Virtumonde infection

[moneypenny720]

Help .. I can't get rid of Virtumonde. I'm 3 days into this housekeeping nitemare.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:46 PM, on 8/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [161b1342] rundll32.exe "C:\WINDOWS\system32\whfaoetn.dll",b
O4 - HKLM\..\Run: [BM152820de] Rundll32.exe "C:\WINDOWS\system32\imawadsq.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA7330] command /c del "C:\WINDOWS\SYSTEM32\nnnmmnMe.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1214] cmd /c del "C:\WINDOWS\SYSTEM32\nnnmmnMe.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4260] command /c del "C:\WINDOWS\SYSTEM32\nnnmmnMe.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5253] cmd /c del "C:\WINDOWS\SYSTEM32\nnnmmnMe.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3271] command /c del "C:\WINDOWS\SYSTEM32\rqRLffdC.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9873] cmd /c del "C:\WINDOWS\SYSTEM32\rqRLffdC.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3463] command /c del "C:\WINDOWS\SYSTEM32\nnnmmnMe.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2865] cmd /c del "C:\WINDOWS\SYSTEM32\nnnmmnMe.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB7015] command /c del "C:\WINDOWS\SYSTEM32\nnnmmnMe.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1574] cmd /c del "C:\WINDOWS\SYSTEM32\nnnmmnMe.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6710] command /c del "C:\WINDOWS\SYSTEM32\rqRLffdC.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2652] cmd /c del "C:\WINDOWS\SYSTEM32\rqRLffdC.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8549] command /c del "C:\WINDOWS\SYSTEM32\nnnmmnMe.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3681] cmd /c del "C:\WINDOWS\SYSTEM32\nnnmmnMe.dll"
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-8.0.5.30/aces/aces-en_US.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.com/applet-8.0.1.32/slots/alibaba-en_US.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-8.0.5.30/blackjack/blackjack-en_US.cab
O16 - DPF: Blooop by pogo - http://game1.pogo.com/applet-6.9.4.41/cascade/cascade-en_US.cab
O16 - DPF: Bowling by pogo - http://game1.pogo.com/applet-8.0.1.23/bowling/bowling-en_US.cab
O16 - DPF: Dice City Roller by pogo - http://game1.pogo.com/applet-8.0.3.20/ytz/ytz-en_US.cab
O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-8.0.2.32/checkeredflag/checkeredflag-en_US.cab
O16 - DPF: Double Deuce Poker by pogo - http://game1.pogo.com/applet-8.0.5.30/videopoker2/doubledeuce-en_US.cab
O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-8.0.4.32/firstclass2/firstclass2-en_US.cab
O16 - DPF: Hog Heaven Slots by pogo - http://game1.pogo.com/applet-8.0.2.40/fancy/fancy-en_US.cab
O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-8.0.3.20/jigsaw/jigsaw-en_US.cab
O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-8.0.5.30/gin2/gin2-en_US.cab
O16 - DPF: Payday Freecell Solitaire by pogo - http://game1.pogo.com/applet-8.0.4.41/freecell2/freecell2-en_US.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-8.0.2.32/waterwheel/waterwheel-en_US.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-8.0.0.20/popfu/popfu-en_US.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.com/applet-8.0.2.32/poppazoppa/poppazoppa-en_US.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-8.0.5.30/poppit2/poppit2-en_US.cab
O16 - DPF: SciFi Slots by pogo - http://game1.pogo.com/applet-8.0.2.32/slots/scifi-en_US.cab
O16 - DPF: Showbiz Slots 2 by pogo - http://game1.pogo.com/applet-8.0.4.32/slots/showbiz2-en_US.cab
O16 - DPF: Showbiz Slots by pogo - http://game1.pogo.com/applet-8.0.4.32/slots/showbiz-en_US.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-8.0.2.32/spider/spider-en_US.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-8.0.1.32/squelchies/squelchies-en_US.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-8.0.5.30/sweettooth/sweettooth-en_US.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-8.0.1.32/whackdown/whackdown-en_US.cab
O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/applet-8.0.4.32/worldclass/worldclass-en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 6973 bytes

 

[moneypenny720]

comboFix Log

Following the instructions posted on bleeping computer, I ran comboFix and it has helped clean up some of the issues. I'm still getting a spybot Registry Denied popup when I login.

I can't tell u how appreciatiative I am for all of the folks here. I'm a computer professional and am visiting my Mom. It's her computer that was infected ... She had over 5000 virae and I've installed several things so that it doesn't happen again; and I'm so disgusted that there are such malicious people out there in the world that would want to inflict this kind of malicious software on innocents. It's just a shame!

