Another virtumonde victim

M

magicdocmw

New member
Hi, I hope this post will help me with trying to rid my pc of the dreaded virtumonde crap. Here are some lists from my pc.

My hjt list;
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56: VIRUS ALERT!, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CDP\PSM\psmserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Virtual Assistant\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myembarq.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: QXK Olive - {4EE62603-9BB7-462B-8A8D-E9F4BF11BE49} - C:\WINDOWS\boqnrwdmvdr.dll (file missing)
O2 - BHO: (no name) - {52D0D5A6-0E05-4949-B50D-8404EB31000E} - C:\WINDOWS\system32\vtUkheCu.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BCBEB0EB-744A-4F05-99A5-636B721C318E} - C:\WINDOWS\system32\rqRHbBTn.dll (file missing)
O2 - BHO: (no name) - {E4657029-9B66-4AAE-B4D6-31E4DBD9304E} - C:\WINDOWS\system32\hgGwTmlI.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [DelayLoad] C:\DOCUME~1\Mike\LOCALS~1\Temp\msprint.exe
O4 - HKLM\..\Run: [a82b31a3] rundll32.exe "C:\WINDOWS\system32\wbwfmdnl.dll",b
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: EMBARQ Help.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179027989847
O20 - Winlogon Notify: rqRHbBTn - rqRHbBTn.dll (file missing)
O21 - SSODL: vltdfabw - {324EE2C4-A315-4A89-87FF-4D2200029159} - C:\WINDOWS\vltdfabw.dll (file missing)
O21 - SSODL: vregfwlx - {E64ED9B9-CCE4-4B7C-A92D-9D8818C209FF} - C:\WINDOWS\vregfwlx.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Persistent Storage Manager Service (PsmServ) - Columbia Data Products, Inc. - C:\Program Files\CDP\PSM\psmserv.exe

--
End of file - 5571 bytes

And the CCleaner list:
ACDSee 32
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
AVG 7.5
Belarc Advisor 6.0
CCleaner (remove only)
CDP Persistent Storage Manager v2.4
EMBARQ Help
EMBARQ Help Online
EMBARQ Remote Control
HijackThis 2.0.2
HP Deskjet 3900 series
HP Extended Capabilities 5.0
HP Imaging Device Functions 5.0
HP Photosmart Essential
HP Solution Center & Imaging Support Tools 5.0
HP Update
Logitech SetPoint
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSXML 6.0 Parser (KB933579)
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Player 11
Yahoo! Messenger

Please help me. Is there anything else I need to provide you with?
Thanks
 
Hi magicdocmw

We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report
 
Virtumonde problem

Thank-you for helping me. Here are the new logs that you requested

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:46, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CDP\PSM\psmserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Virtual Assistant\bin\mpbtn.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myembarq.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: QXK Olive - {4EE62603-9BB7-462B-8A8D-E9F4BF11BE49} - C:\WINDOWS\boqnrwdmvdr.dll (file missing)
O2 - BHO: (no name) - {52D0D5A6-0E05-4949-B50D-8404EB31000E} - C:\WINDOWS\system32\vtUkheCu.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BCBEB0EB-744A-4F05-99A5-636B721C318E} - C:\WINDOWS\system32\rqRHbBTn.dll (file missing)
O2 - BHO: (no name) - {E4657029-9B66-4AAE-B4D6-31E4DBD9304E} - C:\WINDOWS\system32\hgGwTmlI.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: EMBARQ Help.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179027989847
O20 - Winlogon Notify: rqRHbBTn - rqRHbBTn.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Persistent Storage Manager Service (PsmServ) - Columbia Data Products, Inc. - C:\Program Files\CDP\PSM\psmserv.exe

