Virtumonde - I've got it too

Same Problem with renamed file

I renamed the file Killz.exe, but I get the same results - It says "preparing to run" and then seconds later the PC reboots.
 
So we try then safe mode with command prompt.

Move killz.exe to c root (c: )
Choose safe mode with command prompt from same menu from which you choose safe mode.

When you are in command prompt type:
cd\ and press enter
killz and press enter

If combofix now runs, reboot back to safe mode with command prompt when combofix reboots.
 
Same behavior

I started killz in command mode. It says "preparing to run combofix" and a few seconds later the PC reboots. I'm now rebooted and in command prompt mode again.
 
DDS, Malware and Hijack run

Just to speed things up I ran DDS, Malware and Hijack. I've posted the results. Malware shows no infected files, but that's because I directed Malware to fix the infected files two days ago and I haven't connected to the internet since.
 
attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 5/31/2004 6:32:25 PM
System Uptime: 7/20/2009 2:35:26 PM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | A7N8X-LA
Processor: AMD Athlon(tm) XP 2800+ | Socket A | 2079/166mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 109 GiB total, 81.714 GiB free.
D: is FIXED (FAT32) - 6 GiB total, 0.557 GiB free.
E: is CDROM ()
F: is Removable
J: is CDROM ()
K: is Removable
L: is Removable
M: is Removable
N: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1794: 7/19/2009 7:24:17 AM - Installed BotHunter.
RP1795: 7/19/2009 7:24:18 AM - System Checkpoint
RP1796: 7/19/2009 7:24:20 AM - System Checkpoint
RP1797: 7/19/2009 7:24:22 AM - System Checkpoint
RP1798: 7/19/2009 7:24:24 AM - System Checkpoint

==== Installed Programs ======================


7-Zip 3.13
Adobe Acrobat 7.0 Professional
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash Player 10 Plugin
Adobe Flash Player 9
Adobe Flash Player ActiveX
Adobe Help Viewer CS3
Adobe PDF Library Files
Adobe Reader 8.1.1
Adobe Setup
Adobe SVG Viewer 3.0
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Advanced Port Scanner v1.2
ArcSoft ShowBiz 2
Audacity 1.2.3
AXIS Media Control
B2 Spice A_D v4 Pro
BotHunter
CCleaner (remove only)
Color LaserJet 2600n
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
EAGLE 4.11
ERUNT 1.1j
FileZilla Client 3.2.2.1
Free Solitaire
FreeRIP v2.942
GoToMeeting 4.0.0.320
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP OfficeJet Series 700 (Remove Only)
HP Photo & Imaging 3.0
HPIZ Fix2
hpmdtab
HpSdpAppCoreApp
HPSystemDiagnostics
Intel(R) Extreme Graphics Driver
InterVideo WinDVD Player
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
Java(TM) 6 Update 13
Java(TM) 6 Update 6
Java(TM) 6 Update 7
KBD
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
MDI2PDF 2.4
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Meeting 2007
Microsoft Office XP Professional with FrontPage
Microsoft Plus! Digital Media Edition
Microsoft Project 2000 SR-1
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Works 7.0
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.0.11)
Mozilla Thunderbird (1.5)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
Multimedia Card Reader
NVIDIA Drivers
NVIDIA Ethernet Driver
NVIDIA Gart Driver
NVIDIA Windows 2000/XP Display Drivers
Palm Desktop
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
PhotoGallery
Photosmart 140,240,7200,7600,7700,7900 Series
PrintScreen
PS2
PSShortcutsP
Python 2.2 combined Win32 extensions
Python 2.2.1
QFolder
Quicken 2008
QuickProjects
QuickTime
RealOne Player
RecordNow!
S3Display
S3Gamma2
S3Info2
S3Overlay
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
SigmaTel MSCN Audio Player
SimpleOCR 3.1
SkinsHP1
SkinsHP2
Skype web features
Skype™ 4.1
SPSS 12.0.1 for Windows
Spybot - Search & Destroy
TaxCut Deluxe 2005
TaxCut Pennsylvania 2006
TaxCut Pennsylvania 2007
TaxCut Pennsylvania 2008
TaxCut Premium + State + Efile 2008
TaxCut Premium + State 2007
TaxCut Premium 2006
TextPad 5
TrayApp
Trillian
Unload
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VideoCacheView
VLC media player 0.9.8a
WAV MP3 Converter 2.3 build 679
Waver Version 2.95
WebFldrs XP
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinPcap 4.0.2
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

