documents and settings\Burnie Withins\Application Data\Malwarebytes
2010-03-01 03:03 . 2010-03-01 03:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-01 03:03 . 2010-03-01 03:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-01 01:54 . 2010-03-01 01:54 -------- d-----w- c:\program files\Trend Micro
2010-03-01 00:01 . 2010-03-01 00:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-03-01 00:01 . 2010-03-01 00:01 8192 ----a-w- c:\windows\system32\drivers\tpjzjso.sys
2010-03-01 00:01 . 2010-03-01 00:01 -------- d-----w- c:\windows\_VOIDuiqoufjpyf
2010-02-20 19:11 . 2010-02-20 19:11 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2010-02-20 19:11 . 2010-02-20 19:11 -------- d-----w- c:\program files\AIM
2010-02-20 19:11 . 2010-02-20 19:11 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-02-20 06:55 . 2010-02-20 07:02 -------- d-----w- c:\documents and settings\Burnie Withins\Application Data\Singlesnet
2010-02-20 06:55 . 2010-02-20 06:55 -------- d-----w- c:\documents and settings\Burnie Withins\Local Settings\Application Data\Singlesnet.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-09 02:18 . 2010-03-09 02:18 55808 ----a-w- c:\documents and settings\Burnie Withins\rundll32.exe
2010-03-08 02:18 . 2008-04-18 01:21 99408 ----a-w- c:\documents and settings\Burnie Withins\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-05 21:44 . 2005-08-23 23:26 55808 ----a-w- c:\windows\system32\ati2mdxx.exe
2010-03-05 21:29 . 2008-04-09 00:16 22720 ----a-w- c:\windows\system32\emptyregdb.dat
2010-03-01 04:20 . 2006-02-17 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-01 04:19 . 2009-09-17 15:55 -------- d-----w- c:\program files\Yahoo!
2010-03-01 04:16 . 2008-10-21 21:11 -------- d-----w- c:\program files\uTorrent
2010-03-01 00:02 . 2008-05-02 13:26 -------- d-----w- c:\documents and settings\Burnie Withins\Application Data\AdobeUM
2010-02-28 23:59 . 2010-02-28 23:59 55808 ----a-w- c:\windows\system32\OLDE.tmp
2010-02-27 15:17 . 2008-04-18 00:16 -------- d-----w- c:\program files\CCleaner
2010-02-24 14:16 . 2009-11-05 05:44 181632 ----a-w- c:\windows\system32\MpSigStub.exe
2010-02-20 19:10 . 2010-02-20 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2010-02-10 07:05 . 2008-04-13 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-22 21:08 . 2009-02-14 21:23 -------- d-----w- c:\program files\Microsoft Silverlight
1601-01-01 00:03 . 1601-01-01 00:03 47104 --sha-w- c:\windows\system32\dehaziku.dll
1601-01-01 00:03 . 1601-01-01 00:03 95232 --sha-w- c:\windows\system32\dimadadu.dll
1601-01-01 00:00 . 1601-01-01 00:00 65024 --sha-w- c:\windows\system32\fabeduyu.dll
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\system32\hevesopa.exe
1601-01-01 00:03 . 1601-01-01 00:03 95232 --sha-w- c:\windows\system32\muyapojo.dll
1601-01-01 00:03 . 1601-01-01 00:03 40960 --sha-w- c:\windows\system32\pinabapu.dll
1601-01-01 00:03 . 1601-01-01 00:03 47104 --sha-w- c:\windows\system32\rurisugo.dll
1601-01-01 00:03 . 1601-01-01 00:03 40960 --sha-w- c:\windows\system32\yabopifo.dll
.

