Virtumonde Help

T

tangy_zizzle99

New member
I am also having the same virtumonde problem as many of you (I also wanted to have someone take a look at my log and see if there is anything else grabbing attention).
Here is my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:47 PM, on 9/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\CFusionMX7\runtime\bin\jrunsvc.exe
C:\CFusionMX7\db\slserver54\bin\swagent.exe
C:\CFusionMX7\db\slserver54\bin\swstrtr.exe
C:\CFusionMX7\runtime\bin\jrun.exe
C:\CFusionMX7\db\slserver54\bin\swsoc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2index.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\niSvcLoc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.4\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\internet explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GlobalSpec Engineering Toolbar - {4E7BD74F-2B8D-469E-D1FB-EF7FB3D5FA7D} - C:\PROGRA~1\gspec\gspec.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: GlobalSpec Engineering Toolbar - {4E7BD74F-2B8D-469E-D1FB-EF7FB3D5FA7D} - C:\PROGRA~1\gspec\gspec.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB001" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA7181] command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1148] cmd /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA772] command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5942] cmd /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKLM\..\RunOnce: [SpybotDeletingA4826] command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3867] cmd /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6666] command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC832] cmd /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [EssentialPIM Pro Portable] "C:\Documents and Settings\Jackie1\Application Data\U3\0000060509085983\D21BCD35-A0B0-4a36-B3EE-25E71DE87398\Exec\EssentialPIM.exe" /autorun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\RunOnce: [SpybotDeletingB6057] command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2779] cmd /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4541] command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3086] command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1228] cmd /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3541] command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4041] cmd /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk.disabled
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Monitor Apache Servers.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143741896000
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128336298531
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 ODBC Agent - Unknown owner - C:\CFusionMX7\db\slserver54\bin\swagent.exe
O23 - Service: ColdFusion MX 7 ODBC Server - Unknown owner - C:\CFusionMX7\db\slserver54\bin\swstrtr.exe
O23 - Service: ColdFusion MX 7 Search Server - Verity, Inc. - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NILM License manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS\system32\niSvcLoc.exe
O23 - Service: Port Reporter (PortReporter) - Unknown owner - C:\Program Files\PortReporter\portreporter.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 15979 bytes
 
Next

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:18:36 PM, on 9/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\CFusionMX7\runtime\bin\jrunsvc.exe
C:\CFusionMX7\db\slserver54\bin\swagent.exe
C:\CFusionMX7\db\slserver54\bin\swstrtr.exe
C:\CFusionMX7\runtime\bin\jrun.exe
C:\CFusionMX7\db\slserver54\bin\swsoc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2index.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\niSvcLoc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.4\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GlobalSpec Engineering Toolbar - {4E7BD74F-2B8D-469E-D1FB-EF7FB3D5FA7D} - C:\PROGRA~1\gspec\gspec.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: GlobalSpec Engineering Toolbar - {4E7BD74F-2B8D-469E-D1FB-EF7FB3D5FA7D} - C:\PROGRA~1\gspec\gspec.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB001" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA7181] command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1148] cmd /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA772] command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5942] cmd /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKLM\..\RunOnce: [SpybotDeletingA4826] command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3867] cmd /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6666] command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC832] cmd /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5016] command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC669] cmd /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [EssentialPIM Pro Portable] "C:\Documents and Settings\Jackie1\Application Data\U3\0000060509085983\D21BCD35-A0B0-4a36-B3EE-25E71DE87398\Exec\EssentialPIM.exe" /autorun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\RunOnce: [SpybotDeletingB8534] command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5925] cmd /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk.disabled
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Monitor Apache Servers.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143741896000
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128336298531
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 ODBC Agent - Unknown owner - C:\CFusionMX7\db\slserver54\bin\swagent.exe
O23 - Service: ColdFusion MX 7 ODBC Server - Unknown owner - C:\CFusionMX7\db\slserver54\bin\swstrtr.exe
O23 - Service: ColdFusion MX 7 Search Server - Verity, Inc. - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NILM License manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS\system32\niSvcLoc.exe
O23 - Service: Port Reporter (PortReporter) - Unknown owner - C:\Program Files\PortReporter\portreporter.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 15580 bytes
 
Combo

ComboFix 07-08-30.3 - "Jackie1" 2007-09-04 17:06:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.128 [GMT -5:00]