Here's my ComboFix log.

ComboFix 08-08-14.03 - Administrator 2008-08-15 11:19:49.1 - FAT32x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.228 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\aepenny\Application Data\rhctv0j0en2b
C:\WINDOWS\BM152820de.txt
C:\WINDOWS\BM152820de.xml
C:\WINDOWS\hosts
C:\WINDOWS\pskt.ini
C:\WINDOWS\start.exe
C:\WINDOWS\system\oeminfo.ini
C:\WINDOWS\SYSTEM32\aphefpke.ini
C:\WINDOWS\system32\araejc.dll
C:\WINDOWS\system32\awpbavkd.dll
C:\WINDOWS\system32\bgepmsop.dll
C:\WINDOWS\system32\bhgyaa.dll
C:\WINDOWS\system32\bhpymt.dll
C:\WINDOWS\system32\bikihbhr.dll
C:\WINDOWS\system32\bojwqr.dll
C:\WINDOWS\system32\bykqwxsx.exe
C:\WINDOWS\system32\CdffLRqr.ini
C:\WINDOWS\SYSTEM32\CdffLRqr.ini2
C:\WINDOWS\system32\dirwcqot.dll
C:\WINDOWS\system32\dvnped.dll
C:\WINDOWS\system32\ecxmwryl.ini
C:\WINDOWS\system32\efcDSMFy.dll
C:\WINDOWS\system32\ffasmbtt.dll
C:\WINDOWS\system32\fugttmqt.ini
C:\WINDOWS\system32\gknrptxr.ini
C:\WINDOWS\SYSTEM32\glgokllu.ini
C:\WINDOWS\system32\habhhc.dll
C:\WINDOWS\system32\hjbpdwkp.ini
C:\WINDOWS\system32\hwovpj.dll
C:\WINDOWS\system32\imawadsq.dll
C:\WINDOWS\system32\iryihprg.dll
C:\WINDOWS\system32\iywwcfcx.ini
C:\WINDOWS\system32\kqoztw.dll
C:\WINDOWS\system32\kstveg.dll
C:\WINDOWS\system32\kxbcyglc.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\meakuiht.dll
C:\WINDOWS\system32\mlejhkbt.dll
C:\WINDOWS\system32\ngdpwoyb.dll
C:\WINDOWS\system32\nnnmmnMe.dll
C:\WINDOWS\SYSTEM32\nteoafhw.ini
C:\WINDOWS\system32\omkdik.dll
C:\WINDOWS\system32\oupvaiak.ini
C:\WINDOWS\system32\ovrtfu.dll
C:\WINDOWS\system32\prBLkUvw.ini
C:\WINDOWS\SYSTEM32\prBLkUvw.ini2
C:\WINDOWS\system32\qarqujka.exe
C:\WINDOWS\system32\qniims.dll
C:\WINDOWS\system32\qtmimuus.dll
C:\WINDOWS\system32\REGOBJ.DLL
C:\WINDOWS\system32\rtiwol.dll
C:\WINDOWS\system32\seuiji.dll
C:\WINDOWS\system32\shlqdxck.exe
C:\WINDOWS\system32\sogoiawv.dll
C:\WINDOWS\SYSTEM32\suumimtq.ini
C:\WINDOWS\system32\sysrest.sys
C:\WINDOWS\system32\sysrest32.exe
C:\WINDOWS\system32\tndkhnth.ini
C:\WINDOWS\SYSTEM32\ttbmsaff.ini
C:\WINDOWS\system32\twgvakpi.dll
C:\WINDOWS\system32\uaqapesd.dll
C:\WINDOWS\system32\ufsnktpg.ini
C:\WINDOWS\system32\ullkoglg.dll
C:\WINDOWS\system32\uxnrdvij.dll
C:\WINDOWS\system32\vlbucgyu.dll
C:\WINDOWS\system32\vlniwiyf.dll
C:\WINDOWS\system32\whfaoetn.dll
C:\WINDOWS\system32\windows.scr
C:\WINDOWS\system32\wplldwrm.dll
C:\WINDOWS\system32\xatbmnge.ini
C:\WINDOWS\system32\xgmryudp.dll
C:\WINDOWS\SYSTEM32\xttoexxa.ini
C:\WINDOWS\SYSTEM32\xxbKQXyb.ini
C:\WINDOWS\SYSTEM32\xxbKQXyb.ini2
C:\WINDOWS\SYSTEM32\yFMSDcfe.ini
C:\WINDOWS\SYSTEM32\yFMSDcfe.ini2
C:\WINDOWS\system32\yiaehpgm.dll
C:\WINDOWS\system32\ytogtkxd.dll
C:\WINDOWS\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSREST.SYS
-------\Service_sysrest.sys


((((((((((((((((((((((((( Files Created from 2008-07-15 to 2008-08-15 )))))))))))))))))))))))))))))))
.