Code:

<pre>
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\Hewlett-Packard\HP Quick Launch Buttons\qlbctrl .exe
c:\program files\HPQ\HP Wireless Assistant\hp wireless assistant .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\windows\ime\IMJP8_1\imjpmig .exe
c:\windows\ime\IMKR6_1\imekrmig .exe
c:\windows\system32\IME\PINTLGNT\imscinst .exe
c:\windows\system32\IME\TINTLGNT\tintsetp .exe
</pre>

------- Sigcheck -------

[-] 2004-08-04 12:00 . FDA33EAC263D97CC9BC0815A3A93796D . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5e8be0dd-c278-4b36-91b7-1ff46ac3d755}]
1601-01-01 00:00 65024 --sha-w- c:\windows\system32\fabeduyu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2010-03-09 55808]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2010-03-09 55808]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2010-03-09 55808]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 761946]
"Adobe_Reader"="c:\program files\internet explorer\wmpscfgs.exe" [2010-03-09 55808]
"zawezamovu"="zoluvuwo.dll" [N/A]

c:\documents and settings\Burnie Withins\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_Reader]
2010-03-09 02:18 55808 ----a-w- c:\program files\Internet Explorer\wmpscfgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2009-10-05 19:10 3634024 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
c:\program files\AIM6\aim6.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamserviceDeluxe2]
2007-08-10 18:38 81920 ----a-w- c:\program files\Hercules\Deluxe Optical Glass\CamService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
2005-10-23 04:00 385024 ----a-w- c:\program files\Syncrosoft\POS\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
c:\program files\Yahoo!\Messenger\YahooMessenger.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSE]
c:\program files\Microsoft Security Essentials\msseces.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Singlesnet]
c:\program files\Singlesnet\Singlesnet\Singlesnet.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"zawezamovu"=Rundll32.exe "zoluvuwo.dll",s
"Adobe_Reader"=c:\program files\internet explorer\wmpscfgs.exe
"PHIME2002ASync"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"IMEKRMIG6.1"=c:\windows\ime\imkr6_1\IMEKRMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Hercules\\Deluxe Optical Glass\\Station2.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3306:TCP"= 3306:TCP:MySQL Server

R0 tpjzjso;tpjzjso;c:\windows\system32\drivers\tpjzjso.sys [2/28/2010 7:01 PM 8192]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/14/2009 5:43 PM 24652]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [7/15/2009 6:07 PM 33792]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [4/8/2008 7:36 PM 200192]
S3 camfilt2;camfilt2;c:\windows\system32\drivers\camfilt2.sys [5/19/2009 8:59 PM 94720]
S4 PHPGeekUtil;PHPGeekUtil;"c:\apache\APACHE.EXE" --ntservice --> c:\apache\APACHE.EXE [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-03-09 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]

2010-03-09 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]

2010-03-09 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]

2010-03-09 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]

2010-03-09 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]

2010-03-09 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]

2010-03-09 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]

2010-03-09 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]

2010-03-09 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]

2010-03-09 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]

2010-03-09 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]

2010-03-09 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]

2010-03-09 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]

2010-03-09 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]

2010-03-09 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]

2010-03-09 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]

2010-03-09 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]

2010-03-09 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]

2010-03-09 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]

2010-03-09 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]

2010-03-09 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]

2010-03-09 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]

2010-03-09 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]

2010-03-09 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-09 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {4098AE48-3F18-4678-B8BD-77D31E5F01CB} = 217.23.14.75,4.2.2.1,167.206.251.129 167.206.251.130
TCP: {644E93E5-D156-4FB8-B7A2-1BCB93FD0F6D} = 217.23.14.75,4.2.2.1
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{d07201db-c091-45c8-b06f-bd9a33986bf6} - c:\windows\system32\vadawife.dll
SSODL-vuyuwesur-{d07201db-c091-45c8-b06f-bd9a33986bf6} - c:\windows\system32\vadawife.dll
AddRemove-AntiVirus Plus - c:\documents and settings\Burnie Withins\Application Data\AntiVirus Plus\AntiVirus Plus.55530.dll
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-08 21:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\wuapi.dll.wusetup.152765.bak 430592 bytes executable
c:\windows\system32\wuauclt.exe.wusetup.157859.bak 111104 bytes executable
c:\windows\system32\wuaucpl.cpl.wusetup.159234.bak 162304 bytes executable
c:\windows\system32\wuaueng.dll.wusetup.160984.bak 1134592 bytes executable

scan completed successfully
hidden files: 4

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3788)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\ati technologies\ati control panel\atiptaxx .exe
c:\program files\hewlett-packard\hp quick launch buttons\qlbctrl .exe
c:\program files\hpq\hp wireless assistant\hp wireless assistant .exe
c:\progra~1\hpq\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2010-03-08 21:22:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-09 02:22

