Virtumonde infected my comp. Please help!

Alexandergreat3 · Nov 18, 2008

Hi folks,

My comp has just been infected with the Virtumonde, and I can't seem to be able to get rid of it using Spybot S&D. It is redirecting my web browser and seems to be causing my hard drive to make constant noises and giving me fake security warnings, telling me to download "antispyware programs". Please help!

Here is my HiJackThis 2.0.2 log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:18 PM, on 11/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SysNotifier.exe
C:\Documents and Settings\1\Desktop\ADWARE & SPYWARE REMOVER\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061207
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [f03d2091] rundll32.exe "C:\WINDOWS\system32\tekejumn.dll",b
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1217624078015
O17 - HKLM\System\CCS\Services\Tcpip\..\{931ECC4B-5F93-4997-89BA-4D55A76595F7}: NameServer = 69.19.190.116 69.19.190.120
O20 - AppInit_DLLs: cowyfu.dll
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

--
End of file - 3075 bytes

Bio-Hazard · Nov 18, 2008

Hello and Welcome to forums!

My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

I will be working on your Malware issues this may or may not solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine.
I f you don't know or understand something please don't hesitate to ask.
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Absence of symptoms does not mean that everything is clear.

NOTE: Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe

Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

Alternate download link 1
Alternate download link 2

Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
- Make sure the Perform Full Scan option is selected.
- Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say The scan completed successfully. Click 'Show Results' to display all objects found.
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.[/color]

Download and Run ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Double click on ComboFix.exe and follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more that 20 minutes including the reboot if malware is detected.

Next Reply

Please reply with:

ComboFix log (found at C:\Combofix.txt)
Malwarebytes Antimalware Log
New HijackThis log

Alexandergreat3 · Nov 18, 2008

Hi BioHazard,

Thank you for your reply.

Here is my current situation:

Comp is running on safe mode (normal mode gave me an error Stop: c0000218 Unknown Hard Error)
Comp has no internet connection due to safe mode (I'm on another comp)
I have ran the Malwarebytes' Anti-Malware and fixed several trojans
I'm running the ComboFix right now (without the Microsoft Recovery Console)

Question: Where can I download the MS Recovery Console?

Thank you very much for helping me!

Alexandergreat3 · Nov 18, 2008

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:13 AM, on 11/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\1\Desktop\ADWARE & SPYWARE REMOVER\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061207
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1217624078015
O17 - HKLM\System\CCS\Services\Tcpip\..\{931ECC4B-5F93-4997-89BA-4D55A76595F7}: NameServer = 69.19.190.116 69.19.190.120
O20 - AppInit_DLLs: bdaqte.dll
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

--
End of file - 3261 bytes
------------------------------------------------

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 2

11/18/2008 9:45:22 AM
mbam-log-2008-11-18 (09-45-22).txt

Scan type: Full Scan (C:\|)
Objects scanned: 80522
Time elapsed: 9 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\bdaqte.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\iifgHxUM.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ljJATmJC.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{1cad29df-1d6d-41a2-8c55-eaa2c7edcdeb} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{3382d6a5-7973-4e14-96ea-bdf15b8011a3} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e15338c4-490d-4636-9a99-5f75c3c8cd42} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljjatmjc (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1cad29df-1d6d-41a2-8c55-eaa2c7edcdeb} (Trojan.BHO.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3382d6a5-7973-4e14-96ea-bdf15b8011a3} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e15338c4-490d-4636-9a99-5f75c3c8cd42} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\iifghxum -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\iifghxum -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\1\Application Data\Lavasoft\abkrc.dll (Trojan.BHO.H) -> Delete on reboot.
C:\Documents and Settings\1\Desktop\ADWARE & SPYWARE REMOVER\backups\backup-20081117-004808-334.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\1\Desktop\ADWARE & SPYWARE REMOVER\backups\backup-20081117-005454-378.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\1\Desktop\ADWARE & SPYWARE REMOVER\backups\backup-20081117-005521-140.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\1\Desktop\ADWARE & SPYWARE REMOVER\backups\backup-20081117-005754-532.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\1\Desktop\ADWARE & SPYWARE REMOVER\backups\backup-20081117-010419-310.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\1\Desktop\ADWARE & SPYWARE REMOVER\backups\backup-20081117-012124-432.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\1\Desktop\CONTAINER FOR UNKNOWN PROGRAMS\pmnmjJBT.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\1\Local Settings\Temporary Internet Files\Content.IE5\EQQHTLCY\index[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\1\Local Settings\Temporary Internet Files\Content.IE5\NB91PTPM\kb600179[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MUxHgfii.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MUxHgfii.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bdaqte.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\iifgHxUM.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ldltufry.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJATmJC.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yrfutldl.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

--------------------------------

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 2

11/18/2008 9:56:48 AM
mbam-log-2008-11-18 (09-56-32).txt

Scan type: Full Scan (C:\|)
Objects scanned: 70490
Time elapsed: 7 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljjatmjc (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ljJATmJC.dll (Trojan.Vundo.H) -> No action taken.