((((((((((((((((((((((((( Files Created from 2007-08-04 to 2007-09-04 )))))))))))))))))))))))))))))))


2007-09-04 11:30 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-31 10:42 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-31 06:25 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-21 21:06 <DIR> d-------- C:\WINDOWS\system32\quicktime
2007-08-21 21:06 <DIR> d-------- C:\Program Files\AVI Codec Pack
2007-08-06 11:00 <DIR> d-------- C:\Program Files\iPod
2007-08-06 10:59 <DIR> d-------- C:\Program Files\iTunes


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-02 23:54 --------- d-------- C:\DOCUME~1\Jackie1\APPLIC~1\U3
2007-08-23 13:53 --------- d-------- C:\DOCUME~1\Jackie1\APPLIC~1\gspec
2007-08-21 20:53 --------- d-------- C:\Program Files\Winamp
2007-07-27 10:55 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-23 02:42 --------- d-------- C:\DOCUME~1\Jackie1\APPLIC~1\Apple Computer
2007-07-13 18:11 --------- d-------- C:\Program Files\QuickTime
2007-07-13 18:08 --------- d-------- C:\Program Files\Apple Software Update
2007-07-11 13:36 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-11 13:36 --------- d-------- C:\Program Files\OBID
2007-07-06 18:31 --------- d-------- C:\DOCUME~1\Jackie1\APPLIC~1\WinRAR
2007-07-04 12:33 --------- d-------- C:\Program Files\Common Files\Apple
2007-07-04 12:33 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe


((((((((((((((((((((((((((((( snapshot_2007-08-31_ 63211.81 )))))))))))))))))))))))))))))))))))))))))

----a-w 135,194 2007-08-31 14:26:10 C:\WINDOWS\system32\perfc009.dat
----a-w 602,682 2007-08-31 14:26:10 C:\WINDOWS\system32\perfh009.dat
----a-w 821,600 2007-09-04 10:20:51 C:\WINDOWS\system32\drivers\avg7core.sys
----a-w 234,731 2007-08-31 13:18:03 C:\WINDOWS\system32\inetsrv\MetaBase.bin
----atw 16,384 2007-08-31 13:14:56 C:\WINDOWS\temp\Perflib_Perfdata_8dc.dat
----atw 16,384 2007-08-31 13:15:28 C:\WINDOWS\temp\Perflib_Perfdata_b24.dat
--sha-w 16,384 2007-09-03 12:18:02 C:\WINDOWS\temp\Cookies\index.dat
--sha-w 16,384 2007-09-03 12:18:02 C:\WINDOWS\temp\History\History.IE5\index.dat
--sha-w 32,768 2007-09-03 12:18:02 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\index.dat

----a-w 135,194 2007-08-27 11:31:55 C:\WINDOWS\system32\perfc009.dat
----a-w 602,682 2007-08-27 11:31:56 C:\WINDOWS\system32\perfh009.dat
----a-w 821,536 2007-08-16 10:21:19 C:\WINDOWS\system32\drivers\avg7core.sys
----a-w 234,726 2007-08-27 08:48:28 C:\WINDOWS\system32\inetsrv\MetaBase.bin
----atw 16,384 2007-08-15 08:08:25 C:\WINDOWS\temp\Perflib_Perfdata_8dc.dat
--sha-w 16,384 2007-08-27 12:18:02 C:\WINDOWS\temp\Cookies\index.dat
--sha-w 16,384 2007-08-27 12:18:02 C:\WINDOWS\temp\History\History.IE5\index.dat
--sha-w 49,152 2007-08-27 12:18:02 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\index.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 13:28 C:\WINDOWS\KHALMNPR.Exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-16 06:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2005-05-31 01:04]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-08-16 05:21]
"EPSON Stylus Photo RX600"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.exe" [2003-09-10 03:00]
"NWEReboot"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-15 16:12]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"EssentialPIM Pro Portable"="C:\Documents and Settings\Jackie1\Application Data\U3\0000060509085983\D21BCD35-A0B0-4a36-B3EE-25E71DE87398\Exec\EssentialPIM.exe" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 14:32]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 09:53]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 14:39]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingD2779"=cmd /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
"SpybotDeletingB4541"=command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
"SpybotDeletingB3086"=command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
"SpybotDeletingD1228"=cmd /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
"SpybotDeletingB3541"=command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
"SpybotDeletingD4041"=cmd /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Spybot - Search & Destroy"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
"SpybotDeletingA7181"=command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
"SpybotDeletingC1148"=cmd /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
"SpybotDeletingA772"=command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
"SpybotDeletingC5942"=cmd /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
"SpybotDeletingA4826"=command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
"SpybotDeletingC3867"=cmd /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
"SpybotDeletingA6666"=command /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"
"SpybotDeletingC832"=cmd /c del "C:\WINDOWS\system32\SENDKEY.DLL_tobedeleted"