Pre-Run: 13,442,949,120 bytes free
Post-Run: 13,338,046,464 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

Current=3 Default=3 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 4292C094A602E9615C8F7FB7B0D5F8CE

*****

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:28 PM, on 3/8/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\ati technologies\ati control panel\atiptaxx .exe
c:\program files\hewlett-packard\hp quick launch buttons\qlbctrl .exe
c:\program files\hpq\hp wireless assistant\hp wireless assistant .exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5e8be0dd-c278-4b36-91b7-1ff46ac3d755} - fabeduyu.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe_Reader] c:\program files\internet explorer\wmpscfgs.exe
O4 - HKLM\..\Run: [zawezamovu] Rundll32.exe "zoluvuwo.dll",s
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4098AE48-3F18-4678-B8BD-77D31E5F01CB}: NameServer = 217.23.14.75,4.2.2.1,167.206.251.129 167.206.251.130
O17 - HKLM\System\CCS\Services\Tcpip\..\{644E93E5-D156-4FB8-B7A2-1BCB93FD0F6D}: NameServer = 217.23.14.75,4.2.2.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{4098AE48-3F18-4678-B8BD-77D31E5F01CB}: NameServer = 217.23.14.75,4.2.2.1,167.206.251.129 167.206.251.130
O17 - HKLM\System\CS4\Services\Tcpip\..\{4098AE48-3F18-4678-B8BD-77D31E5F01CB}: NameServer = 217.23.14.75,4.2.2.1,167.206.251.129 167.206.251.130
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 5861 bytes

**ken545** · 2010-03-09, 10:42

Hi,

Let me tell ya, this is one heavily infected computer, when were done you need to rethink your surfing habits or you may wind up using this computer for a doorstop. You have infections that have not been around for awhile and some new ones also.

You need to enable windows to show all files and folders, instructions Here

Go to VirusTotal and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see.

c:\windows\system32\drivers\tpjzjso.sys

If the site is busy you can try this one

http://virusscan.jotti.org/en

Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above http://forums.spybot.info/showthread.php?t=55979

Code:

http://forums.spybot.info/showthread.php?t=55979

Collect::
c:\windows\system32\dehaziku.dll
C:\windows\system32\dimadadu.dll
c:\windows\system32\fabeduyu.dll
c:\windows\system32\hevesopa.exe
c:\windows\system32\muyapojo.dll
c:\windows\system32\pinabapu.dll
c:\windows\system32\rurisugo.dll
c:\windows\system32\yabopifo.dll
c:\windows\system32\zoluvuwo.dll

Folder::
c:\windows\_VOIDuiqoufjpyf

RenV::
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\Hewlett-Packard\HP Quick Launch Buttons\qlbctrl .exe
c:\program files\HPQ\HP Wireless Assistant\hp wireless assistant .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\windows\ime\IMJP8_1\imjpmig .exe
c:\windows\ime\IMKR6_1\imekrmig .exe
c:\windows\system32\IME\PINTLGNT\imscinst .exe
c:\windows\system32\IME\TINTLGNT\tintsetp .exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5e8be0dd-c278-4b36-91b7-1ff46ac3d755}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zawezamovu"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"zawezamovu"=-

AtJob::
c:\program files\internet explorer\wmpscfgs.exe

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

**ChrisWood** · 2010-03-09, 23:10

Thanks for your time and help, I'm certainly going to learn a lesson from this. If at any point it becomes futile and re-installing windows is the only way, let me know, but I'd love to avoid that if possible. I'm posting my VirusTotal and HJT logs here, the combofix log is too big to include with them, but will try to post on it's own after and let you know if that isn't possible either because of it's size. Then maybe I can email it to you directly if possible.