-----------------------------------

ComboFix 08-11-17.06 - 1 2008-11-18 11:18:07.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.832 [GMT -8:00]

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\poolsv.exe
c:\windows\system32\cowyfu.dll
c:\windows\system32\drivers\TDSSpaxt.sys
c:\windows\system32\drivers\TDSSpqxt.sys
c:\windows\system32\fjzjhl.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\plybuvmk.dll
c:\windows\system32\sptjdlgu.dll
c:\windows\system32\TDSScfgb.dll
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSfpmp.dll
c:\windows\system32\TDSSfxmp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSoeqh.dll
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSoiqh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSosvn.dll
c:\windows\system32\TDSSpaxt.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsbhc.dll
c:\windows\system32\TDSSthym.log
c:\windows\system32\TDSStkdv.log
c:\windows\system32\ttjxvkle.dll
c:\windows\system32\x64
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV
-------\Legacy_TDSSSERV
-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
-------\Legacy_NPF
-------\Legacy_PACKET
-------\Service_NPF
-------\Service_Packet

((((((((((((((((((((((((( Files Created from 2008-10-18 to 2008-11-18 )))))))))))))))))))))))))))))))
.

2008-11-18 09:30 . 2008-11-18 09:30 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-18 09:30 . 2008-11-18 09:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-18 09:30 . 2008-11-18 09:30 <DIR> d-------- c:\documents and settings\1\Application Data\Malwarebytes
2008-11-18 09:30 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-18 09:30 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-17 22:51 . 2008-11-18 09:44 200,704 --a------ c:\windows\SysNotifier.exe
2008-11-17 22:30 . 2008-11-17 22:30 120 ---hs---- c:\windows\system32\nmujeket.ini
2008-11-17 02:21 . 2008-11-17 02:21 <DIR> d-------- c:\program files\InterMute
2008-11-16 22:47 . 2008-11-16 22:47 120 --ahs---- c:\windows\system32\eepsbphf.ini
2008-11-15 19:03 . 2008-11-15 19:03 26,624 --a------ c:\documents and settings\1\~.exe
2008-11-07 16:42 . 2008-11-07 16:42 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-07 16:42 . 2008-11-07 16:42 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 17:46 --------- d-----w c:\documents and settings\1\Application Data\Lavasoft
2008-11-18 07:26 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-18 01:12 --------- d-----w c:\program files\Lx_cats
2008-11-15 08:53 --------- d-----w c:\documents and settings\1\Application Data\LimeWire
2008-11-14 20:19 --------- d-----w c:\program files\LimeWire
2008-11-13 02:44 2,048 ----a-w c:\windows\vknt.tmp
2008-11-08 21:59 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-22 06:56 737,280 ----a-w c:\windows\iun6002.exe
2008-06-08 19:55 100,496 ----a-w c:\documents and settings\1\Application Data\GDIPFONTCACHEV1.DAT
2006-12-15 00:05 0 ------w c:\documents and settings\1\Application Data\wklnhst.dat
2006-12-14 01:48 88 --sha-r c:\windows\system32\04202E8837.sys
2006-12-14 02:01 2,516 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"LXCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-07-20 73728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-07 98304]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-27 143360]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-27 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-27 135168]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2008-10-22 1261200]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-26 169984]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 c:\windows\stsystra.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Wrapper"="runonce" [X]
"GrpConv"="grpconv -o" [X]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2008-10-22 399504]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-05-30 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-12 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=bdaqte.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--------- 2005-11-17 01:33 52848 c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellHelp]
--a------ 2004-04-01 06:51 1589248 c:\dell\DellHelp\DellHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--------- 2005-10-05 01:12 94208 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 12:01 67584 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
--------- 2005-07-12 01:36 299008 c:\program files\Lexmark Fax Solutions\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2008-06-27 07:11 163840 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--------- 2006-07-06 05:15 151552 c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
--------- 2005-11-17 01:33 120464 c:\program files\Norton Internet Security\CfgWiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--------- 2004-07-27 14:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--------- 2004-07-27 14:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxccmon.exe]
--------- 2005-07-20 16:16 192512 c:\program files\Lexmark 3300 Series\LXCCmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 08:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2008-06-27 07:10 135168 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
--------- 2005-11-17 01:33 218240 c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
--------- 2005-11-17 01:33 23168 c:\program files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"mnmsrvc"=3 (0x3)
"Symantec Core LC"=3 (0x3)
"SNDSrvc"=3 (0x3)
"NSCService"=3 (0x3)
"ERSvc"=2 (0x2)
"ehSched"=2 (0x2)
"ehRecvr"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"rpcapd"=3 (0x3)
"MDM"=2 (0x2)
"comHost"=3 (0x3)
"ccISPwdSvc"=3 (0x3)
"SPBBCSvc"=2 (0x2)
"LiveUpdate"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"=
"c:\\Program Files\\GamePark\\GameparkUpdate.exe"=
"c:\\Program Files\\GamePark\\gameparkclient_en.exe"=
"c:\\Program Files\\GamePark\\gameparkloader_en.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\PokerStars\\PokerStars.exe"=
"c:\\Program Files\\PokerStars\\PokerStarsCommunicate.exe"=
"c:\\Program Files\\PokerStars\\PokerStarsUpdate.exe"=
"c:\\Program Files\\PokerStars\\Tracer.exe"=
"c:\\Program Files\\WildTangent\\Apps\\Dell Game Console\\GameConsole.exe"=
"c:\\WINDOWS\\system32\\lxcccoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxccpswx.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"=
"c:\\Program Files\\IGZones\\IGZones.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)