C:\DOCUME~1\Jackie1\STARTM~1\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"C-Media Mixer"=Mixer.exe /startup
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
"WinVNC"="C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
"WinampAgent"=C:\Program Files\Winamp\winampa.exe

R1 vcdrom;Virtual CD-ROM Device Driver;\??\C:\WINDOWS\system32\drivers\VCdRom.sys
R2 ColdFusion MX 7 Application Server;ColdFusion MX 7 Application Server;"C:\CFusionMX7\runtime\bin\jrunsvc.exe"
R2 ColdFusion MX 7 ODBC Agent;ColdFusion MX 7 ODBC Agent;C:\CFusionMX7\db\slserver54\bin\swagent.exe "ColdFusion MX 7 ODBC Agent"
R2 ColdFusion MX 7 ODBC Server;ColdFusion MX 7 ODBC Server;C:\CFusionMX7\db\slserver54\bin\swstrtr.exe "ColdFusion MX 7 ODBC Server"
R2 ColdFusion MX 7 Search Server;ColdFusion MX 7 Search Server;"C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R2 MAC_IBM;MAC_IBM;C:\WINDOWS\system32\drivers\MAC_IBM.sys
R2 MAC_MOT;MAC_MOT;C:\WINDOWS\system32\drivers\MAC_MOT.sys
R2 Macraigor_PCI;Macraigor_PCI;C:\WINDOWS\system32\drivers\windrvr.sys
R2 MsDtsServer;SQL Server Integration Services;"C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe"
R2 PEDRV;P&E Microcomputer System PCI Driver.;C:\WINDOWS\system32\drivers\PEDRV.sys
R2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);"C:\Program Files\Microsoft SQL Server\MSSQL.4\Reporting Services\ReportServer\bin\ReportingServicesService.exe"
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
R2 VICHW11;P&E BDM Cable Driver II;\??\C:\WINDOWS\SYSTEM32\DRIVERS\VICHW11.SYS
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 WinDriver6;WinDriver6;C:\WINDOWS\system32\drivers\windrvr6.sys
S2 ParllIo;Zeecube Direct I/O PPort Driver;\??\C:\WINDOWS\system32\ParllIo.sys
S2 WinDriver;WinDriver;C:\WINDOWS\system32\drivers\WINDRVR.SYS
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 PortReporter;Port Reporter;C:\Program Files\PortReporter\portreporter.exe
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
AutoRun\command- I:\LaunchU3.exe -a

*Newly Created Service* - GTNDIS5

Contents of the 'Scheduled Tasks' folder
2007-09-03 12:18:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-09-04 11:59:22 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-04 17:11:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql]
"ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe\" -s:MSSQL.2 -f:MSSQLSERVER"

Completion time: 2007-09-04 17:12:41
C:\ComboFix-quarantined-files.txt ... 2007-09-04 17:12
C:\ComboFix2.txt ... 2007-08-31 06:33

--- E O F ---
 
Virtumonde

Please help.
Still having the same problem.
Cannot remove virtumonde

TeaTimer also requests registry change everytime after Spybot scan of like 5 separate reg entries
 
Hello.

Because of the volume of posts to your own topic, helpers may have thought you were already being assisted.

We ask only for a HJT log and the results of an on-line anti virus scan.

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)

Start with ONLY the Two Logs We Ask For in Our Sticky Topic, NOT CF etc

For people waiting who have not resolved their problem, we have a sticky topic:
The Waiting Room: Post here if waiting for help longer than four days

However if members waiting for assistance do not post there, their topic is archived after seven days.

If you need the thread re-opened, please send me a private message (pm) and provide a link.
 
You must log in or register to reply here.
Back
Top