Virustotal log:

File changer.sys received on 2010.03.07 22:52:26 (UTC)
Current status: finished

Result: 0/41 (0.00%)
Compact Print results Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.07 -
AhnLab-V3 5.0.0.2 2010.03.07 -
AntiVir 8.2.1.180 2010.03.05 -
Antiy-AVL 2.0.3.7 2010.03.05 -
Authentium 5.2.0.5 2010.03.06 -
Avast 4.8.1351.0 2010.03.07 -
Avast5 5.0.332.0 2010.03.07 -
AVG 9.0.0.787 2010.03.07 -
BitDefender 7.2 2010.03.07 -
CAT-QuickHeal 10.00 2010.03.06 -
ClamAV 0.96.0.0-git 2010.03.06 -
Comodo 4091 2010.02.28 -
DrWeb 5.0.1.12222 2010.03.07 -
eSafe 7.0.17.0 2010.03.04 -
eTrust-Vet 35.2.7342 2010.03.05 -
F-Prot 4.5.1.85 2010.03.06 -
F-Secure 9.0.15370.0 2010.03.07 -
Fortinet 4.0.14.0 2010.03.07 -
GData 19 2010.03.07 -
Ikarus T3.1.1.80.0 2010.03.07 -
Jiangmin 13.0.900 2010.03.07 -
K7AntiVirus 7.10.990 2010.03.04 -
Kaspersky 7.0.0.125 2010.03.07 -
McAfee 5912 2010.03.06 -
McAfee+Artemis 5912 2010.03.06 -
McAfee-GW-Edition 6.8.5 2010.03.07 -
Microsoft 1.5502 2010.03.07 -
NOD32 4922 2010.03.07 -
Norman 6.04.08 2010.03.07 -
nProtect 2009.1.8.0 2010.03.07 -
Panda 10.0.2.2 2010.03.07 -
PCTools 7.0.3.5 2010.03.04 -
Rising 22.37.06.04 2010.03.07 -
Sophos 4.51.0 2010.03.07 -
Sunbelt 5780 2010.03.07 -
Symantec 20091.2.0.41 2010.03.07 -
TheHacker 6.5.1.9.223 2010.03.07 -
TrendMicro 9.120.0.1004 2010.03.07 -
VBA32 3.12.12.2 2010.03.05 -
ViRobot 2010.3.5.2214 2010.03.05 -
VirusBuster 5.0.27.0 2010.03.06 -
Additional information
File size: 8192 bytes
MD5 : 2a5815ca6fff24b688c01f828b96819c
SHA1 : 1a15821d27fb003c63a7ee04022a8090830bede0
SHA256: f2a05918074dd2ef6a890df219bf91c9680eb77ca3565f586c7e1e7c3ff77d7b
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1705
timedatestamp.....: 0x480253B8 (Sun Apr 13 20:40:56 2008)
machinetype.......: 0x14C (Intel I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x300 0x1202 0x1280 6.26 9ecb8f82ba5332e0d343a106f70d4b7a
.rdata 0x1580 0xD0 0x100 3.49 ad8316297ccec0579ec4e7bbe2d472ab
.data 0x1680 0x8 0x80 0.38 0c41a08c90a7d5e81bf065649ebabedc
INIT 0x1700 0x34A 0x380 5.15 4b3395530699bafc33478cb6f8439f6f
.rsrc 0x1A80 0x3E8 0x400 3.36 2797dac6de2afb0898056a36b91393e2
.reloc 0x1E80 0x10C 0x180 3.96 158c85cdce07329b20dc2131b7d4f1d9

( 1 imports )