S0 qikio;qikio;c:\windows\system32\drivers\lxvye.sys []
S2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\DRIVERS\hnm_wrls_pkt.sys [2006-07-13 13824]
S2 wsppkt;Wireless Security Protocol;c:\windows\system32\DRIVERS\wsp_pkt.sys [2006-07-13 13696]
S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;c:\windows\system32\DRIVERS\wg11tnd5.sys [2007-03-13 285216]
S3 ATHFMWDL;NETGEAR WG111T bootloader driver;c:\windows\system32\Drivers\ATHFMWDL.sys [2007-03-13 43392]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\c:\windows\system32\DNINDIS5.SYS [2007-03-11 17149]
S3 NAL;Nal Service ;\??\c:\windows\system32\Drivers\iqvw32.sys [2006-06-05 24064]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - 1.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-11-17 01:32]

2008-11-18 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-07-30 14:45]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB} - c:\documents and settings\1\Application Data\Lavasoft\abkrc.dll
BHO-{E15338C4-490D-4636-9A99-5F75C3C8CD42} - c:\windows\system32\iifgHxUM.dll
HKLM-RunOnce-<NO NAME> - (no file)
Notify-abkrc - c:\documents and settings\1\Application Data\Lavasoft\abkrc.dll
SafeBoot-TDSSpaxt.sys
MSConfigStartUp-ECenter - c:\dell\E-Center\EULALauncher.exe

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-18 11:27:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\system32\tsd32.dll
.
Completion time: 2008-11-18 11:30:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-18 19:30:22

Pre-Run: 91,344,572,416 bytes free
Post-Run: 92,091,830,272 bytes free

273

Bio-Hazard · Nov 18, 2008

Hello!

Are you able to boot into a normal mode now?

If you can update Malwarebytes Antimalware and run it again and post that log for me to see.

Install Recovery Console via Combofix

Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System
Download the file & save it as it's originally named.

---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Drag the setup package onto ComboFix.exe and drop it.
Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
At the next prompt, click 'Yes' to run the full ComboFix scan.
When the tool is finished, it will produce a report for you.

Next Reply

Please reply with:

ComboFix log (found at C:\Combofix.txt)
New HijackThis log

Alexandergreat3 · Nov 19, 2008

Hi Bio-Hazard,

Yes, I'm able to boot in normal mode now

.