2008-08-13 20:28 . 2008-08-14 22:46 538 --a------ C:\WINDOWS\wininit.ini
2008-08-13 19:36 . 2008-08-13 19:36 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-13 19:36 . 2008-08-13 19:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-13 17:43 . 2008-08-13 17:43 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-13 15:39 . 2008-08-13 15:39 958 --a------ C:\WINDOWS\Active Setup Log.BAK
2008-08-13 11:45 . 2008-08-13 11:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-08-13 11:43 . 2008-04-14 05:42 236,544 --a------ C:\WINDOWS\SYSTEM32\dllcache\smi2smir.exe
2008-08-13 11:43 . 2008-04-14 05:42 92,160 --a------ C:\WINDOWS\SYSTEM32\evntwin.exe
2008-08-13 11:43 . 2008-04-14 05:42 92,160 --a------ C:\WINDOWS\SYSTEM32\dllcache\evntwin.exe
2008-08-13 11:43 . 2008-04-14 05:42 24,064 --a------ C:\WINDOWS\SYSTEM32\evntcmd.exe
2008-08-13 11:43 . 2008-04-14 05:42 24,064 --a------ C:\WINDOWS\SYSTEM32\dllcache\evntcmd.exe
2008-08-13 11:43 . 2008-04-14 05:42 6,144 --a------ C:\WINDOWS\SYSTEM32\snmpmib.dll
2008-08-13 11:43 . 2008-04-14 05:42 6,144 --a------ C:\WINDOWS\SYSTEM32\dllcache\snmpmib.dll
2008-08-13 11:42 . 2008-04-14 05:42 188,416 --a------ C:\WINDOWS\SYSTEM32\dllcache\snmpsmir.dll
2008-08-13 11:42 . 2008-04-14 05:41 39,936 --a------ C:\WINDOWS\SYSTEM32\hostmib.dll
2008-08-13 11:42 . 2008-04-14 05:41 39,936 --a------ C:\WINDOWS\SYSTEM32\dllcache\hostmib.dll
2008-08-13 11:41 . 2008-04-14 05:42 358,400 --a------ C:\WINDOWS\SYSTEM32\dllcache\snmpincl.dll
2008-08-13 11:41 . 2008-04-14 05:42 259,072 --a------ C:\WINDOWS\SYSTEM32\dllcache\snmpcl.dll
2008-08-13 11:41 . 2008-04-14 05:42 33,280 --a------ C:\WINDOWS\SYSTEM32\snmp.exe
2008-08-13 11:41 . 2008-04-14 05:42 33,280 --a------ C:\WINDOWS\SYSTEM32\dllcache\snmp.exe
2008-08-13 11:41 . 2008-04-14 05:42 8,704 --a------ C:\WINDOWS\SYSTEM32\snmptrap.exe
2008-08-13 11:41 . 2008-04-14 05:42 8,704 --a------ C:\WINDOWS\SYSTEM32\dllcache\snmptrap.exe
2008-08-13 11:39 . 2008-08-13 11:39 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-13 11:39 . 2008-04-14 05:42 294,912 --------- C:\WINDOWS\SYSTEM32\dllcache\dlimport.exe
2008-08-13 11:39 . 2008-04-14 05:41 101,888 --a------ C:\WINDOWS\SYSTEM32\evntagnt.dll
2008-08-13 11:39 . 2008-04-14 05:41 101,888 --a------ C:\WINDOWS\SYSTEM32\dllcache\evntagnt.dll
2008-08-13 11:39 . 2008-04-14 05:42 39,936 --a------ C:\WINDOWS\SYSTEM32\dllcache\snmpthrd.dll
2008-08-13 11:39 . 2008-04-14 05:41 33,792 --a------ C:\WINDOWS\SYSTEM32\lmmib2.dll
2008-08-13 11:39 . 2008-04-14 05:41 33,792 --a------ C:\WINDOWS\SYSTEM32\dllcache\lmmib2.dll
2008-08-13 11:26 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\002814_.tmp
2008-08-13 11:17 . 2008-08-13 11:17 <DIR> d-------- C:\WINDOWS\EHome