--
End of file - 5390 bytes

And the ComboFix log
ComboFix 08-06-01.6 - Mike 2008-06-01 16:24:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.699 [GMT -7:00]
Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mike\Desktop\Privacy Protector.url
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bhpdnfec.ini
C:\WINDOWS\system32\IlmTwGgh.ini
C:\WINDOWS\system32\IlmTwGgh.ini2
C:\WINDOWS\system32\lndmfwbw.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\PXxENqss.ini2
C:\WINDOWS\system32\uCehkUtv.ini
C:\WINDOWS\system32\uCehkUtv.ini2
C:\WINDOWS\system32\wbwfmdnl.dll
C:\WINDOWS\xmpstean.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-05-31 12:02 . 2008-05-31 12:02 <DIR> d-------- C:\Program Files\CCleaner
2008-05-31 11:55 . 2008-05-31 11:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-26 16:16 . 2008-05-28 20:51 540 --a------ C:\WINDOWS\wininit.ini
2008-05-26 09:29 . 2008-05-26 09:29 8,192 --ahs---- C:\WINDOWS\Thumbs.db
2008-05-26 09:27 . 2008-05-26 09:27 5,632 --ahs---- C:\Thumbs.db
2008-05-19 20:36 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-05-18 12:01 . 2008-05-18 12:01 <DIR> d-------- C:\WINDOWS\Motive
2008-05-18 12:00 . 2008-05-18 15:54 <DIR> d-------- C:\Program Files\Virtual Assistant
2008-05-18 12:00 . 2008-05-18 12:00 <DIR> d-------- C:\Program Files\Motive
2008-05-18 11:54 . 2008-05-18 11:56 <DIR> d-------- C:\Program Files\EMBARQ
2008-05-18 11:54 . 2008-05-18 11:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2008-05-18 11:53 . 2008-05-18 11:54 <DIR> d-------- C:\Program Files\Common Files\Motive
2008-05-18 08:45 . 2005-10-17 19:50 245,376 --a------ C:\WINDOWS\system32\drivers\rt2500usb.sys
2008-05-18 08:45 . 2003-10-13 15:30 94,208 --a------ C:\WINDOWS\system32\GTW32N50.dll
2008-05-18 08:45 . 2003-09-25 23:28 31,930 --a------ C:\WINDOWS\system32\GTNDIS3.VXD
2008-05-18 08:45 . 2005-02-01 18:18 17,992 --a------ C:\WINDOWS\system32\drivers\bcm42rly.sys
2008-05-18 08:45 . 2005-02-01 18:18 17,992 --a------ C:\WINDOWS\system32\bcm42rly.sys
2008-05-18 08:45 . 2003-09-25 22:15 15,872 --a------ C:\WINDOWS\system32\GTNDIS5.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 18:38 --------- d-----w C:\Documents and Settings\Mike\Application Data\AVG7
2008-05-27 06:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-26 21:04 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-26 16:31 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-18 22:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-29 03:15 --------- d-----w C:\Program Files\HP
2008-03-26 04:14 691,545 ----a-w C:\WINDOWS\unins000.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4EE62603-9BB7-462B-8A8D-E9F4BF11BE49}]
C:\WINDOWS\boqnrwdmvdr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52D0D5A6-0E05-4949-B50D-8404EB31000E}]
C:\WINDOWS\system32\vtUkheCu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCBEB0EB-744A-4F05-99A5-636B721C318E}]
C:\WINDOWS\system32\rqRHbBTn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4657029-9B66-4AAE-B4D6-31E4DBD9304E}]