Here is my latest log:

Malwarebytes' Anti-Malware 1.30
Database version: 1410
Windows 5.1.2600 Service Pack 2

11/18/2008 4:14:49 PM
mbam-log-2008-11-18 (16-14-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 140397
Time elapsed: 41 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 33

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSnrsr.dll.vir (Trojan.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\cowyfu.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fjzjhl.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\plybuvmk.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sptjdlgu.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSScfgb.dll.vir (Trojan.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSScfum.dll.vir (Trojan.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoeqh.dll.vir (Trojan.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSofxh.dll.vir (Trojan.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoiqh.dll.vir (Trojan.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSosvn.dll.vir (Trojan.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSriqp.dll.vir (Trojan.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ttjxvkle.dll.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSpaxt.sys.vir (Trojan.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSpqxt.sys.vir (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0143982.sys (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0143983.dll (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0143984.dll (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0143985.dll (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0143986.dll (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0143988.sys (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0143989.dll (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0143990.dll (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0143991.dll (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0143992.dll (Trojan.TDSS) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0144004.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0144005.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0144006.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0144007.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0144008.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0144019.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0144020.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0144021.dll (Trojan.Vundo) -> No action taken.

Alexandergreat3 · Nov 19, 2008

Malwarebytes' Anti-Malware 1.30
Database version: 1410
Windows 5.1.2600 Service Pack 2

11/18/2008 4:23:19 PM
mbam-log-2008-11-18 (16-23-19).txt

Scan type: Full Scan (C:\|)
Objects scanned: 140397
Time elapsed: 41 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 33

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSnrsr.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\cowyfu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fjzjhl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\plybuvmk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sptjdlgu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSScfgb.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSScfum.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoeqh.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSofxh.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoiqh.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSosvn.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSriqp.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ttjxvkle.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSpaxt.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSpqxt.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0143982.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0143983.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0143984.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0143985.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0143986.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0143988.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0143989.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0143990.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0143991.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0143992.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0144004.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0144005.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0144006.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0144007.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0144008.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0144019.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0144020.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP495\A0144021.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Alexandergreat3 · Nov 19, 2008

ComboFix 08-11-17.06 - 1 2008-11-18 16:56:17.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.658 [GMT -8:00]
Running from: c:\documents and settings\1\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\1\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt

.
((((((((((((((((((((((((( Files Created from 2008-10-19 to 2008-11-19 )))))))))))))))))))))))))))))))
.

2008-11-18 13:59 . 2008-11-18 13:59 <DIR> d-------- c:\program files\Windows Defender
2008-11-18 09:30 . 2008-11-18 09:30 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-18 09:30 . 2008-11-18 09:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-18 09:30 . 2008-11-18 09:30 <DIR> d-------- c:\documents and settings\1\Application Data\Malwarebytes
2008-11-18 09:30 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-18 09:30 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-17 22:30 . 2008-11-17 22:30 120 ---hs---- c:\windows\system32\nmujeket.ini
2008-11-17 02:21 . 2008-11-17 02:21 <DIR> d-------- c:\program files\InterMute
2008-11-16 22:47 . 2008-11-16 22:47 120 --ahs---- c:\windows\system32\eepsbphf.ini
2008-11-07 16:42 . 2008-11-07 16:42 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-07 16:42 . 2008-11-07 16:42 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 17:46 --------- d-----w c:\documents and settings\1\Application Data\Lavasoft
2008-11-18 07:26 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-18 01:12 --------- d-----w c:\program files\Lx_cats
2008-11-15 08:53 --------- d-----w c:\documents and settings\1\Application Data\LimeWire
2008-11-14 20:19 --------- d-----w c:\program files\LimeWire
2008-11-13 02:44 2,048 ----a-w c:\windows\vknt.tmp
2008-11-08 21:59 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-22 06:56 737,280 ----a-w c:\windows\iun6002.exe
2008-06-08 19:55 100,496 ----a-w c:\documents and settings\1\Application Data\GDIPFONTCACHEV1.DAT
2006-12-15 00:05 0 ------w c:\documents and settings\1\Application Data\wklnhst.dat
2003-06-20 11:05 49,776 ----a-w c:\windows\inf\usbhub20.sys
2003-06-20 11:05 24,752 ----a-w c:\windows\inf\hidclass.sys
2003-06-20 11:05 20,688 ----a-w c:\windows\inf\usbd.sys
2003-06-20 11:05 19,728 ----a-w c:\windows\inf\usbehci.sys
2003-06-20 11:05 138,288 ----a-w c:\windows\inf\usbport.sys
2006-12-14 01:48 88 --sha-r c:\windows\system32\04202E8837.sys
2006-12-14 02:01 2,516 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"LXCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-07-20 73728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-07 98304]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-27 143360]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-27 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-27 135168]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-05-30 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-12 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=bdaqte.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--------- 2005-11-17 01:33 52848 c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellHelp]
--a------ 2004-04-01 06:51 1589248 c:\dell\DellHelp\DellHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--------- 2005-10-05 01:12 94208 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 12:01 67584 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
--------- 2005-07-12 01:36 299008 c:\program files\Lexmark Fax Solutions\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2008-06-27 07:11 163840 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--------- 2006-07-06 05:15 151552 c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
--------- 2005-11-17 01:33 120464 c:\program files\Norton Internet Security\CfgWiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--------- 2004-07-27 14:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--------- 2004-07-27 14:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxccmon.exe]
--------- 2005-07-20 16:16 192512 c:\program files\Lexmark 3300 Series\LXCCmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 08:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2008-06-27 07:10 135168 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
--------- 2005-11-17 01:33 218240 c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
--------- 2005-11-17 01:33 23168 c:\program files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"mnmsrvc"=3 (0x3)
"Symantec Core LC"=3 (0x3)
"SNDSrvc"=3 (0x3)
"NSCService"=3 (0x3)
"ERSvc"=2 (0x2)
"ehSched"=2 (0x2)
"ehRecvr"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"rpcapd"=3 (0x3)
"MDM"=2 (0x2)
"comHost"=3 (0x3)
"ccISPwdSvc"=3 (0x3)
"SPBBCSvc"=2 (0x2)
"LiveUpdate"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"=
"c:\\Program Files\\GamePark\\GameparkUpdate.exe"=
"c:\\Program Files\\GamePark\\gameparkclient_en.exe"=
"c:\\Program Files\\GamePark\\gameparkloader_en.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\PokerStars\\PokerStars.exe"=
"c:\\Program Files\\PokerStars\\PokerStarsCommunicate.exe"=
"c:\\Program Files\\PokerStars\\PokerStarsUpdate.exe"=
"c:\\Program Files\\PokerStars\\Tracer.exe"=
"c:\\Program Files\\WildTangent\\Apps\\Dell Game Console\\GameConsole.exe"=
"c:\\WINDOWS\\system32\\lxcccoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxccpswx.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"=
"c:\\Program Files\\IGZones\\IGZones.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)