2008-08-13 09:00 . 2006-02-28 08:00 28,288 --a------ C:\WINDOWS\SYSTEM32\dllcache\xjis.nls
2008-08-13 08:58 . 2006-02-28 08:00 1,875,968 --a------ C:\WINDOWS\SYSTEM32\dllcache\msir3jp.lex
2008-08-13 08:57 . 2008-04-14 05:39 13,463,552 --a------ C:\WINDOWS\SYSTEM32\dllcache\hwxjpn.dll
2008-08-13 08:56 . 2006-02-28 08:00 1,677,824 --a------ C:\WINDOWS\SYSTEM32\dllcache\chsbrkr.dll
2008-08-13 08:50 . 2008-08-13 08:50 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2008-08-13 08:49 . 2008-08-13 08:49 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-08-13 08:49 . 2008-08-13 08:49 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
2008-08-13 08:49 . 2008-08-13 08:49 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2008-08-13 08:49 . 2008-08-13 08:49 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2008-08-13 08:37 . 2006-02-28 08:00 1,086,058 -ra------ C:\WINDOWS\SET3F.tmp
2008-08-13 08:37 . 2006-02-28 08:00 1,042,903 -ra------ C:\WINDOWS\SET3C.tmp
2008-08-07 09:56 . 2006-02-28 08:00 16,384 --a------ C:\WINDOWS\SYSTEM32\dllcache\isignup.exe
2008-08-07 09:45 . 2006-02-28 08:00 1,086,058 -ra------ C:\WINDOWS\SETDD.tmp
2008-08-07 09:45 . 2006-02-28 08:00 1,042,903 -ra------ C:\WINDOWS\SETDA.tmp
2008-08-07 09:45 . 2006-02-28 08:00 14,573 -ra------ C:\WINDOWS\SET11C.tmp
2008-08-07 09:45 . 2006-02-28 08:00 13,753 -ra------ C:\WINDOWS\SETE9.tmp
2008-08-07 08:54 . 2008-08-13 07:31 218,886 --a------ C:\WINDOWS\setupapi.old
2008-08-07 04:07 . 2008-08-07 04:07 <DIR> d--hs---- C:\FOUND.001
2008-08-04 12:30 . 2008-08-04 12:30 <DIR> d--hs---- C:\FOUND.000
2008-08-03 18:07 . 2008-02-16 00:07 52,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmactmon.sys
2008-08-03 18:07 . 2008-02-16 00:07 52,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmevtmgr.sys
2008-08-03 18:02 . 2008-08-03 18:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-08-03 16:48 . 2008-08-03 16:48 <DIR> d-------- C:\Documents and Settings\aepenny\Application Data\ParetoLogic
2008-08-03 16:46 . 2008-08-03 16:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic
2008-08-03 16:44 . 2008-08-03 16:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-08-03 16:18 . 2008-02-16 00:07 138,384 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-08-03 15:52 . 2008-08-03 15:52 <DIR> d-------- C:\Program Files\RegCure
2008-08-02 21:03 . 2008-08-02 21:03 <DIR> d-------- C:\Documents and Settings\aepenny\Application Data\System Doctor Free
2008-08-02 20:53 . 2008-08-02 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\System Doctor Free
2008-08-02 20:53 . 2008-08-02 20:53 <DIR> dra------ C:\Documents and Settings\All Users\Application Data\SalesMon
2008-08-02 16:37 . 2008-08-02 16:37 0 --a------ C:\END