C:\WINDOWS\system32\hgGwTmlI.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 16:43 4670704]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 19:13 579584]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-01-20 15:46 28160 C:\WINDOWS\KHALMNPR.Exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Motive SmartBridge"="C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe" [2006-04-21 15:41 438359]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 07:03 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EMBARQ Help.lnk - C:\Program Files\Virtual Assistant\bin\matcli.exe [2008-05-18 12:00:15 217088]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 22:23:26 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BCBEB0EB-744A-4F05-99A5-636B721C318E}"= C:\WINDOWS\system32\rqRHbBTn.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRHbBTn]
rqRHbBTn.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R0 psman5;Persistent Storage Manager;C:\WINDOWS\system32\DRIVERS\psman5.sys [2006-12-01 12:47]
R0 qmapi;QmApi;C:\WINDOWS\system32\Drivers\qmapi.sys [2006-12-01 12:47]
R2 McciCMService;McciCMService;"C:\Program Files\Common Files\Motive\McciCMService.exe" [2008-03-31 22:42]
R2 otmbridge;Otm/Psm Bridge;C:\WINDOWS\system32\Drivers\otmbridge.sys [2006-12-01 12:46]
R2 PsmServ;Persistent Storage Manager Service;"C:\Program Files\CDP\PSM\psmserv.exe" [2006-12-01 12:47]
R3 3dfxvs;3dfxvs;C:\WINDOWS\system32\DRIVERS\3dfxvsm.sys [2001-10-03 11:47]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-09-22 14:44]
S3 MREMP50;MREMP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [2008-03-31 22:42]
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS []
S3 MRESP50;MRESP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [2008-03-31 22:42]
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS []
S3 NC100;Network Everywhere Fast Ethernet Adapter(NC100 v2);C:\WINDOWS\system32\DRIVERS\NC100A.sys [2001-02-23 10:12]
S4 PsmShare;Persistent Storage Manager Share;"C:\Program Files\CDP\PSM\PsmShare.exe" [2006-12-01 12:47]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-31 07:05:00 C:\WINDOWS\Tasks\114f40a4-ff60-4783-92ee-1b0aff4a54eb.job"
- C:\Program Files\CDP\PSM\ss.exeI-N -L:C -g:15883535 -p:125 -f:1
"2008-06-01 23:32:15 C:\WINDOWS\Tasks\29c8d8ef-ba90-46d5-a772-7f565ac9ee25.job"
- C:\Program Files\CDP\PSM\ss.exeH-N -L:C -g:15883571 -p:125 -f:1
"2008-05-31 07:05:00 C:\WINDOWS\Tasks\77dd3940-2f5d-47e2-8c3b-b495f7ad8cc1.job"
- C:\Program Files\CDP\PSM\ss.exeJ-N -L:C -g:15883550 -p:125 -f:1
"2008-06-01 23:05:00 C:\WINDOWS\Tasks\cbe99a9f-7d9f-4d65-8633-4a71b1558eca.job"
- C:\Program Files\CDP\PSM\ss.exeJ-N -L:C -g:15883512 -p:125 -f:1
"2008-03-01 08:05:00 C:\WINDOWS\Tasks\f97467f9-5cea-4457-8cc9-864833ec5402.job"
- C:\Program Files\CDP\PSM\ss.exeK-N -L:C -g:15883561 -p:125 -f:1
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 16:33:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Virtual Assistant\bin\mpbtn.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-06-01 16:37:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-01 23:37:38