R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\DRIVERS\hnm_wrls_pkt.sys [2006-07-13 13824]
R2 wsppkt;Wireless Security Protocol;c:\windows\system32\DRIVERS\wsp_pkt.sys [2006-07-13 13696]
S0 qikio;qikio;c:\windows\system32\drivers\lxvye.sys []
S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;c:\windows\system32\DRIVERS\wg11tnd5.sys [2007-03-13 285216]
S3 ATHFMWDL;NETGEAR WG111T bootloader driver;c:\windows\system32\Drivers\ATHFMWDL.sys [2007-03-13 43392]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\c:\windows\system32\DNINDIS5.SYS [2007-03-11 17149]
S3 NAL;Nal Service ;\??\c:\windows\system32\Drivers\iqvw32.sys [2006-06-05 24064]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-11-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-11-15 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - 1.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-11-17 01:32]

2008-11-18 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-07-30 14:45]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-18 16:57:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-18 16:58:19
ComboFix-quarantined-files.txt 2008-11-19 00:58:11
ComboFix2.txt 2008-11-18 19:30:25

Pre-Run: 90,915,917,824 bytes free
Post-Run: 90,912,006,144 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

234

Alexandergreat3 · Nov 19, 2008

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:00:35 PM, on 11/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\1\Desktop\ADWARE & SPYWARE REMOVER\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061207
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1217624078015
O17 - HKLM\System\CCS\Services\Tcpip\..\{931ECC4B-5F93-4997-89BA-4D55A76595F7}: NameServer = 69.19.190.116 69.19.190.120
O20 - AppInit_DLLs: bdaqte.dll
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

--
End of file - 3340 bytes

Bio-Hazard · Nov 19, 2008

Use of P2P (Person to Person) file sharing programs

Limewire

I see that you have signs of P2P program in your computer. Please read HERE the Safer Networks policy on the use of P2P file sharing programs. Please remove it before we can continue any further. Post back when you have done it so we can continue the cleaning process.

I have added those 2 Limewire folders onto the Combofix script so if you havent uninstall it will remove it.
======================================================

Run CFScript

Close any open browsers.
Open Notepad by click start
Click Run
Type notepad into the box and click enter
Notepad will open
Copy and Paste everything from the Code box into Notepad:

Code:

File::
c:\windows\system32\nmujeket.ini
c:\windows\system32\eepsbphf.ini
Folder::
c:\documents and settings\1\Application Data\LimeWire
c:\program files\LimeWire
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

NOTE: Do not mouseclick combofix's window whilst it's running. That may cause it to stall it.