> ntoskrnl.exe: IofCompleteRequest, IoRegisterDeviceInterface, RtlInitUnicodeString, KeInitializeEvent, IoDeleteDevice, IoAttachDeviceToDeviceStack, IoCreateDevice, KeSetEvent, IoSetDeviceInterfaceState, ExFreePoolWithTag, RtlCompareMemory, memmove, ExAllocatePoolWithTag, IoCreateSymbolicLink, RtlFreeUnicodeString, RtlAnsiStringToUnicodeString, RtlInitString, sprintf, KeWaitForSingleObject, IofCallDriver, IoBuildDeviceIoControlRequest, PoCallDriver, PoStartNextPowerIrp, IoSetHardErrorOrVerifyDevice, IoDetachDevice, IoDeleteSymbolicLink, KeTickCount, KeBugCheckEx

( 0 exports )

TrID : File type identification
Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 192:wLUTuxUjTSFslR2vCCRezCxP9HNoq5X8aWSQa+Wx:9uSjTSFUIz/TtWaWSQa+Wx
sigcheck: publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: SCSI CD-ROM Driver
original name: scsicdrm.sys
internal name: scsicdrm.sys
file version.: 5.1.2600.5512 (xpsp.080413-2108)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEiD : -
packers (Kaspersky): PE_Patch
RDS : NSRL Reference Data Set
-

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:45:26 PM, on 3/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\hpq\hp wireless assistant\hp wireless assistant .exe
c:\program files\ati technologies\ati control panel\atiptaxx .exe
c:\program files\hewlett-packard\hp quick launch buttons\qlbctrl .exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4098AE48-3F18-4678-B8BD-77D31E5F01CB}: NameServer = 217.23.14.75,4.2.2.1,167.206.251.129 167.206.251.130
O17 - HKLM\System\CCS\Services\Tcpip\..\{644E93E5-D156-4FB8-B7A2-1BCB93FD0F6D}: NameServer = 217.23.14.75,4.2.2.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{4098AE48-3F18-4678-B8BD-77D31E5F01CB}: NameServer = 217.23.14.75,4.2.2.1,167.206.251.129 167.206.251.130
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 5662 bytes

**ChrisWood** · 2010-03-09, 23:15

The log file for combofix is 419kb and much too big to post, is there a certain section or sections that I should post instead of entire file? Or would you like me to email it to you?

**ken545** · 2010-03-10, 00:49

Cris,

Its imperative that I see the Combofix log. The log is in C:\ComboFix.txt , reply to this topic and then look towards the bottom that says manage attachments and you can attach it to this thread. There will be two, make sure its the latest one

**ChrisWood** · 2010-03-10, 15:40

I had to zip the file as it still well exceeded the size limit for upload.

**ken545** · 2010-03-10, 15:59

Got it Chris, thank you.

The reason it was so large is because if you look at the original Combofix log Post 4 all those programs in the CODE BOX where infected and combofix fixed them all.

Please download ATF Cleaner by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.

Please download Malwarebytes from Here or Here

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

Post the report and also a new HJT log please

Post both logs please and let me know how your system is running now ?

**ChrisWood** · 2010-03-10, 18:06

Malwarebytes found 7 objects and removed them, comp is running great at the moment.. Here are the logs

Thanks

Malwarebytes' Anti-Malware 1.44
Database version: 3848
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/10/2010 11:55:24 AM
mbam-log-2010-03-10 (11-55-24).txt

Scan type: Quick Scan
Objects scanned: 125585
Time elapsed: 4 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4098ae48-3f18-4678-b8bd-77d31e5f01cb}\NameServer (Trojan.DNSChanger) -> Data: 217.23.14.75,4.2.2.1,167.206.251.129 167.206.251.130 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{644e93e5-d156-4fb8-b7a2-1bcb93fd0f6d}\NameServer (Trojan.DNSChanger) -> Data: 217.23.14.75,4.2.2.1 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\app_dll.dll.139109.old (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\app_dll.dll.178953.old (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\app_dll.dll.180078.old (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\OLDE.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ati2mdxx.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

******

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:44 PM, on 3/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\System32\svchost.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 5436 bytes

Thread: Virtumonde and run32dll issues

Thread Tools

Display

Virtumonde and run32dll issues

logs

New Logs

Combofix too large

combofix log zip

New Logs

Posting Permissions