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 18:18 62,912 ----a-w C:\Documents and Settings\aepenny\Application Data\GDIPFONTCACHEV1.DAT
2002-11-08 19:13 0 ----a-w C:\Program Files\Common Files\as.ini
2001-11-05 22:39 197,120 ----a-w C:\Documents and Settings\All Users\GKids1.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"OEMRUNONCE"=c:\windows\options\cabs\oemrun.exe
"EnsoniqMixer"=starter.exe
"Hot Key Kbd 9910 Daemon"=SK9910DM.EXE
"Norton Auto-Protect"=C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
"NAV DefAlert"=C:\PROGRA~1\NORTON~1\DEFALERT.EXE
"CreateCD50"="C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\BIN\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\BIN\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\BIN\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\BIN\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\BIN\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\BIN\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqnrs08.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder

2008-08-15 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job
- C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE []

2002-10-22 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\NDETECT.EXE [2002-08-07 09:04]

2002-10-22 C:\WINDOWS\Tasks\Video Reminder.job
- C:\WINDOWS\TUNEUP.EXE []

2008-08-14 C:\WINDOWS\Tasks\Nightly Full System Scan.job
- C:\Program Files\Norton AntiVirus\SCNHNDLR.EXE []

2008-08-14 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]

2008-08-15 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]

2008-08-14 C:\WINDOWS\Tasks\ParetoLogic Registration.job
- C:\WINDOWS\system32\rundll32.exe [2008-04-14 05:42]
.
- - - - ORPHANS REMOVED - - - -

BHO-{40A05491-07D4-434B-95BB-7E78F979001E} - C:\WINDOWS\system32\rqRLffdC.dll
BHO-{6C5027E7-711D-4500-80BC-721D6F00F7A3} - (no file)
BHO-{938838B5-F66D-427D-8996-4DAF70D23C43} - (no file)
BHO-{9B8CD9CF-DA45-4268-A894-C03395AF3ACB} - C:\WINDOWS\system32\byXQKbxx.dll
BHO-{DCA04B7A-330A-4005-B6C6-70729F5286C0} - (no file)
HKLM-Run-161b1342 - C:\WINDOWS\system32\tqmttguf.dll
HKLM-Run-BM152820de - C:\WINDOWS\system32\imawadsq.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\aepenny\Application Data\Mozilla\Firefox\Profiles\u8nxuj96.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-15 11:29:57
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LOCATOR.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\SFCTLCOM.EXE
C:\WINDOWS\SYSTEM32\SNMP.EXE
C:\PROGRAM FILES\TREND MICRO\BM\TMBMSRV.EXE
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
.
**************************************************************************
.
Completion time: 2008-08-15 11:33:56 - machine was rebooted [aepenny]
ComboFix-quarantined-files.txt 2008-08-15 15:33:40

Pre-Run: 10,132,439,040 bytes free
Post-Run: 9,703,325,696 bytes free

271 --- E O F --- 2008-07-11 12:49:22

 

[moneypenny720]

Latest HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47, on 2008-08-15
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-8.0.5.30/aces/aces-en_US.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.com/applet-8.0.1.32/slots/alibaba-en_US.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-8.0.5.30/blackjack/blackjack-en_US.cab
O16 - DPF: Blooop by pogo - http://game1.pogo.com/applet-6.9.4.41/cascade/cascade-en_US.cab
O16 - DPF: Bowling by pogo - http://game1.pogo.com/applet-8.0.1.23/bowling/bowling-en_US.cab
O16 - DPF: Dice City Roller by pogo - http://game1.pogo.com/applet-8.0.3.20/ytz/ytz-en_US.cab
O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-8.0.2.32/checkeredflag/checkeredflag-en_US.cab
O16 - DPF: Double Deuce Poker by pogo - http://game1.pogo.com/applet-8.0.5.30/videopoker2/doubledeuce-en_US.cab
O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-8.0.4.32/firstclass2/firstclass2-en_US.cab
O16 - DPF: Hog Heaven Slots by pogo - http://game1.pogo.com/applet-8.0.2.40/fancy/fancy-en_US.cab
O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-8.0.3.20/jigsaw/jigsaw-en_US.cab
O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-8.0.5.30/gin2/gin2-en_US.cab
O16 - DPF: Payday Freecell Solitaire by pogo - http://game1.pogo.com/applet-8.0.4.41/freecell2/freecell2-en_US.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-8.0.2.32/waterwheel/waterwheel-en_US.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-8.0.0.20/popfu/popfu-en_US.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.com/applet-8.0.2.32/poppazoppa/poppazoppa-en_US.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-8.0.5.30/poppit2/poppit2-en_US.cab
O16 - DPF: SciFi Slots by pogo - http://game1.pogo.com/applet-8.0.2.32/slots/scifi-en_US.cab
O16 - DPF: Showbiz Slots 2 by pogo - http://game1.pogo.com/applet-8.0.4.32/slots/showbiz2-en_US.cab
O16 - DPF: Showbiz Slots by pogo - http://game1.pogo.com/applet-8.0.4.32/slots/showbiz-en_US.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-8.0.2.32/spider/spider-en_US.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-8.0.1.32/squelchies/squelchies-en_US.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-8.0.5.30/sweettooth/sweettooth-en_US.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-8.0.1.32/whackdown/whackdown-en_US.cab
O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/applet-8.0.4.32/worldclass/worldclass-en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 5331 bytes

 

[tashi]

Hello,

Please read the forum stickies
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)

We do request members don't add to their topic before a helper has responded and also:
Do NOT run 'fixes' before helpers have analyzed the HJT log

Which is the most important part.

Post here if still waiting for help in the Malware Forum, (AFTER) FOUR days

Cheers.