Next Reply

Please reply with:

ComboFix log (found at C:\Combofix.txt)
New HijackThis log

Alexandergreat3 · Nov 20, 2008

Hi Bio-Hazard,

Thank you for your reply. I've uninstalled Limewire. Here are the latest logs:

ComboFix 08-11-17.06 - 1 2008-11-19 16:45:25.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.603 [GMT -8:00]
Running from: c:\documents and settings\1\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\1\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\eepsbphf.ini
c:\windows\system32\nmujeket.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\1\Application Data\LimeWire
c:\documents and settings\1\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\1\Application Data\LimeWire\createtimes.cache
c:\documents and settings\1\Application Data\LimeWire\downloads.dat
c:\documents and settings\1\Application Data\LimeWire\fileurns.bak
c:\documents and settings\1\Application Data\LimeWire\fileurns.cache
c:\documents and settings\1\Application Data\LimeWire\filters.props
c:\documents and settings\1\Application Data\LimeWire\gnutella.net
c:\documents and settings\1\Application Data\LimeWire\installation.props
c:\documents and settings\1\Application Data\LimeWire\library.dat
c:\documents and settings\1\Application Data\LimeWire\limewire.props
c:\documents and settings\1\Application Data\LimeWire\mojito.props
c:\documents and settings\1\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\1\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\1\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\1\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\1\Application Data\LimeWire\questions.props
c:\documents and settings\1\Application Data\LimeWire\responses.cache
c:\documents and settings\1\Application Data\LimeWire\simpp.xml
c:\documents and settings\1\Application Data\LimeWire\spam.dat
c:\documents and settings\1\Application Data\LimeWire\tables.props
c:\documents and settings\1\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\1\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\1\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\1\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\1\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\1\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\1\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\1\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\1\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\1\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\1\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\1\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\1\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\1\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\1\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\1\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\1\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\1\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\1\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\1\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\1\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\1\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\1\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\1\Application Data\LimeWire\ttrees.cache
c:\documents and settings\1\Application Data\LimeWire\ttroot.cache
c:\documents and settings\1\Application Data\LimeWire\version.xml
c:\documents and settings\1\Application Data\LimeWire\versions.props
c:\documents and settings\1\Application Data\LimeWire\xml\data\audio.sxml2
c:\documents and settings\1\Application Data\LimeWire\xml\data\image.sxml2
c:\program files\LimeWire
c:\program files\LimeWire\hs_err_pid3136.log
c:\program files\LimeWire\hs_err_pid3316.log
c:\windows\IE4 Error Log.txt
c:\windows\system32\eepsbphf.ini
c:\windows\system32\nmujeket.ini

.
((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.

