Virtumonde.dll - can't get rid of it

Zander

New member
Hello,
First off - thanks a million for helping out.

Spybot has found Virtumonde.dll on my computer and it was unable to remove three of the library files. In the description field it said to go to this forum for help. Here I am!

When it tried to remove the entries it came up with an error that it "failed to load c:]program files\spybot - search_destroy\DelZip179.dll"

I use Internet Explorer but have completely stopped using it until this problem is resolved. Therefore I'm using a second computer to post this info, and this is also why I can't post a Kaspersky log.

I have provided the Trend Micro HijackThis log.

Can you please help me figure this out as fast as possible - this machine is critical to my business. Thanks!


************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:47:21 AM, on 5/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe
C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe
C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\adskflex.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Gateway\EzTune\DTHtml.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Free Desktop Clock\DesktopClock.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Documents and Settings\User\Desktop\KnockOut.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\1stWORKS\hotCommCL\BIN\hotComm.exe
C:\Program Files\TradeStation 8.3 (Build 1631)\Program\ORPlat.exe
C:\PROGRA~1\TRADES~2.3(B\Program\ordllhst.exe
C:\PROGRA~1\TRADES~2.3(B\Program\whserver.exe
C:\PROGRA~1\TRADES~2.3(B\Program\orcal.exe
C:\PROGRA~1\TRADES~2.3(B\Program\orclprxy.exe
C:\Program Files\TradeStation 8.3 (Build 1631)\Program\TickShel.EXE
C:\PROGRA~1\TRADES~2.3(B\Program\orchart.exe
C:\PROGRA~1\TRADES~2.3(B\Program\tsrpts.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 168.143.163.89 hcurltest1
O1 - Hosts: 82.165.161.232 hcurltest2
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] "C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [JMB36X Configure] "C:\WINDOWS\system32\JMRaidTool.exe" boot
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [AsusServiceProvider] "C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe"
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [DT GWY] C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe -GWY
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [BM434f52a0] Rundll32.exe "C:\WINDOWS\system32\wqyomtnc.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA6314] command /c del "C:\WINDOWS\system32\abndetdj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4097] cmd /c del "C:\WINDOWS\system32\abndetdj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7126] command /c del "C:\WINDOWS\system32\buhjapty.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2417] cmd /c del "C:\WINDOWS\system32\buhjapty.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7134] command /c del "C:\WINDOWS\system32\mnllcohi.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3490] cmd /c del "C:\WINDOWS\system32\mnllcohi.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3429] command /c del "C:\WINDOWS\system32\ossvupux.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC64] cmd /c del "C:\WINDOWS\system32\ossvupux.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9078] command /c del "C:\WINDOWS\system32\sdjetxon.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9096] cmd /c del "C:\WINDOWS\system32\sdjetxon.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Free Desktop Clock\DesktopClock.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: network.bat
O4 - Startup: Shortcut to KnockOut.lnk = C:\Documents and Settings\User\Desktop\KnockOut.exe
O4 - Startup: µTorrent.lnk = C:\Program Files\uTorrent\utorrent.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173376378546
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Flexlm Service 1 - Macrovision Corporation - C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\Data Deposit Box\nts.exe (file missing)
O23 - Service: RaySat_3dsmax8 Server (RaySat_3dsmax8Server) - Unknown owner - C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/User/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.gif

--
End of file - 16726 bytes
 
Hi Zander

We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left-hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also which process you had to end.

If you have problems with ComboFix usage, see here.

Post:

- a fresh HijackThis log
- combofix report
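The loading points the helper is reading in the HijackThis log above (a rundll32 entry pulling a randomly named DLL from system32, and the leftover Spybot delete-on-reboot entries) can be triaged mechanically. The following is an added example written for this thread, not a HijackThis, Spybot or ComboFix tool and not code from any poster; the sample log lines are constructed to match the formats seen above, and the "8 alphabetic characters in system32" rule is a heuristic assumption for illustration, not a vendor signature.

```python
"""Triage helper for HijackThis-style log lines (added example).

Flags two patterns visible in the thread above:
  * an O4 Run entry where rundll32 loads an 8-letter DLL from system32
  * an O2 BHO with "(no name)" backed by such a DLL
and reports leftover Spybot RunOnce delete entries, whose presence means
the .dll_old file survived the reboot.  The name-shape test is an
assumed heuristic; legitimate 8-letter DLL names exist, so treat hits
as "look closer", not "malicious".
"""
import re
import ntpath

# Constructed sample lines, modelled on the HijackThis formats above.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [BM434f52a0] Rundll32.exe "C:\WINDOWS\system32\wqyomtnc.dll",s',
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"',
    r'O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKLM\..\RunOnce: [SpybotDeletingC4097] cmd /c del "C:\WINDOWS\system32\abndetdj.dll_old"',
    r'O2 - BHO: (no name) - {A88B91F1-745B-425D-BFD5-79622FB871AD} - C:\WINDOWS\system32\awtTmKbX.dll',
    r'O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - '
    r'C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll',
]

# "O4 - <hive>\..\<Run|RunOnce>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# "O2 - BHO: <display name> - {<CLSID>} - <dll path>"
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$')
# First drive-letter path ending in .dll inside a command line, quoted or not.
DLL_IN_CMD_RE = re.compile(r'"?([A-Za-z]:\\[^",]+\.dll)"?', re.IGNORECASE)
EIGHT_LETTERS = re.compile(r'^[A-Za-z]{8}$')


def looks_generated(path):
    """Heuristic (assumption): a .dll in system32 whose base name is exactly
    eight letters and nothing else, as in wqyomtnc.dll or awtTmKbX.dll."""
    base, ext = ntpath.splitext(ntpath.basename(path))
    in_sys32 = '\\system32\\' in path.lower()
    return in_sys32 and ext.lower() == '.dll' and bool(EIGHT_LETTERS.match(base))


def triage_line(line):
    """Return a reason string for a line worth a second look, else None."""
    m = O4_RE.match(line)
    if m:
        if m.group('key').lower() == 'runonce' and m.group('name').startswith('SpybotDeleting'):
            return 'leftover Spybot delete-on-reboot entry; the .dll_old file was not removed'
        cmd = m.group('cmd')
        if cmd.lower().lstrip().startswith('rundll32'):
            d = DLL_IN_CMD_RE.search(cmd)
            if d and looks_generated(d.group(1)):
                return 'rundll32 loading an 8-letter DLL from system32'
        return None
    m = O2_RE.match(line)
    if m and m.group('name') == '(no name)' and looks_generated(m.group('path')):
        return 'unnamed BHO backed by an 8-letter DLL in system32'
    return None


def triage(lines):
    """Run triage_line over every line; return [(line, reason), ...] for hits."""
    findings = []
    for line in lines:
        reason = triage_line(line)
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == '__main__':
    for hit, why in triage(SAMPLE_LINES):
        print(f'{why}\n    {hit}')
```

Run it as-is to see the three hits in the constructed sample, or feed it a real log with `triage(open('hijackthis.log').readlines())`. The O4 entries for ctfmon.exe, jusched.exe and the CMICNFG3.CPL control panel stay silent, which is the point of tying the name-shape rule to a loader context (rundll32 or an unnamed BHO) rather than applying it to every path in the log.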
 
how to get combofix to work if I

I downloaded ComboFix and disabled all firewall, antivirus and spyware programs. ComboFix would still not work. I found through trial and error that stopping the attrib.exe process allowed ComboFix to start; however, I accidentally pressed the wrong key when it asked if I agreed to the terms.

It deleted itself, and I put it back and tried starting it again; however, it now just stops at a blue screen and doesn't go any further.

I found a file it creates called 'bug.txt' but deleting this didn't help either.

Please advise!
 
ran in safe mode and

I ran it in safe mode, and this time it worked; however, it said it needed to reboot the machine, which it did, and when I logged back in a ComboFix window appeared which displayed a "Please Wait..." screen and wouldn't go any further.

any advice?
 
it stopped because

OK - sorry, I forgot about your instructions on what to do if it takes longer than 20 minutes.

I stopped the process called sed.cfexe and it continued for a bit, then stopped when the process called FindStr showed up. I stopped that process, and it didn't go any further.

What should I do with the open window?
 
Hi

Try to run ComboFix in safe mode; when it asks to reboot, reboot back into safe mode, and when it's finished, boot into normal mode.
 
safe mode reboot worked

Thanks - that worked. I've posted the logfiles from ComboFix and HijackThis, created in safe mode.

_________
ComboFix 08-05-15.3 - User 2008-05-17 12:48:00.4 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1740 [GMT -7:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
.
---- Previous Run -------
.
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bacMnnmp.ini
C:\WINDOWS\system32\bacMnnmp.ini2
C:\WINDOWS\system32\bisykmrk.exe
C:\WINDOWS\system32\dddjfnsb.ini
C:\WINDOWS\system32\ediuvoof.ini
C:\WINDOWS\system32\fdmcqrhl.exe
C:\WINDOWS\system32\ghkihwbw.ini
C:\WINDOWS\system32\jowisugx.exe
C:\WINDOWS\system32\loruvyxx.ini
C:\WINDOWS\system32\loruvyxx.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nequyqgc.ini
C:\WINDOWS\system32\noxtejds.ini
C:\WINDOWS\system32\NWHilnnn.ini
C:\WINDOWS\system32\NWHilnnn.ini2
C:\WINDOWS\system32\oxfsewbo.exe
C:\WINDOWS\system32\prrXycdd.ini
C:\WINDOWS\system32\prrXycdd.ini2
C:\WINDOWS\system32\qkgbglgc.ini
C:\WINDOWS\system32\TwGjPqru.ini
C:\WINDOWS\system32\TwGjPqru.ini2
C:\WINDOWS\system32\vooyohat.exe
C:\WINDOWS\system32\XbKmTtwa.ini
C:\WINDOWS\system32\XbKmTtwa.ini2
C:\WINDOWS\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.

2008-05-17 12:42 . 2008-05-17 12:42 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-17 12:14 . 2008-05-17 12:14 125,952 --a------ C:\WINDOWS\system32\jycuauie.dll
2008-05-17 12:13 . 2008-05-17 12:13 371,712 --a------ C:\WINDOWS\system32\awtTmKbX.dll
2008-05-17 12:08 . 2008-05-17 12:38 354 ---hs---- C:\WINDOWS\system32\dddjfnsb.ini
2008-05-17 10:32 . 2008-05-17 10:32 134,144 --a------ C:\WINDOWS\system32\rnupvjbb.dll
2008-05-17 10:26 . 2008-05-17 10:26 116,224 --a------ C:\WINDOWS\system32\bsnfjddd.dll
2008-05-17 10:23 . 2008-05-17 10:23 371,712 --a------ C:\WINDOWS\system32\urqPjGwT.dll
2008-05-17 10:23 . 2008-05-17 10:23 125,952 --a------ C:\WINDOWS\system32\vidcaxcg.dll
2008-05-17 09:17 . 2008-05-17 09:17 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-17 09:17 . 2008-05-17 12:55 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-16 17:05 . 2008-05-16 17:05 135,680 --a------ C:\WINDOWS\system32\hdauvuyy.dll
2008-05-16 16:56 . 2008-05-16 16:56 116,736 --a------ C:\WINDOWS\system32\wbwhikhg.dll
2008-05-16 16:53 . 2008-05-16 16:53 125,952 --a------ C:\WINDOWS\system32\ncbestfw.dll
2008-05-16 16:32 . 2008-05-16 16:32 370,688 --a------ C:\WINDOWS\system32\xxyvurol.dll_old
2008-05-16 14:09 . 2008-05-16 14:09 116,736 --a------ C:\WINDOWS\system32\cgqyuqen.dll
2008-05-16 14:09 . 2008-05-16 14:09 164 --a------ C:\install.dat
2008-05-16 14:06 . 2008-05-16 14:06 135,680 --a------ C:\WINDOWS\system32\rpvvnudr.dll
2008-05-16 14:03 . 2008-05-16 14:03 125,952 --a------ C:\WINDOWS\system32\drrybqup.dll
2008-05-15 22:42 . 2008-05-15 22:42 116,736 --a------ C:\WINDOWS\system32\cglgbgkq.dll
2008-05-15 22:33 . 2008-05-15 22:33 133,120 --a------ C:\WINDOWS\system32\leppuric.dll
2008-05-15 22:30 . 2008-05-15 22:30 125,952 --a------ C:\WINDOWS\system32\wqyomtnc.dll
2008-05-15 19:55 . 2008-05-15 19:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-15 19:55 . 2008-05-15 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-15 02:16 . 2008-05-15 02:16 <DIR> d-------- C:\WINDOWS\system32\Quarantine
2008-05-14 21:09 . 2006-08-24 12:40 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2008-05-14 21:09 . 2006-07-10 17:38 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2008-05-14 21:08 . 2008-05-15 02:16 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-14 19:39 . 2008-05-14 21:00 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-14 09:05 . 2008-05-17 12:38 109,807 --a------ C:\WINDOWS\BM434f52a0.xml
2008-05-13 21:00 . 2008-05-13 21:00 57,856 --a------ C:\WINDOWS\system32\xxyxUoOh.dll
2008-05-13 20:56 . 2008-05-13 20:56 57,856 --a------ C:\WINDOWS\system32\yayXrsqq.dll
2008-05-07 20:45 . 2008-05-07 20:46 8 --a------ C:\WINDOWS\sess_54d502b19f6d90898b7b6a83ac0b83cc
2008-05-07 20:45 . 2008-05-07 20:45 8 --a------ C:\WINDOWS\sess_4aafb38039561bd8bbbb76faec7a2ed9
2008-05-07 20:42 . 2008-05-07 20:42 8 --a------ C:\WINDOWS\sess_83f7cad487d69ca260363d4fef25ecc3
2008-05-07 20:40 . 2008-05-07 20:40 <DIR> d-------- C:\Program Files\PsychicSalesLetter
2008-05-05 13:15 . 2006-02-06 08:54 24,064 -ra------ C:\WINDOWS\system32\PostProc.dll
2008-05-05 13:14 . 2001-09-11 15:20 1,285,632 --a------ C:\WINDOWS\system32\SMMedia.dll
2008-05-05 13:14 . 2005-05-04 09:20 53,248 --a------ C:\WINDOWS\system32\wdmioctl.dll
2008-05-05 13:14 . 2005-09-26 16:20 49,152 --a------ C:\WINDOWS\system32\DSndUp.exe
2008-05-05 13:14 . 2002-04-17 15:05 45,056 --a------ C:\WINDOWS\system32\CleanUp.exe
2008-05-05 13:13 . 2008-05-05 13:13 19,744 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-05-04 21:30 . 2008-05-04 21:30 <DIR> d-------- C:\Program Files\MagicDisc
2008-05-04 21:30 . 2008-02-18 17:29 96,256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-05-02 13:13 . 2008-05-02 13:13 <DIR> d-------- C:\Program Files\Common Files\TechSmith Shared
2008-05-01 11:28 . 2008-05-01 11:28 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-05-01 11:26 . 2008-05-01 11:26 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-01 11:26 . 2008-05-01 11:27 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\SWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\PWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\MWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\DWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\CWRKArea.wrk
2008-04-29 18:26 . 2008-05-01 18:37 <DIR> d-------- C:\Program Files\QuickTax Tracker
2008-04-26 11:17 . 2008-04-26 11:22 <DIR> d-------- C:\Program Files\TradeStation 8.3 (Build 1631)
2008-04-17 12:52 . 2008-04-17 12:52 <DIR> d-------- C:\Program Files\Free Desktop Clock

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 19:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-17 19:39 --------- d-----w C:\Documents and Settings\User\Application Data\uTorrent
2008-05-17 19:39 --------- d-----w C:\Documents and Settings\User\Application Data\Skype
2008-05-17 16:24 --------- d-----w C:\Program Files\Webroot
2008-05-17 16:24 --------- d-----w C:\Documents and Settings\User\Application Data\Webroot
2008-05-16 21:10 1,518 ----a-w C:\WINDOWS\win.tmp
2008-05-16 21:02 --------- d-----w C:\Program Files\TradeStation Archives
2008-05-16 14:47 --------- d-----w C:\Program Files\Trend Micro
2008-05-15 04:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-06 16:04 --------- d-----w C:\Program Files\eSignal Pro
2008-05-05 20:14 --------- d-----w C:\Program Files\Analog Devices
2008-05-05 05:40 --------- d-----w C:\Program Files\CASHFLOW
2008-05-02 20:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\TechSmith
2008-05-02 20:13 --------- d-----w C:\Program Files\TechSmith
2008-05-02 01:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-04-07 13:09 --------- d-----w C:\Program Files\iTunes
2008-04-07 13:08 --------- d-----w C:\Program Files\iPod
2008-04-07 13:06 --------- d-----w C:\Program Files\QuickTime
2008-04-03 20:28 --------- d-----w C:\Documents and Settings\User\Application Data\dvdcss
2008-03-31 02:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-31 02:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-31 01:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-03-29 00:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-29 00:41 --------- d-----w C:\Program Files\EA Sports
2008-03-19 23:00 --------- d-----w C:\Documents and Settings\User\Application Data\1clickPro
2006-12-13 20:15 2,233 ----a-w C:\Documents and Settings\User\Application Data\SAS7_000.DAT
2006-11-17 01:01 162 ---h--w C:\Program Files\Common Files\client.lcs
2006-11-17 00:59 226 ---h--w C:\Program Files\Common Files\server.lcs
2006-10-19 03:28 461 ----a-w C:\Program Files\INSTALL.LOG
2004-10-01 22:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2006-11-13 21:03 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05A46B99-2DB8-4D39-8B46-7E37174EB02F}]
2008-05-17 10:23 371712 --a------ C:\WINDOWS\system32\urqPjGwT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{099038AC-1FC7-4619-849D-45DEE1D155CE}]
C:\WINDOWS\system32\xxyvurol.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2611CFD4-4DAE-48CB-A234-323AE57749F9}]
C:\WINDOWS\system32\nnnliHWN.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3DA4C41A-AE0E-45FD-9A29-DC76FA5C9C13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DAD26CA-7E56-4196-B903-D57C23A5C154}]
C:\WINDOWS\system32\pmnnMcab.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7620844-936C-4D0E-8AF9-BD661F8D2B78}]
C:\WINDOWS\system32\ddcyXrrp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A88B91F1-745B-425D-BFD5-79622FB871AD}]
2008-05-17 12:13 371712 --a------ C:\WINDOWS\system32\awtTmKbX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ce0f979b-e892-4170-83c8-c6304e89e7c7}]
2008-05-17 10:32 134144 --a------ C:\WINDOWS\system32\rnupvjbb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E243A8E7-6244-49E0-A361-22DBF30FD46C}]
2008-05-13 20:56 57856 --a------ C:\WINDOWS\system32\yayXrsqq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"= "C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll" [2007-09-16 07:21 103760]

[HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2005-04-20 10:44 894464]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 03:45 23120680]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-12-16 20:50 492808]
"PowerBar"="" []
"SkinClock"="C:\Program Files\Free Desktop Clock\DesktopClock.exe" [2006-10-01 16:50 334848]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-13 00:46 3375104]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Index Washer"="C:\Program Files\Webroot\Washer\WashIdx.exe" [2005-04-07 13:45 51200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-11-28 14:02 988701]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2005-12-27 18:01 1544099]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"LVCOMSX"="C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 10:33 243248]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-06-02 01:45 385024]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:30 81920]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:30 249856]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 12:38 163840]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-09-22 00:55 57344]
"AsusServiceProvider"="C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe" [2006-08-03 02:25 591360]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2006-08-22 12:46 1422848]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-11-28 14:02 118784]
"DT GWY"="C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2007-10-09 18:45 81920]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 16:48 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 19:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 15:58 61440]
"CmPCIaudio"="CMICNFG3.CPL" []
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 03:07 843776]
"407c613c"="C:\WINDOWS\system32\bsnfjddd.dll" [2008-05-17 10:26 116224]
"BM434f52a0"="C:\WINDOWS\system32\jycuauie.dll" [2008-05-17 12:14 125952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-13 00:46 3375104]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-05-04 21:30:00 546816]
network.bat [2008-03-28 17:34:28 62]
Shortcut to KnockOut.lnk - C:\Documents and Settings\User\Desktop\KnockOut.exe [2002-12-16 20:22:42 83968]
µTorrent.lnk - C:\Program Files\uTorrent\utorrent.exe [2006-07-02 09:29:46 219952]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-07-09 12:05:16 25214]
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-09-22 00:55:04 57344]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-04 21:43:54 11000]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:27:34 471040]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-10-22 16:31:03 651264]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2006-10-22 16:03:40 57344]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E243A8E7-6244-49E0-A361-22DBF30FD46C}"= C:\WINDOWS\system32\yayXrsqq.dll [2008-05-13 20:56 57856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayXrsqq]
yayXrsqq.dll 2008-05-13 20:56 57856 C:\WINDOWS\system32\yayXrsqq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo1"= CSvidcap.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\mentalray\\satellite\\raysat_3dsmax8.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\mentalray\\satellite\\raysat_3dsmax8server.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\3dsviz.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\IBP 9\\IBP.exe"=
"C:\\Program Files\\1stWORKS\\hotCommCL\\BIN\\HotComm.exe"=
"C:\\Program Files\\eSignal Pro\\winros.exe"=
"C:\\Program Files\\TradeStation 8.3 (Build 1419)\\Program\\ORPlat.exe"=
"C:\\Program Files\\TradeStation 8.3 (Build 1419)\\Program\\TickShel.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:*:Disabled:bittorrent 6881
"6882:TCP"= 6882:TCP:*:Disabled:bittorrent 6882
"6883:TCP"= 6883:TCP:*:Disabled:bittorrent 6883
"6884:TCP"= 6884:TCP:*:Disabled:bittorrent 6884
"6888:TCP"= 6888:TCP:*:Disabled:6888 Utorrent

S2 Flexlm Service 1;Flexlm Service 1;C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe [2006-05-29 18:22]
S2 RaySat_3dsmax8Server;RaySat_3dsmax8 Server;C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe [2006-03-24 15:55]
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2006-07-27 21:28]
S3 axskbus;axskbus;C:\WINDOWS\system32\DRIVERS\axskbus.sys []
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 13:50]
S3 IndieVolume;IndieVolume Service;C:\Program Files\IndieVolume\IndieVolume.sys []
S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []
S3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []
S3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-13 04:54:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-16 21:03:16 C:\WINDOWS\Tasks\TradeStation Backup - Monthly.job"
- C:\Program Files\TradeStation 8.3 (Build 1631)\Program\TSBackupRestore.exeT/Backup C:\Program Files\TradeStation 8.3 (Build 1631)\Templates\Backup\Monthly.tsb7C:\Program Files\TradeStation 8.3 (Build 1631)\Program
"2007-04-28 01:22:17 C:\WINDOWS\Tasks\Update iTunes music library.job"
- C:\Documents and Settings\User\My Documents\_Storage\Stored Programs\Utilities\itunes library updater\iTLU.bat
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 12:55:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\yayXrsqq.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-05-17 13:02:02 - machine was rebooted [User]
ComboFix-quarantined-files.txt 2008-05-17 20:01:31

Pre-Run: 42,053,185,536 bytes free
Post-Run: 42,034,343,936 bytes free

294 --- E O F --- 2008-05-17 19:44:31


********************
HIJACK THIS LOG
********************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:03:32 PM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {05A46B99-2DB8-4D39-8B46-7E37174EB02F} - C:\WINDOWS\system32\urqPjGwT.dll
O2 - BHO: (no name) - {099038AC-1FC7-4619-849D-45DEE1D155CE} - C:\WINDOWS\system32\xxyvurol.dll (file missing)
O2 - BHO: (no name) - {2611CFD4-4DAE-48CB-A234-323AE57749F9} - C:\WINDOWS\system32\nnnliHWN.dll (file missing)
O2 - BHO: (no name) - {3DA4C41A-AE0E-45FD-9A29-DC76FA5C9C13} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {6DAD26CA-7E56-4196-B903-D57C23A5C154} - C:\WINDOWS\system32\pmnnMcab.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {A7620844-936C-4D0E-8AF9-BD661F8D2B78} - C:\WINDOWS\system32\ddcyXrrp.dll (file missing)
O2 - BHO: (no name) - {A88B91F1-745B-425D-BFD5-79622FB871AD} - C:\WINDOWS\system32\awtTmKbX.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: {7c7e98e4-036c-8c38-0714-298eb979f0ec} - {ce0f979b-e892-4170-83c8-c6304e89e7c7} - C:\WINDOWS\system32\rnupvjbb.dll
O2 - BHO: (no name) - {E243A8E7-6244-49E0-A361-22DBF30FD46C} - C:\WINDOWS\system32\yayXrsqq.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] "C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [JMB36X Configure] "C:\WINDOWS\system32\JMRaidTool.exe" boot
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [AsusServiceProvider] "C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe"
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [DT GWY] C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe -GWY
O4 - HKLM\..\Run: [BrMfcWnd] "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe"
O4 - HKLM\..\Run: [ControlCenter3] "C:\Program Files\Brother\ControlCenter3\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [407c613c] rundll32.exe "C:\WINDOWS\system32\bsnfjddd.dll",b
O4 - HKLM\..\Run: [BM434f52a0] Rundll32.exe "C:\WINDOWS\system32\jycuauie.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Free Desktop Clock\DesktopClock.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "User"
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: network.bat
O4 - Startup: Shortcut to KnockOut.lnk = C:\Documents and Settings\User\Desktop\KnockOut.exe
O4 - Startup: µTorrent.lnk = C:\Program Files\uTorrent\utorrent.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173376378546
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: yayXrsqq - C:\WINDOWS\SYSTEM32\yayXrsqq.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Flexlm Service 1 - Macrovision Corporation - C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\Data Deposit Box\nts.exe (file missing)
O23 - Service: RaySat_3dsmax8 Server (RaySat_3dsmax8Server) - Unknown owner - C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/User/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.gif

--
End of file - 13402 bytes
 
Hi

That's great :)

If instructions fail in normal, please try them in safe mode.

Open notepad and copy/paste the text in the codebox below into it:

Code:
File::
C:\WINDOWS\system32\jycuauie.dll
C:\WINDOWS\system32\awtTmKbX.dll
C:\WINDOWS\system32\dddjfnsb.ini
C:\WINDOWS\system32\rnupvjbb.dll
C:\WINDOWS\system32\bsnfjddd.dll
C:\WINDOWS\system32\urqPjGwT.dll
C:\WINDOWS\system32\vidcaxcg.dll
C:\WINDOWS\system32\hdauvuyy.dll
C:\WINDOWS\system32\wbwhikhg.dll
C:\WINDOWS\system32\ncbestfw.dll
C:\WINDOWS\system32\xxyvurol.dll_old
C:\WINDOWS\system32\cgqyuqen.dll
C:\WINDOWS\system32\rpvvnudr.dll
C:\WINDOWS\system32\drrybqup.dll
C:\WINDOWS\system32\cglgbgkq.dll
C:\WINDOWS\system32\leppuric.dll
C:\WINDOWS\system32\wqyomtnc.dll
C:\WINDOWS\BM434f52a0.xml
C:\WINDOWS\system32\xxyxUoOh.dll
C:\WINDOWS\system32\yayXrsqq.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05A46B99-2DB8-4D39-8B46-7E37174EB02F}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{099038AC-1FC7-4619-849D-45DEE1D155CE}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2611CFD4-4DAE-48CB-A234-323AE57749F9}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3DA4C41A-AE0E-45FD-9A29-DC76FA5C9C13}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DAD26CA-7E56-4196-B903-D57C23A5C154}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7620844-936C-4D0E-8AF9-BD661F8D2B78}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A88B91F1-745B-425D-BFD5-79622FB871AD}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ce0f979b-e892-4170-83c8-c6304e89e7c7}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E243A8E7-6244-49E0-A361-22DBF30FD46C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"407c613c"=-
"BM434f52a0"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E243A8E7-6244-49E0-A361-22DBF30FD46C}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayXrsqq]

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.gif]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab, and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also which process you had to end.
 
ok, so far so good

Thanks... I had to run it in Safe Mode, but it worked :laugh:

I've posted results of the ComboFix.txt and HijackThis below:

***************************

ComboFix 08-05-15.3 - User 2008-05-17 13:35:58.5 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1733 [GMT -7:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BM434f52a0.xml
C:\WINDOWS\system32\awtTmKbX.dll
C:\WINDOWS\system32\bsnfjddd.dll
C:\WINDOWS\system32\cglgbgkq.dll
C:\WINDOWS\system32\cgqyuqen.dll
C:\WINDOWS\system32\dddjfnsb.ini
C:\WINDOWS\system32\drrybqup.dll
C:\WINDOWS\system32\hdauvuyy.dll
C:\WINDOWS\system32\jycuauie.dll
C:\WINDOWS\system32\leppuric.dll
C:\WINDOWS\system32\ncbestfw.dll
C:\WINDOWS\system32\rnupvjbb.dll
C:\WINDOWS\system32\rpvvnudr.dll
C:\WINDOWS\system32\urqPjGwT.dll
C:\WINDOWS\system32\vidcaxcg.dll
C:\WINDOWS\system32\wbwhikhg.dll
C:\WINDOWS\system32\wqyomtnc.dll
C:\WINDOWS\system32\xxyvurol.dll_old
C:\WINDOWS\system32\xxyxUoOh.dll
C:\WINDOWS\system32\yayXrsqq.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Guest\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\BM434f52a0.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\awtTmKbX.dll
C:\WINDOWS\system32\bsnfjddd.dll
C:\WINDOWS\system32\cglgbgkq.dll
C:\WINDOWS\system32\cgqyuqen.dll
C:\WINDOWS\system32\dddjfnsb.ini
C:\WINDOWS\system32\drrybqup.dll
C:\WINDOWS\system32\hdauvuyy.dll
C:\WINDOWS\system32\IjlVDcfe.ini
C:\WINDOWS\system32\IjlVDcfe.ini2
C:\WINDOWS\system32\jycuauie.dll
C:\WINDOWS\system32\leppuric.dll
C:\WINDOWS\system32\ncbestfw.dll
C:\WINDOWS\system32\rnupvjbb.dll
C:\WINDOWS\system32\rpvvnudr.dll
C:\WINDOWS\system32\urqPjGwT.dll
C:\WINDOWS\system32\vidcaxcg.dll
C:\WINDOWS\system32\wbwhikhg.dll
C:\WINDOWS\system32\wqyomtnc.dll
C:\WINDOWS\system32\xxyvurol.dll_old
C:\WINDOWS\system32\xxyxUoOh.dll
C:\WINDOWS\system32\yayXrsqq.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.

2008-05-17 13:19 . 2008-05-17 13:19 371,712 --a------ C:\WINDOWS\system32\efcDVljI.dll
2008-05-17 09:17 . 2008-05-17 09:17 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-17 09:17 . 2008-05-17 13:44 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-16 14:09 . 2008-05-16 14:09 164 --a------ C:\install.dat
2008-05-15 19:55 . 2008-05-15 19:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-15 19:55 . 2008-05-15 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-15 02:16 . 2008-05-15 02:16 <DIR> d-------- C:\WINDOWS\system32\Quarantine
2008-05-14 21:09 . 2006-08-24 12:40 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2008-05-14 21:09 . 2006-07-10 17:38 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2008-05-14 21:08 . 2008-05-15 02:16 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-14 19:39 . 2008-05-14 21:00 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-07 20:45 . 2008-05-07 20:46 8 --a------ C:\WINDOWS\sess_54d502b19f6d90898b7b6a83ac0b83cc
2008-05-07 20:45 . 2008-05-07 20:45 8 --a------ C:\WINDOWS\sess_4aafb38039561bd8bbbb76faec7a2ed9
2008-05-07 20:42 . 2008-05-07 20:42 8 --a------ C:\WINDOWS\sess_83f7cad487d69ca260363d4fef25ecc3
2008-05-07 20:40 . 2008-05-07 20:40 <DIR> d-------- C:\Program Files\PsychicSalesLetter
2008-05-05 13:15 . 2006-02-06 08:54 24,064 -ra------ C:\WINDOWS\system32\PostProc.dll
2008-05-05 13:14 . 2001-09-11 15:20 1,285,632 --a------ C:\WINDOWS\system32\SMMedia.dll
2008-05-05 13:14 . 2005-05-04 09:20 53,248 --a------ C:\WINDOWS\system32\wdmioctl.dll
2008-05-05 13:14 . 2005-09-26 16:20 49,152 --a------ C:\WINDOWS\system32\DSndUp.exe
2008-05-05 13:14 . 2002-04-17 15:05 45,056 --a------ C:\WINDOWS\system32\CleanUp.exe
2008-05-05 13:13 . 2008-05-05 13:13 19,744 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-05-04 21:30 . 2008-05-04 21:30 <DIR> d-------- C:\Program Files\MagicDisc
2008-05-04 21:30 . 2008-02-18 17:29 96,256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-05-02 13:13 . 2008-05-02 13:13 <DIR> d-------- C:\Program Files\Common Files\TechSmith Shared
2008-05-01 11:28 . 2008-05-01 11:28 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-05-01 11:26 . 2008-05-01 11:26 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-01 11:26 . 2008-05-01 11:27 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\SWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\PWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\MWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\DWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\CWRKArea.wrk
2008-04-29 18:26 . 2008-05-01 18:37 <DIR> d-------- C:\Program Files\QuickTax Tracker
2008-04-26 11:17 . 2008-04-26 11:22 <DIR> d-------- C:\Program Files\TradeStation 8.3 (Build 1631)
2008-04-17 12:52 . 2008-04-17 12:52 <DIR> d-------- C:\Program Files\Free Desktop Clock

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 20:31 --------- d-----w C:\Documents and Settings\User\Application Data\uTorrent
2008-05-17 20:17 --------- d-----w C:\Documents and Settings\User\Application Data\Skype
2008-05-17 19:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-17 16:24 --------- d-----w C:\Program Files\Webroot
2008-05-17 16:24 --------- d-----w C:\Documents and Settings\User\Application Data\Webroot
2008-05-16 21:10 1,518 ----a-w C:\WINDOWS\win.tmp
2008-05-16 21:02 --------- d-----w C:\Program Files\TradeStation Archives
2008-05-16 14:47 --------- d-----w C:\Program Files\Trend Micro
2008-05-15 04:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-06 16:04 --------- d-----w C:\Program Files\eSignal Pro
2008-05-05 20:14 --------- d-----w C:\Program Files\Analog Devices
2008-05-05 05:40 --------- d-----w C:\Program Files\CASHFLOW
2008-05-02 20:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\TechSmith
2008-05-02 20:13 --------- d-----w C:\Program Files\TechSmith
2008-05-02 01:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-04-07 13:09 --------- d-----w C:\Program Files\iTunes
2008-04-07 13:08 --------- d-----w C:\Program Files\iPod
2008-04-07 13:06 --------- d-----w C:\Program Files\QuickTime
2008-04-03 20:28 --------- d-----w C:\Documents and Settings\User\Application Data\dvdcss
2008-03-31 02:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-31 02:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-31 01:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-03-29 00:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-29 00:41 --------- d-----w C:\Program Files\EA Sports
2008-03-19 23:00 --------- d-----w C:\Documents and Settings\User\Application Data\1clickPro
2006-12-13 20:15 2,233 ----a-w C:\Documents and Settings\User\Application Data\SAS7_000.DAT
2006-11-17 01:01 162 ---h--w C:\Program Files\Common Files\client.lcs
2006-11-17 00:59 226 ---h--w C:\Program Files\Common Files\server.lcs
2006-10-19 03:28 461 ----a-w C:\Program Files\INSTALL.LOG
2004-10-01 22:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2006-11-13 21:03 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-17_13.00.41.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-17 19:54:51 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-17 20:44:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21815876-69E6-402A-9C03-032CD06F1AFC}]
2008-05-17 13:19 371712 --a------ C:\WINDOWS\system32\efcDVljI.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"= "C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll" [2007-09-16 07:21 103760]

[HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2005-04-20 10:44 894464]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 03:45 23120680]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-12-16 20:50 492808]
"PowerBar"="" []
"SkinClock"="C:\Program Files\Free Desktop Clock\DesktopClock.exe" [2006-10-01 16:50 334848]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-13 00:46 3375104]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Index Washer"="C:\Program Files\Webroot\Washer\WashIdx.exe" [2005-04-07 13:45 51200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-11-28 14:02 988701]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2005-12-27 18:01 1544099]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"LVCOMSX"="C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 10:33 243248]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-06-02 01:45 385024]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:30 81920]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:30 249856]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 12:38 163840]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-09-22 00:55 57344]
"AsusServiceProvider"="C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe" [2006-08-03 02:25 591360]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2006-08-22 12:46 1422848]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-11-28 14:02 118784]
"DT GWY"="C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2007-10-09 18:45 81920]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 16:48 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 19:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 15:58 61440]
"CmPCIaudio"="CMICNFG3.CPL" []
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 03:07 843776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-13 00:46 3375104]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-05-04 21:30:00 546816]
network.bat [2008-03-28 17:34:28 62]
Shortcut to KnockOut.lnk - C:\Documents and Settings\User\Desktop\KnockOut.exe [2002-12-16 20:22:42 83968]
æTorrent.lnk - C:\Program Files\uTorrent\utorrent.exe [2006-07-02 09:29:46 219952]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-07-09 12:05:16 25214]
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-09-22 00:55:04 57344]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-04 21:43:54 11000]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:27:34 471040]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-10-22 16:31:03 651264]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2006-10-22 16:03:40 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo1"= CSvidcap.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\mentalray\\satellite\\raysat_3dsmax8.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\mentalray\\satellite\\raysat_3dsmax8server.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\3dsviz.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\IBP 9\\IBP.exe"=
"C:\\Program Files\\1stWORKS\\hotCommCL\\BIN\\HotComm.exe"=
"C:\\Program Files\\eSignal Pro\\winros.exe"=
"C:\\Program Files\\TradeStation 8.3 (Build 1419)\\Program\\ORPlat.exe"=
"C:\\Program Files\\TradeStation 8.3 (Build 1419)\\Program\\TickShel.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:*:Disabled:bittorrent 6881
"6882:TCP"= 6882:TCP:*:Disabled:bittorrent 6882
"6883:TCP"= 6883:TCP:*:Disabled:bittorrent 6883
"6884:TCP"= 6884:TCP:*:Disabled:bittorrent 6884
"6888:TCP"= 6888:TCP:*:Disabled:6888 Utorrent

S2 Flexlm Service 1;Flexlm Service 1;C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe [2006-05-29 18:22]
S2 RaySat_3dsmax8Server;RaySat_3dsmax8 Server;C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe [2006-03-24 15:55]
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2006-07-27 21:28]
S3 axskbus;axskbus;C:\WINDOWS\system32\DRIVERS\axskbus.sys []
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 13:50]
S3 IndieVolume;IndieVolume Service;C:\Program Files\IndieVolume\IndieVolume.sys []
S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []
S3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []
S3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-13 04:54:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-16 21:03:16 C:\WINDOWS\Tasks\TradeStation Backup - Monthly.job"
- C:\Program Files\TradeStation 8.3 (Build 1631)\Program\TSBackupRestore.exeT/Backup C:\Program Files\TradeStation 8.3 (Build 1631)\Templates\Backup\Monthly.tsb7C:\Program Files\TradeStation 8.3 (Build 1631)\Program
"2007-04-28 01:22:17 C:\WINDOWS\Tasks\Update iTunes music library.job"
- C:\Documents and Settings\User\My Documents\_Storage\Stored Programs\Utilities\itunes library updater\iTLU.bat
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 13:44:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-17 13:50:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-17 20:50:00
ComboFix2.txt 2008-05-17 20:02:02

Pre-Run: 42,086,260,736 bytes free
Post-Run: 42,066,751,488 bytes free

263 --- E O F --- 2008-05-17 19:44:31


**************************************
HIJACK THIS
**************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:05 PM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {21815876-69E6-402A-9C03-032CD06F1AFC} - C:\WINDOWS\system32\efcDVljI.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] "C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [JMB36X Configure] "C:\WINDOWS\system32\JMRaidTool.exe" boot
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [AsusServiceProvider] "C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe"
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [DT GWY] C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe -GWY
O4 - HKLM\..\Run: [BrMfcWnd] "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe"
O4 - HKLM\..\Run: [ControlCenter3] "C:\Program Files\Brother\ControlCenter3\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Free Desktop Clock\DesktopClock.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "User"
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: network.bat
O4 - Startup: Shortcut to KnockOut.lnk = C:\Documents and Settings\User\Desktop\KnockOut.exe
O4 - Startup: µTorrent.lnk = C:\Program Files\uTorrent\utorrent.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173376378546
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Flexlm Service 1 - Macrovision Corporation - C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\Data Deposit Box\nts.exe (file missing)
O23 - Service: RaySat_3dsmax8 Server (RaySat_3dsmax8Server) - Unknown owner - C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/User/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.gif

--
End of file - 12297 bytes
 
Hi

Something still left:

Open notepad and copy/paste the text in the codebox below into it:

Code:
File::
C:\WINDOWS\system32\efcDVljI.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21815876-69E6-402A-9C03-032CD06F1AFC}]

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then Combofix should continue.
If that happened we want to know, and also what process you had to end.
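As an added illustration of the check behind the script above (this is example code written for this page, not Shaba's own tooling and not part of ComboFix or HijackThis), the Python below pulls the O2 BHO lines out of a HijackThis log, flags the unnamed entry whose DLL sits directly in system32, and renders the same File::/Registry:: CFScript shape used in the post. The sample lines are constructed from the log posted earlier in this thread; the "directly in system32" rule is this example's own heuristic, not something the post states.

```python
import re

# Constructed sample: four add-on lines modelled on the HijackThis log
# posted above (not a real log file, just the lines this example needs).
SAMPLE_LOG = r"""
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {21815876-69E6-402A-9C03-032CD06F1AFC} - C:\WINDOWS\system32\efcDVljI.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
"""

# One HijackThis O2 line: "O2 - BHO: <name> - {<CLSID>} - <dll path>"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$"
)

SYSTEM32 = "c:\\windows\\system32\\"


def parse_bhos(log_text):
    """Return one dict (name, clsid, path) per O2 line; other lines are ignored."""
    bhos = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            bhos.append(m.groupdict())
    return bhos


def flag_suspicious(bhos):
    """Attach a 'reasons' list to each BHO showing the signals seen in the thread.

    Signal 1 is straight from the log: the BHO has no display name.
    Signal 2 is this example's own heuristic (an assumption, not from the
    post): the DLL sits directly in system32 rather than under a product
    directory. Either alone is only a hint; both are reported so the reader
    can weigh them.
    """
    flagged = []
    for b in bhos:
        reasons = []
        if b["name"] == "(no name)":
            reasons.append("BHO registered without a display name")
        path = b["path"]
        if path.lower().startswith(SYSTEM32) and "\\" not in path[len(SYSTEM32):]:
            reasons.append("DLL sits directly in system32")
        if reasons:
            flagged.append(dict(b, reasons=reasons))
    return flagged


def build_cfscript(flagged):
    """Render File::/Registry:: text in the same shape as the CFScript above.

    The '~' in the registry key mirrors Shaba's script, which uses ComboFix's
    own shorthand for the parent key under which BHOs are listed.
    """
    lines = ["File::"] + [b["path"] for b in flagged]
    lines += ["", "Registry::"]
    lines += ["[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{%s}]" % b["clsid"]
              for b in flagged]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = flag_suspicious(parse_bhos(SAMPLE_LOG))
    for b in hits:
        print(b["path"], "->", "; ".join(b["reasons"]))
    print(build_cfscript(hits))
```

Run against the constructed sample, only the efcDVljI.dll entry is flagged (on both signals) and the generated script matches the File:: and Registry:: lines in the post above; the SnagIt and Spybot BHOs, which carry vendor names and live under their product folders, pass untouched.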
 
completed in safe mode again

I've posted the results below - hopefully this will do it? I had to run it in Safe Mode again; does this matter, and will I have to eventually get Combofix to run in Normal mode?

Thanks Shaba

*******************
COMBOFIX LOG
*******************
ComboFix 08-05-15.3 - User 2008-05-18 8:06:25.6 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1730 [GMT -7:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\efcDVljI.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\efcDVljI.dll
C:\WINDOWS\system32\hdfyobjk.ini
C:\WINDOWS\system32\IjlVDcfe.ini
C:\WINDOWS\system32\IjlVDcfe.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-17 18:06 . 2008-05-17 18:06 134,144 --a------ C:\WINDOWS\system32\hwnpyval.dll
2008-05-17 18:06 . 2008-05-17 18:06 116,224 --a------ C:\WINDOWS\system32\kjboyfdh.dll
2008-05-17 18:06 . 2008-05-17 18:06 6,694 --a------ C:\WINDOWS\system32\mrgwwqfh.dll
2008-05-17 18:06 . 2008-05-17 18:06 6,692 --a------ C:\WINDOWS\system32\qtyyhqkt.exe
2008-05-17 09:17 . 2008-05-17 09:17 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-17 09:17 . 2008-05-18 08:12 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-16 14:09 . 2008-05-16 14:09 164 --a------ C:\install.dat
2008-05-15 19:55 . 2008-05-15 19:55 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-15 19:55 . 2008-05-15 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-15 02:16 . 2008-05-15 02:16 <DIR> d-------- C:\WINDOWS\system32\Quarantine
2008-05-14 21:09 . 2006-08-24 12:40 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2008-05-14 21:09 . 2006-07-10 17:38 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2008-05-14 21:08 . 2008-05-15 02:16 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-14 19:39 . 2008-05-14 21:00 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-07 20:45 . 2008-05-07 20:46 8 --a------ C:\WINDOWS\sess_54d502b19f6d90898b7b6a83ac0b83cc
2008-05-07 20:45 . 2008-05-07 20:45 8 --a------ C:\WINDOWS\sess_4aafb38039561bd8bbbb76faec7a2ed9
2008-05-07 20:42 . 2008-05-07 20:42 8 --a------ C:\WINDOWS\sess_83f7cad487d69ca260363d4fef25ecc3
2008-05-07 20:40 . 2008-05-07 20:40 <DIR> d-------- C:\Program Files\PsychicSalesLetter
2008-05-05 13:15 . 2006-02-06 08:54 24,064 -ra------ C:\WINDOWS\system32\PostProc.dll
2008-05-05 13:14 . 2001-09-11 15:20 1,285,632 --a------ C:\WINDOWS\system32\SMMedia.dll
2008-05-05 13:14 . 2005-05-04 09:20 53,248 --a------ C:\WINDOWS\system32\wdmioctl.dll
2008-05-05 13:14 . 2005-09-26 16:20 49,152 --a------ C:\WINDOWS\system32\DSndUp.exe
2008-05-05 13:14 . 2002-04-17 15:05 45,056 --a------ C:\WINDOWS\system32\CleanUp.exe
2008-05-05 13:13 . 2008-05-05 13:13 19,744 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-05-04 21:30 . 2008-05-04 21:30 <DIR> d-------- C:\Program Files\MagicDisc
2008-05-04 21:30 . 2008-02-18 17:29 96,256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-05-02 13:13 . 2008-05-02 13:13 <DIR> d-------- C:\Program Files\Common Files\TechSmith Shared
2008-05-01 11:28 . 2008-05-01 11:28 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-05-01 11:26 . 2008-05-01 11:26 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-01 11:26 . 2008-05-01 11:27 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\SWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\PWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\MWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\DWRKArea.wrk
2008-05-01 07:45 . 2008-05-01 07:45 1,536 --a------ C:\CWRKArea.wrk
2008-04-29 18:26 . 2008-05-01 18:37 <DIR> d-------- C:\Program Files\QuickTax Tracker
2008-04-26 11:17 . 2008-04-26 11:22 <DIR> d-------- C:\Program Files\TradeStation 8.3 (Build 1631)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 14:57 --------- d-----w C:\Documents and Settings\User\Application Data\uTorrent
2008-05-18 14:56 --------- d-----w C:\Documents and Settings\User\Application Data\Skype
2008-05-17 19:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-17 16:24 --------- d-----w C:\Program Files\Webroot
2008-05-17 16:24 --------- d-----w C:\Documents and Settings\User\Application Data\Webroot
2008-05-16 21:10 1,518 ----a-w C:\WINDOWS\win.tmp
2008-05-16 21:02 --------- d-----w C:\Program Files\TradeStation Archives
2008-05-16 14:47 --------- d-----w C:\Program Files\Trend Micro
2008-05-15 04:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-06 16:04 --------- d-----w C:\Program Files\eSignal Pro
2008-05-05 20:14 --------- d-----w C:\Program Files\Analog Devices
2008-05-05 05:40 --------- d-----w C:\Program Files\CASHFLOW
2008-05-02 20:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\TechSmith
2008-05-02 20:13 --------- d-----w C:\Program Files\TechSmith
2008-05-02 01:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-04-17 19:52 --------- d-----w C:\Program Files\Free Desktop Clock
2008-04-07 13:09 --------- d-----w C:\Program Files\iTunes
2008-04-07 13:08 --------- d-----w C:\Program Files\iPod
2008-04-07 13:06 --------- d-----w C:\Program Files\QuickTime
2008-04-03 20:28 --------- d-----w C:\Documents and Settings\User\Application Data\dvdcss
2008-03-31 02:07 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-03-31 02:07 204,816 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-03-31 01:50 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-03-29 00:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-29 00:41 --------- d-----w C:\Program Files\EA Sports
2008-03-19 23:00 --------- d-----w C:\Documents and Settings\User\Application Data\1clickPro
2006-12-13 20:15 2,233 ----a-w C:\Documents and Settings\User\Application Data\SAS7_000.DAT
2006-11-17 01:01 162 ---h--w C:\Program Files\Common Files\client.lcs
2006-11-17 00:59 226 ---h--w C:\Program Files\Common Files\server.lcs
2006-10-19 03:28 461 ----a-w C:\Program Files\INSTALL.LOG
2004-10-01 22:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2006-11-13 21:03 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-17_13.00.41.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-17 19:54:51 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-18 15:12:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-30 04:45:47 77,824 ----a-w C:\WINDOWS\system32\kdfapi.dll
+ 2008-05-18 01:06:29 77,824 ----a-w C:\WINDOWS\system32\kdfapi.dll
- 2008-04-30 04:45:47 53,248 ----a-w C:\WINDOWS\system32\Kdfhok.dll
+ 2008-05-18 01:06:29 53,248 ----a-w C:\WINDOWS\system32\Kdfhok.dll
- 2008-04-30 04:45:47 726,568 ----a-w C:\WINDOWS\system32\kdfmgr.exe
+ 2008-05-18 01:06:29 726,568 ----a-w C:\WINDOWS\system32\kdfmgr.exe
- 2008-04-30 04:45:47 192,512 ----a-w C:\WINDOWS\system32\kdfvmgr.exe
+ 2008-05-18 01:06:29 192,512 ----a-w C:\WINDOWS\system32\kdfvmgr.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"= "C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll" [2007-09-16 07:21 103760]

[HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2005-04-20 10:44 894464]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 03:45 23120680]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-12-16 20:50 492808]
"PowerBar"="" []
"SkinClock"="C:\Program Files\Free Desktop Clock\DesktopClock.exe" [2006-10-01 16:50 334848]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-13 00:46 3375104]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Index Washer"="C:\Program Files\Webroot\Washer\WashIdx.exe" [2005-04-07 13:45 51200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2005-11-28 14:02 988701]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2005-12-27 18:01 1544099]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"LVCOMSX"="C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 10:33 243248]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-06-02 01:45 385024]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 17:30 81920]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:30 249856]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 12:38 163840]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-09-22 00:55 57344]
"AsusServiceProvider"="C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe" [2006-08-03 02:25 591360]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2006-08-22 12:46 1422848]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2005-11-28 14:02 118784]
"DT GWY"="C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2007-10-09 18:45 81920]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 16:48 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 19:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 15:58 61440]
"CmPCIaudio"="CMICNFG3.CPL" []
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 03:07 843776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-12-13 00:46 3375104]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-05-04 21:30:00 546816]
network.bat [2008-03-28 17:34:28 62]
Shortcut to KnockOut.lnk - C:\Documents and Settings\User\Desktop\KnockOut.exe [2002-12-16 20:22:42 83968]
µTorrent.lnk - C:\Program Files\uTorrent\utorrent.exe [2006-07-02 09:29:46 219952]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-07-09 12:05:16 25214]
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-09-22 00:55:04 57344]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-04 21:43:54 11000]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:27:34 471040]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-10-22 16:31:03 651264]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2006-10-22 16:03:40 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo1"= CSvidcap.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\mentalray\\satellite\\raysat_3dsmax8.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\mentalray\\satellite\\raysat_3dsmax8server.exe"=
"C:\\Program Files\\Autodesk\\VIZ2007\\3dsviz.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\IBP 9\\IBP.exe"=
"C:\\Program Files\\1stWORKS\\hotCommCL\\BIN\\HotComm.exe"=
"C:\\Program Files\\eSignal Pro\\winros.exe"=
"C:\\Program Files\\TradeStation 8.3 (Build 1419)\\Program\\ORPlat.exe"=
"C:\\Program Files\\TradeStation 8.3 (Build 1419)\\Program\\TickShel.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:*:Disabled:bittorrent 6881
"6882:TCP"= 6882:TCP:*:Disabled:bittorrent 6882
"6883:TCP"= 6883:TCP:*:Disabled:bittorrent 6883
"6884:TCP"= 6884:TCP:*:Disabled:bittorrent 6884
"6888:TCP"= 6888:TCP:*:Disabled:6888 Utorrent

S2 Flexlm Service 1;Flexlm Service 1;C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe [2006-05-29 18:22]
S2 RaySat_3dsmax8Server;RaySat_3dsmax8 Server;C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe [2006-03-24 15:55]
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2006-07-27 21:28]
S3 axskbus;axskbus;C:\WINDOWS\system32\DRIVERS\axskbus.sys []
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 13:50]
S3 IndieVolume;IndieVolume Service;C:\Program Files\IndieVolume\IndieVolume.sys []
S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []
S3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []
S3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-13 04:54:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-16 21:03:16 C:\WINDOWS\Tasks\TradeStation Backup - Monthly.job"
- C:\Program Files\TradeStation 8.3 (Build 1631)\Program\TSBackupRestore.exeT/Backup C:\Program Files\TradeStation 8.3 (Build 1631)\Templates\Backup\Monthly.tsb7C:\Program Files\TradeStation 8.3 (Build 1631)\Program
"2007-04-28 01:22:17 C:\WINDOWS\Tasks\Update iTunes music library.job"
- C:\Documents and Settings\User\My Documents\_Storage\Stored Programs\Utilities\itunes library updater\iTLU.bat
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 08:13:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-18 8:19:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-18 15:18:59
ComboFix2.txt 2008-05-17 20:50:28
ComboFix3.txt 2008-05-17 20:02:02

Pre-Run: 42,981,507,072 bytes free
Post-Run: 42,964,619,264 bytes free

234 --- E O F --- 2008-05-17 19:44:31


*******************
HIJACKTHIS LOG
*******************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:19:51 AM, on 5/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] "C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [JMB36X Configure] "C:\WINDOWS\system32\JMRaidTool.exe" boot
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [AsusServiceProvider] "C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe"
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [DT GWY] C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe -GWY
O4 - HKLM\..\Run: [BrMfcWnd] "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe"
O4 - HKLM\..\Run: [ControlCenter3] "C:\Program Files\Brother\ControlCenter3\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Free Desktop Clock\DesktopClock.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "User"
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: network.bat
O4 - Startup: Shortcut to KnockOut.lnk = C:\Documents and Settings\User\Desktop\KnockOut.exe
O4 - Startup: µTorrent.lnk = C:\Program Files\uTorrent\utorrent.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173376378546
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Flexlm Service 1 - Macrovision Corporation - C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\Data Deposit Box\nts.exe (file missing)
O23 - Service: RaySat_3dsmax8 Server (RaySat_3dsmax8Server) - Unknown owner - C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/User/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.gif

--
End of file - 12200 bytes
 
Hi

Delete these:

C:\WINDOWS\system32\hwnpyval.dll
C:\WINDOWS\system32\kjboyfdh.dll
C:\WINDOWS\system32\mrgwwqfh.dll
C:\WINDOWS\system32\qtyyhqkt.exe

Empty Recycle Bin.

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)
    Kas-SaveReport-1.gif
  • In the Save as... prompt, select Desktop
  • In the File name box, name the file KasScan-ddmmyy (or similar)
  • In the Save as type prompt, select Text file (see below)
    Kas-Savetxt.gif
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only! Keep ALL other programs closed during the scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Post:

- a fresh HijackThis log
- Kaspersky report
 
do I do this in safe or normal mode?

Hi Shaba,

Should I do this in Safe mode with networking on, or in Normal mode? Does it matter?
 
kaspersky and HJT report

Ok, that took a while :-)

I've attached the reports, completed in Normal mode.

**************
KASPERSKY REPORT
**************
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, May 18, 2008 5:59:19 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/05/2008
Kaspersky Anti-Virus database records: 783219
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
M:\

Scan Statistics:
Total number of scanned objects: 246103
Number of viruses found: 11
Number of infected objects: 36
Number of suspicious objects: 4
Duration of the scan process: 02:46:00

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Trend Micro\TrendSecure\Log\TS-CF-20080514-060130-343.log Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\MSHist012008051820080519\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temp\IMGBD8.tmp Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temp\Perflib_Perfdata_10a8.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temp\Perflib_Perfdata_15fc.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temp\Perflib_Perfdata_a10.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temp\Perflib_Perfdata_ebc.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\My Documents\outlook backup\backup1.pst/Alexander's Mail & Contacts/Inbox/Daily/PalmPilot/03 Mar 2000 15:08 from InSync Online:Beam Me The Money.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\User\My Documents\outlook backup\backup1.pst MailMSMaill: suspicious - 1 skipped
C:\Documents and Settings\User\My Documents\_Storage\Stored Programs\Utilities\DShutdown\DShutdown.exe Infected: not-a-virus:RiskTool.Win32.Shutdown.g skipped
C:\Documents and Settings\User\My Documents\_Storage\Stored Programs\Utilities\vnc\UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
C:\Documents and Settings\User\My Documents\_Storage\Stored Programs\Utilities\vnc\UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
C:\Documents and Settings\User\My Documents\_Storage\Stored Programs\Utilities\vnc\UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped
C:\Documents and Settings\User\My Documents\_Storage\Stored Programs\Utilities\vnc\UltraVNC-102-Setup.exe Inno: infected - 3 skipped
C:\Documents and Settings\User\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\User\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2008-05-18.10-18-28.log Object is locked skipped
C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\aad.log Object is locked skipped
C:\Program Files\UltraVNC\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cgqyuqen.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.rtf skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hdauvuyy.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rnupvjbb.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rpvvnudr.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wbwhikhg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.rtf skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wqyomtnc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.rsp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xxyxUoOh.dll.vir Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\QooBox\Quarantine\catchme2008-05-17_134054.25.zip/yayXrsqq.dll Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\QooBox\Quarantine\catchme2008-05-17_134054.25.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP619\A0147819.exe/data0000.cab/is152564.exe Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP619\A0147819.exe/data0000.cab Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP619\A0147819.exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP619\A0147820.exe/data0000.cab/is152564.exe Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP619\A0147820.exe/data0000.cab Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP619\A0147820.exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP619\A0147821.exe/data0000.cab/is153740.exe Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP619\A0147821.exe/data0000.cab Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP619\A0147821.exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP621\A0154054.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rqy skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP621\A0154078.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rqz skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP621\A0154079.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rsp skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP626\A0162965.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rtf skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP626\A0162968.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP626\A0162972.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP626\A0162973.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP626\A0162976.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rtf skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP626\A0162977.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rsp skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP626\A0162978.dll Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP626\A0164086.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP627\A0164117.exe Infected: not-a-virus:Monitor.Win32.Perflogger.ad skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP627\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{47C887F7-3ED1-4C45-AA43-1E16769B03C0}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd2749.sys Object is locked skipped
C:\WINDOWS\system32\drivers\vaxscsi.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_210.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP627\change.log Object is locked skipped
E:\temp\outlook backup\backup1.pst/Alexander's Mail & Contacts/Inbox/Daily/PalmPilot/03 Mar 2000 15:08 from InSync Online:Beam Me The Money.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
E:\temp\outlook backup\backup1.pst MailMSMaill: suspicious - 1 skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP627\change.log Object is locked skipped
M:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
M:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP627\change.log Object is locked skipped

Scan process completed.


**************
HJT REPORT
**************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:00:59 PM, on 5/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe
C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe
C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\adskflex.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Free Desktop Clock\DesktopClock.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Documents and Settings\User\Desktop\KnockOut.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] "C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [JMB36X Configure] "C:\WINDOWS\system32\JMRaidTool.exe" boot
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [AsusServiceProvider] "C:\Program Files\ASUS\AASP\1.00.05\aaCenter.exe"
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [DT GWY] C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe -GWY
O4 - HKLM\..\Run: [BrMfcWnd] "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe"
O4 - HKLM\..\Run: [ControlCenter3] "C:\Program Files\Brother\ControlCenter3\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Free Desktop Clock\DesktopClock.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: network.bat
O4 - Startup: Shortcut to KnockOut.lnk = C:\Documents and Settings\User\Desktop\KnockOut.exe
O4 - Startup: µTorrent.lnk = C:\Program Files\uTorrent\utorrent.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173376378546
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Flexlm Service 1 - Macrovision Corporation - C:\Program Files\Autodesk Architectural Desktop 2007\FlexLM\lmgrd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\Data Deposit Box\nts.exe (file missing)
O23 - Service: RaySat_3dsmax8 Server (RaySat_3dsmax8Server) - Unknown owner - C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/User/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.gif

--
End of file - 15436 bytes
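
Added example, not part of this thread and not HijackThis code: a small triage pass over the kind of O4/O23/O24 lines in the log above. The sample lines are a subset copied from that log (constructed into a list here); the scoring rules are this example's own assumptions about what a helper looks at first, namely autostarts that point into user-writable locations (Desktop, Temp), services with no identifiable publisher or a missing binary, unresolvable startup shortcuts, and bare scripts in a Startup folder.

```python
"""Triage of HijackThis O4/O23/O24 entries (added example, not HijackThis logic)."""
from dataclasses import dataclass

# Constructed sample: a subset of the O4/O23/O24 lines from the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - Startup: network.bat
O4 - Startup: Shortcut to KnockOut.lnk = C:\Documents and Settings\User\Desktop\KnockOut.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Online Backup Service - Unknown owner - C:\Program Files\Data Deposit Box\Data Deposit Box\nts.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/User/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.gif
"""

# Assumption of this example: a persistent autostart should almost never point
# into a user-writable scratch location such as the Desktop or a Temp folder.
USER_WRITABLE = ("\\desktop\\", "\\temp\\", "\\locals~1\\")
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js")


@dataclass
class Finding:
    kind: str      # HijackThis section, e.g. "O4", "O23", "O24"
    label: str     # "ok", "review" or "suspect"
    reason: str
    entry: str


def classify(entry: str) -> Finding:
    """Apply the triage rules to one HijackThis log line."""
    kind = entry.split(" - ", 1)[0].strip()
    # O24 entries use file:/// URLs; normalise slashes so one check covers both.
    low = entry.lower().replace("/", "\\")
    if kind in ("O4", "O24") and any(d in low for d in USER_WRITABLE):
        return Finding(kind, "suspect", "autostart points into a user-writable location", entry)
    if kind == "O23" and "(file missing)" in low:
        return Finding(kind, "review", "service binary is missing: orphaned install or removed malware", entry)
    if kind == "O23" and "unknown owner" in low:
        return Finding(kind, "review", "service binary has no identifiable publisher", entry)
    if kind == "O4" and low.rstrip().endswith(" = ?"):
        return Finding(kind, "review", "startup shortcut target could not be resolved", entry)
    if kind == "O4" and "startup:" in low and low.rstrip().endswith(SCRIPT_EXTS):
        return Finding(kind, "review", "script in a Startup folder; read its contents", entry)
    return Finding(kind, "ok", "", entry)


def triage(log_text: str) -> list:
    """Classify every non-empty line of a HijackThis log."""
    return [classify(line.strip()) for line in log_text.splitlines() if line.strip()]


def flagged(log_text: str) -> list:
    """Only the entries a helper would ask the poster about."""
    return [f for f in triage(log_text) if f.label != "ok"]


if __name__ == "__main__":
    for f in flagged(SAMPLE_LOG):
        print(f"{f.label:8} {f.kind:4} {f.reason}")
        print(f"         {f.entry}")
```

On the sample above the pass flags the Desktop-resident KnockOut.exe and the Temp-backed desktop component as suspect, and the bare network.bat, the unresolved Quicken shortcut and the two "Unknown owner" services for review; the Trend Micro and Acronis entries pass. The rules are deliberately coarse: a hit means "ask", not "malware".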
 
Hi

Empty this folder:

C:\QooBox\Quarantine

Delete this unless you need it:

E:\temp\outlook backup\backup1.pst

Empty Recycle Bin.

All other viruses are in System Restore and inactive.

I will give you instructions later on how to empty it.

Other than that, any problems left?
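
Added example, not part of this thread and not a Kaspersky tool: the reasoning in the reply above (detections under System Volume Information are restore-point copies, locked objects are in-use system files, the .pst hits are inside a mail archive, and only anything left over is an active infection) written as a classifier over Kaspersky scan-report lines. The sample is constructed from lines of the report posted above plus one invented "active" line (C:\WINDOWS\system32\hypothetical.dll, a hypothetical path) so the branch that matters is exercised; the categories and the line grammar the regex expects are this example's own assumptions.

```python
"""Sort Kaspersky scan-report lines by where the detection lives (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: lines copied from the posted report plus one invented
# active detection (hypothetical.dll) that is NOT in the original log.
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP626\A0162968.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP626\A0162976.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.rtf skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP627\A0164117.exe Infected: not-a-virus:Monitor.Win32.Perflogger.ad skipped
C:\System Volume Information\_restore{40DC1747-85F4-4F34-9DC9-A377820662D9}\RP627\change.log Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
E:\temp\outlook backup\backup1.pst/Alexander's Mail & Contacts/Inbox/Daily/PalmPilot/03 Mar 2000 15:08 from InSync Online:Beam Me The Money.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
E:\temp\outlook backup\backup1.pst MailMSMaill: suspicious - 1 skipped
C:\WINDOWS\system32\hypothetical.dll Infected: Trojan.Win32.Monder.gen skipped
"""

# Assumed line grammar: "<path> <verdict> skipped".
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<verdict>Infected: \S+|Suspicious: \S+|Object is locked|\w+: suspicious - \d+)"
    r"\s+skipped$"
)
# Restore-point copies live under System Volume Information\_restore{GUID}\RPnnn\.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[^}]+\}\\(RP\d+)\\", re.I)


@dataclass
class Detection:
    path: str
    verdict: str
    category: str          # active | restore_point | mail_archive | locked | unparsed
    restore_point: str = ""


def classify(line: str) -> Detection:
    """Place one report line in the bucket that decides what to do with it."""
    m = LINE_RE.match(line)
    if not m:
        return Detection(line, "", "unparsed")
    path, verdict = m.group("path"), m.group("verdict")
    if verdict == "Object is locked":
        return Detection(path, verdict, "locked")          # in-use system file, nothing to clean
    rp = RESTORE_RE.search(path)
    if rp:
        return Detection(path, verdict, "restore_point", rp.group(1))  # inactive until restored
    if ".pst" in path.lower():
        return Detection(path, verdict, "mail_archive")    # lives inside a mailbox file
    return Detection(path, verdict, "active")              # on the live file system: act on it


def bucket(report: str) -> dict:
    """Group every non-empty line of the report by category."""
    out = defaultdict(list)
    for line in report.splitlines():
        if line.strip():
            d = classify(line.strip())
            out[d.category].append(d)
    return dict(out)


def needs_action(report: str) -> list:
    """Paths that are infected and not merely parked in a restore point or archive."""
    return [d.path for d in bucket(report).get("active", [])]


def restore_points(report: str) -> set:
    """Restore points holding infected copies; purging System Restore clears them."""
    return {d.restore_point for d in bucket(report).get("restore_point", [])}


if __name__ == "__main__":
    for cat, items in bucket(SAMPLE_REPORT).items():
        print(f"{cat}: {len(items)}")
    print("act on:", needs_action(SAMPLE_REPORT))
    print("restore points to purge:", sorted(restore_points(SAMPLE_REPORT)))
```

Run against the real report the "active" bucket would be empty, which is exactly the helper's conclusion; the restore-point set tells you which RPnnn folders go away when System Restore is purged, and the mail-archive bucket is the .pst the helper suggests deleting.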
 
What do you recommend

Hi,
I deleted the files in that folder and emptied the recycle bin. I don't know how I can tell if there is anything else in my computer.

Do you recommend a particular Security Suite to people? I use TrendMicro, which didn't catch this outbreak...

I've installed Firefox on my machine because I'm afraid to use Internet Explorer - is this what you use?

...so how do we get rid of the restore stuff?


Thank you for all this help Shaba - I appreciate it !
 
Hi

"Do you recommend a particular Security Suite to people? I use TrendMicro, which didn't catch this outbreak...

I've installed Firefox on my machine because I'm afraid to use Internet Explorer - is this what you use?

...so how do we get rid of the restore stuff?"

Well, I don't recommend any particular one, but I think that Kaspersky Internet Suite (KIS) is maybe one of the best suites available.

Yes, I use Firefox.

I'll give you the final instructions in a bit, unless you have any other questions?
 
Can the Virtumonde spread

Hi,
I had another computer in my network that was also infected. I took it off the network as soon as I realized what had happened, to make sure no cross-contamination would occur between the machines.

I ended up taking the hard drive from a third, clean machine and installing it in the infected computer, reconfigured Windows XP so that it worked on the new hardware, and attached the infected hard drive as a secondary drive so I could get the required files off it.

Prior to taking any of the files off the infected drive I ran Kaspersky and it did find Virtumonde among other spyware and viruses, which it attempted to delete, disinfect etc.

What I want to do is grab the My Documents folder, email (.pst) backup file and Desktop/Favorites off it (and they are clean) and then wipe the infected drive with 'KillDisk' or equivalent - is it dangerous for me to take these files and transfer them to the clean drive?

And can Virtumonde jump from the infected hard drive to the clean one in this scenario?

Thanks so much!
 