Pre-Run: 6,132,424,704 bytes free
Post-Run: 6,497,656,832 bytes free

144 --- E O F --- 2008-05-20 03:36:58
 
Hi

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: QXK Olive - {4EE62603-9BB7-462B-8A8D-E9F4BF11BE49} - C:\WINDOWS\boqnrwdmvdr.dll (file missing)
O2 - BHO: (no name) - {52D0D5A6-0E05-4949-B50D-8404EB31000E} - C:\WINDOWS\system32\vtUkheCu.dll (file missing)
O2 - BHO: (no name) - {BCBEB0EB-744A-4F05-99A5-636B721C318E} - C:\WINDOWS\system32\rqRHbBTn.dll (file missing)
O2 - BHO: (no name) - {E4657029-9B66-4AAE-B4D6-31E4DBD9304E} - C:\WINDOWS\system32\hgGwTmlI.dll (file missing)
O20 - Winlogon Notify: rqRHbBTn - rqRHbBTn.dll (file missing)

Close all windows including browser and press fix checked.

Reboot.

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)
    Kas-SaveReport-1.gif
  • In the Save as... prompt, select Desktop
  • In the File name box, name the file KasScan-ddmmyy (or similar)
  • In the Save as type prompt, select Text file (see below)
    Kas-Savetxt.gif
  • Now click on the Save as Text button
  • Savethe file to your desktop.
  • Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only! Keep ALL other programs closed during the scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report
 
Virtumonde victim

Hi, are we getting closer to having this taking care of? Here are some new logs as you requested;

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, June 03, 2008 00:30
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/06/2008
Kaspersky Anti-Virus database records: 824795
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 34649
Number of viruses found: 2
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 01:08:13

Infected Object Name / Virus Name / Last Action
C:\150b2513692b901f4620e47107f3\%temp%dd_msxml_retMSI.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2e29d9b3befca1bf69acbe2f06cd1cf0_b61b9606-7c7b-44de-86f7-487e3d933ca7 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\34074c31b2e612d425c9091dce38583e_b61b9606-7c7b-44de-86f7-487e3d933ca7 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\76b6ebbc656f58df7d012e71a6e32402_b61b9606-7c7b-44de-86f7-487e3d933ca7 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\934fd927ef2c37a72ca911520c639832_b61b9606-7c7b-44de-86f7-487e3d933ca7 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9e421d0e7cae320ca3b6935539d3081f_b61b9606-7c7b-44de-86f7-487e3d933ca7 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d80fc138d49c1307b456dafae7955d93_b61b9606-7c7b-44de-86f7-487e3d933ca7 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e8ff03ac52e7b42f05274c4641b3cf00_b61b9606-7c7b-44de-86f7-487e3d933ca7 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f7754872ebe3e32b946a395d8f4feec4_b61b9606-7c7b-44de-86f7-487e3d933ca7 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike\ntuser.dat Object is locked skipped
C:\Documents and Settings\Mike\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Persistent Storage Manager State\diff.psm Object is locked skipped
C:\Persistent Storage Manager State\header.psm Object is locked skipped
C:\Persistent Storage Manager State\index.psm Object is locked skipped
C:\Program Files\Virtual Assistant\log\mpbtn.log Object is locked skipped
C:\Program Files\Virtual Assistant\SmartBridge\AlertFilter.log Object is locked skipped
C:\Program Files\Virtual Assistant\SmartBridge\log\httpclient.log Object is locked skipped
C:\Program Files\Virtual Assistant\SmartBridge\SmartBridge.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wbwfmdnl.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.vlu skipped
C:\QooBox\Quarantine\C\WINDOWS\xmpstean.exe.vir Infected: Trojan.Win32.Vapsup.fsn skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP315\A0024351.exe Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP315\A0024352.exe Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP362\A0027716.dll Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP362\A0027717.exe Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP362\A0027718.exe Infected: Trojan.Win32.Vapsup.fsn skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP362\A0027729.dll Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP362\A0027731.dll Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP362\A0028709.exe Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP363\A0028723.dll Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP363\A0028728.dll Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP363\A0028734.exe Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP363\A0028735.exe Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP363\A0028736.exe Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP363\A0028739.dll Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP363\A0028769.dll Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP363\A0028771.exe Infected: Trojan.Win32.Vapsup.fsn skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP363\A0028772.exe Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP363\A0028773.dll Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP363\A0028776.dll Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP365\A0028808.dll Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP366\A0028835.dll Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP366\A0028914.dll Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP366\A0029893.dll Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP367\A0029905.exe Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP369\A0029976.dll Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP370\A0029978.dll Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP370\A0029979.exe Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP370\A0029980.dll Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP372\A0031007.exe Infected: Trojan.Win32.Vapsup.fsn skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP372\A0031008.dll Object is locked skipped
C:\System Volume Information\_restore{70D9031F-0B66-4556-919C-57BEB4DFA0EC}\RP373\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

and the HighJackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:32, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CDP\PSM\psmserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Virtual Assistant\bin\mpbtn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myembarq.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: EMBARQ Help.lnk = C:\Program Files\Virtual Assistant\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179027989847
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Persistent Storage Manager Service (PsmServ) - Columbia Data Products, Inc. - C:\Program Files\CDP\PSM\psmserv.exe

--
End of file - 4829 bytes

Again, ty for your help
 
Hi

Yes, we are :)

Empty this folder:

C:\QooBox\Quarantine

Empty Recycle Bin.

All other viruses are in system restore and inactive.

I give you later instructions how to empty it.

Other than that, any problems left?
 
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.
 
You must log in or register to reply here.
Back
Top