2008-11-18 13:59 . 2008-11-18 13:59 <DIR> d-------- c:\program files\Windows Defender
2008-11-18 09:30 . 2008-11-18 09:30 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-18 09:30 . 2008-11-18 09:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-18 09:30 . 2008-11-18 09:30 <DIR> d-------- c:\documents and settings\1\Application Data\Malwarebytes
2008-11-18 09:30 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-18 09:30 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-17 02:21 . 2008-11-17 02:21 <DIR> d-------- c:\program files\InterMute
2008-11-07 16:42 . 2008-11-07 16:42 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-07 16:42 . 2008-11-07 16:42 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-19 01:03 --------- d-----w c:\program files\PokerStars
2008-11-18 17:46 --------- d-----w c:\documents and settings\1\Application Data\Lavasoft
2008-11-18 07:26 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-18 01:12 --------- d-----w c:\program files\Lx_cats
2008-11-13 02:44 2,048 ----a-w c:\windows\vknt.tmp
2008-11-08 21:59 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-22 06:56 737,280 ----a-w c:\windows\iun6002.exe
2008-06-08 19:55 100,496 ----a-w c:\documents and settings\1\Application Data\GDIPFONTCACHEV1.DAT
2006-12-15 00:05 0 ------w c:\documents and settings\1\Application Data\wklnhst.dat
2003-06-20 11:05 49,776 ----a-w c:\windows\inf\usbhub20.sys
2003-06-20 11:05 24,752 ----a-w c:\windows\inf\hidclass.sys
2003-06-20 11:05 20,688 ----a-w c:\windows\inf\usbd.sys
2003-06-20 11:05 19,728 ----a-w c:\windows\inf\usbehci.sys
2003-06-20 11:05 138,288 ----a-w c:\windows\inf\usbport.sys
2006-12-14 01:48 88 --sha-r c:\windows\system32\04202E8837.sys
2006-12-14 02:01 2,516 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"LXCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-07-20 73728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-07 98304]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-27 143360]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-27 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-27 135168]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-05-30 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-12 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--------- 2005-11-17 01:33 52848 c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellHelp]
--a------ 2004-04-01 06:51 1589248 c:\dell\DellHelp\DellHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--------- 2005-10-05 01:12 94208 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 12:01 67584 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
--------- 2005-07-12 01:36 299008 c:\program files\Lexmark Fax Solutions\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2008-06-27 07:11 163840 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--------- 2006-07-06 05:15 151552 c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
--------- 2005-11-17 01:33 120464 c:\program files\Norton Internet Security\CfgWiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--------- 2004-07-27 14:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--------- 2004-07-27 14:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxccmon.exe]
--------- 2005-07-20 16:16 192512 c:\program files\Lexmark 3300 Series\LXCCmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 08:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2008-06-27 07:10 135168 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
--------- 2005-11-17 01:33 218240 c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
--------- 2005-11-17 01:33 23168 c:\program files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"mnmsrvc"=3 (0x3)
"Symantec Core LC"=3 (0x3)
"SNDSrvc"=3 (0x3)
"NSCService"=3 (0x3)
"ERSvc"=2 (0x2)
"ehSched"=2 (0x2)
"ehRecvr"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"rpcapd"=3 (0x3)
"MDM"=2 (0x2)
"comHost"=3 (0x3)
"ccISPwdSvc"=3 (0x3)
"SPBBCSvc"=2 (0x2)
"LiveUpdate"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"=
"c:\\Program Files\\GamePark\\GameparkUpdate.exe"=
"c:\\Program Files\\GamePark\\gameparkclient_en.exe"=
"c:\\Program Files\\GamePark\\gameparkloader_en.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\PokerStars\\PokerStars.exe"=
"c:\\Program Files\\PokerStars\\PokerStarsCommunicate.exe"=
"c:\\Program Files\\PokerStars\\PokerStarsUpdate.exe"=
"c:\\Program Files\\PokerStars\\Tracer.exe"=
"c:\\Program Files\\WildTangent\\Apps\\Dell Game Console\\GameConsole.exe"=
"c:\\WINDOWS\\system32\\lxcccoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxccpswx.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"=
"c:\\Program Files\\IGZones\\IGZones.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)

R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\DRIVERS\hnm_wrls_pkt.sys [2006-07-13 13824]
R2 wsppkt;Wireless Security Protocol;c:\windows\system32\DRIVERS\wsp_pkt.sys [2006-07-13 13696]
S0 qikio;qikio;c:\windows\system32\drivers\lxvye.sys []
S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;c:\windows\system32\DRIVERS\wg11tnd5.sys [2007-03-13 285216]
S3 ATHFMWDL;NETGEAR WG111T bootloader driver;c:\windows\system32\Drivers\ATHFMWDL.sys [2007-03-13 43392]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\c:\windows\system32\DNINDIS5.SYS [2007-03-11 17149]
S3 NAL;Nal Service ;\??\c:\windows\system32\Drivers\iqvw32.sys [2006-06-05 24064]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-11-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-11-15 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - 1.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-11-17 01:32]

2008-11-18 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-07-30 14:45]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-19 16:47:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-19 16:48:30
ComboFix-quarantined-files.txt 2008-11-20 00:48:13
ComboFix2.txt 2008-11-19 00:58:20
ComboFix3.txt 2008-11-18 19:30:25

Pre-Run: 90,844,082,176 bytes free
Post-Run: 90,854,457,344 bytes free

280

--------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:52:47 PM, on 11/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\1\Desktop\ADWARE & SPYWARE REMOVER\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061207
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1217624078015
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

--
End of file - 3186 bytes

Bio-Hazard · Nov 20, 2008

ATF-Cleaner

Please download ATF Cleaner by Atribune.

Save it to your desktop
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords please click No at the prompt.
Click Exit on the Main menu to close the program.

F-Secure Online Scan

Note: You will need to use Internet explorer for this scan
Go here to run an online scan from F-Secure
Click on Start scanning
This will open a new internet explorer window
It will require an activex control please install it
Click Accept
Click Full System Scan
It will now download the scanner this may take a while please be patient
It will then start scanning wait for the scan to finish
Click Automatic cleaning (recommended)
Wait for it finish the cleaning process
Click show report
This will open up a window with the results of the scan copy and paste those results as a reply to this topic

Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:

F-Secure Log
A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving

Alexandergreat3 · Nov 21, 2008

Hi Bio-Hazard,

I've ran the ATF-Cleaner.
I'm now running F-Secure Online Scan.

I'll get back to you when I have the logs. I really appreciate your help

.

Alexandergreat3 · Nov 22, 2008

Ok, I've gotten to step 3 of the F-Secure Scanner, but when my download reached 100%, an error came up with the following messages:

"Microsoft Internet Explorer

An error has occured! Please close the scanner and your browser, then try again. (Id: 12)"

I've closed the scanner and my browser, and I've tried again several times, but the same error came up. Please let me know how I can fix this error. Thank you

Alexandergreat3 · Nov 22, 2008

By the way, before I got the F-Secure online scan, I have this pop up error message on my computer when I start up Windows. And when I tried to close it, it kept on popping up:

"Microsoft Windows
The system has recovered from a serious error.
A log of this error has been created.

BCCode : 100000d1 BCP1 : 00000030 BCP2 : 00000005 BCP3 : 00000000
BCP4 : F66ED613 OSVer : 5_1_2600 SP : 2_0 Product : 256_1

The following files will be included in this error report:

C:\DOCUME~1\1\LOCALS~1\Temp\WER8c89.dir00\Mini122906-01.dmp
C:\DOCUME~1\1\LOCALS~1\Temp\WER8c89.dir00\sysdata.xml"

Bio-Hazard · Nov 22, 2008

Hello!

Sorry to hear about your troubles. Lets try this scanner.

Eset online scannne

Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select
Run as Administratorhttp://netsecurity.about.com/od/quicktips/qt/qt_run_as.htm
from the context menu.

Go here to run an online scannner from ESET.

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:

ESET Log
A fresh HijackThis Log ( after all the above has been done)

Alexandergreat3 · Nov 22, 2008

Hi,

Here are the logs:

ESET Log

C:\Qoobox\Quarantine\C\WINDOWS\poolsv.exe.vir

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:36:12 PM, on 11/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\1\Desktop\ADWARE & SPYWARE REMOVER\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061207
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1217624078015
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{931ECC4B-5F93-4997-89BA-4D55A76595F7}: NameServer = 69.19.190.116 69.19.190.120
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

--
End of file - 3514 bytes

Bio-Hazard · Nov 23, 2008

Hello!

Are you still getting that error message when you are booting up or shutting down your computer?

Poker sites

Party Poker, PartyCasino, UltimateBet, EmpirePoker, and the related sites are a risk and that's where most malware gets installed. Online Poker sites are well known for placing all manner of Internet parasites on their visitors' computers and continue to do so. They should be highly suspect for any Malware on your computer. In a lot of cases, these Poker plugins are also getting installed without your asking for it. You can read Poker gamers targeted by a rootkit backdoor regarding the risk involved with visiting the Poker games web sites. Two safe alternatives are PokerStars and Pogo.com.

I recommend that you remove Pokerstars

Click Start
Go to Control Panel
Go to Add/Remove Programs
Find and click Remove for the following (if present):

Pokerstars

NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:

A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving

Alexandergreat3 · Nov 23, 2008

Hi Bio-Hazard,

I did a system restore, and that fixed the Window Error.

After that, I ran the ESET scan as you instructed and got this in the log:
C:\Qoobox\Quarantine\C\WINDOWS\poolsv.exe.vir

Should I run the ESET scan again and select Remove Found Threats?

Regarding pokerstars, I've been using it for several years now and had no problems with it. I'm quite sure that I didn't get the virtumonde from pokerstars, because I haven't used it for months.

The day when my comp got infected was when I went to an image hosting site named usercash.com, and then that was when I started noticing my browser was being redirected and whatnot, and then I did the scan with Spybot, which detected virtumonde :red:

Alexandergreat3 · Nov 23, 2008

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:53 AM, on 11/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Documents and Settings\1\Desktop\ADWARE & SPYWARE REMOVER\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061207
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1217624078015
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{931ECC4B-5F93-4997-89BA-4D55A76595F7}: NameServer = 69.19.190.116 69.19.190.120
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

--
End of file - 3562 bytes

Virtumonde infected my comp. Please help!

New member

Emeritus- Malware Team

New member

New member

Emeritus- Malware Team

New member

New member

New member

New member

Emeritus- Malware Team

New member

Emeritus- Malware Team

New member

New member

New member

Emeritus- Malware Team

New member

Emeritus- Malware Team

New member

New member