7/20/2009 6:17:48 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
7/20/2009 6:16:09 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK7 Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip WS2IFSL
7/20/2009 6:16:09 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
7/20/2009 6:16:09 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/20/2009 6:16:09 AM, error: Service Control Manager [7001] - The IP Traffic Filter Driver service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/20/2009 6:16:09 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/20/2009 6:16:09 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBT service which failed to start because of the following error: A device attached to the system is not functioning.
7/20/2009 6:16:09 AM, error: Service Control Manager [7001] - The ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/20/2009 6:15:54 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
7/20/2009 6:15:42 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/19/2009 3:42:45 PM, error: System Error [1003] - Error code 100000be, parameter1 804e37c5, parameter2 004e3161, parameter3 f78d6cc8, parameter4 0000000b.
7/19/2009 3:31:01 PM, error: System Error [1003] - Error code 100000be, parameter1 804e37c5, parameter2 004e3161, parameter3 f78dacc8, parameter4 0000000b.
7/19/2009 3:19:07 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
7/19/2009 3:08:24 PM, error: System Error [1003] - Error code 100000be, parameter1 804e37c5, parameter2 004e3161, parameter3 f78c6cc8, parameter4 0000000b.
7/19/2009 3:07:04 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
7/19/2009 3:07:04 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/19/2009 3:02:45 PM, error: Service Control Manager [7031] - The Symantec AntiVirus service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
7/19/2009 3:02:06 PM, error: Service Control Manager [7031] - The Symantec AntiVirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
7/18/2009 9:00:00 AM, error: Schedule [7901] - The At10.job command failed to start due to the following error: %%2147942402
7/18/2009 8:00:00 AM, error: Schedule [7901] - The At9.job command failed to start due to the following error: %%2147942402
7/18/2009 6:00:00 AM, error: Schedule [7901] - The At7.job command failed to start due to the following error: %%2147942402
7/18/2009 5:00:00 AM, error: Schedule [7901] - The At6.job command failed to start due to the following error: %%2147942402
7/18/2009 4:00:00 AM, error: Schedule [7901] - The At5.job command failed to start due to the following error: %%2147942402
7/18/2009 3:00:00 AM, error: Schedule [7901] - The At4.job command failed to start due to the following error: %%2147942402
7/18/2009 2:00:00 AM, error: Schedule [7901] - The At3.job command failed to start due to the following error: %%2147942402
7/18/2009 12:52:00 AM, error: Schedule [7901] - The At1.job command failed to start due to the following error: %%2147942402
7/18/2009 1:00:00 AM, error: Schedule [7901] - The At2.job command failed to start due to the following error: %%2147942402
7/17/2009 12:00:00 PM, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402
7/17/2009 11:00:00 PM, error: Schedule [7901] - The At24.job command failed to start due to the following error: %%2147942402
7/17/2009 11:00:00 AM, error: Schedule [7901] - The At12.job command failed to start due to the following error: %%2147942402
7/17/2009 10:00:00 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402
7/17/2009 1:00:00 PM, error: Schedule [7901] - The At14.job command failed to start due to the following error: %%2147942402
7/16/2009 7:00:00 AM, error: Schedule [7901] - The At8.job command failed to start due to the following error: %%2147942402
7/16/2009 4:00:00 PM, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402
7/16/2009 2:00:00 PM, error: Schedule [7901] - The At15.job command failed to start due to the following error: %%2147942402
7/15/2009 9:00:01 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402
7/15/2009 8:00:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402
7/15/2009 7:00:00 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: %%2147942402
7/15/2009 6:00:00 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402
7/15/2009 5:00:00 PM, error: Schedule [7901] - The At18.job command failed to start due to the following error: %%2147942402
7/15/2009 3:00:00 PM, error: Schedule [7901] - The At16.job command failed to start due to the following error: %%2147942402
7/15/2009 10:00:00 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: %%2147942402
7/14/2009 12:34:10 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000034' while processing the file '~efe2.tmp' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
7/14/2009 12:11:57 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 000C6EFEDEBE. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
7/13/2009 2:52:40 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\ctfmon.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
7/13/2009 2:49:17 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
7/13/2009 2:47:38 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

==== End Of File ===========================
 
dds.text

DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 14:37:16.68 on Mon 07/20/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.670 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Multimedia Card Reader\shwicon2k .exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
mSearch Page = hxxp://www.google.com
mDefault_Search_Url = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} -
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {8F4902B6-6C04-4ade-8052-AA58578A21BD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [FreeRAM XP] "c:\program files\yourware solutions\freeram xp pro\FreeRAM XP Pro.exe" -win
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: troweprice.com\www3
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - hxxps://www.windowsonecare.com/install/cli/0.8.0794.48/WinSSWebAgent.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126369175812
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38138.8417361111
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\ar174uw8.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]

=============== Created Last 30 ================

2009-07-20 14:34 <DIR> --ds---- C:\Killz
2009-07-20 14:34 389,120 a------- c:\windows\system32\CF3046.exe
2009-07-20 13:49 389,120 a------- c:\windows\system32\CF26899.exe
2009-07-20 13:04 389,120 a------- c:\windows\system32\CF18111.exe
2009-07-20 13:00 389,120 a------- c:\windows\system32\CF17373.exe
2009-07-20 12:56 389,120 a------- c:\windows\system32\CF16540.exe
2009-07-20 06:22 <DIR> --ds---- C:\ComboFix
2009-07-20 06:22 389,120 a------- c:\windows\system32\CF4933.exe
2009-07-20 06:18 389,120 a------- c:\windows\system32\CF4169.exe
2009-07-19 18:25 389,120 a------- c:\windows\system32\CF28399.exe
2009-07-19 18:25 389,120 a------- c:\windows\system32\CF28233.exe
2009-07-19 16:12 389,120 a------- c:\windows\system32\CF2271.exe
2009-07-19 15:39 389,120 a------- c:\windows\system32\CF28652.exe
2009-07-19 15:28 389,120 a------- c:\windows\system32\CF26353.exe
2009-07-19 15:26 389,120 a------- c:\windows\system32\CF26072.exe
2009-07-19 15:04 219,648 a------- c:\windows\PEV.exe
2009-07-19 15:04 161,792 a------- c:\windows\SWREG.exe
2009-07-19 15:04 98,816 a------- c:\windows\sed.exe
2009-07-19 15:03 389,120 a------- c:\windows\system32\CF20527.exe
2009-07-19 14:57 3,147,475 a----r-- C:\Killz.exe
2009-07-18 20:48 27,660 a------- c:\windows\system32\braviax.exe95
2009-07-18 20:48 27,660 a------- c:\windows\system32\braviax.exe56
2009-07-18 20:48 27,660 a------- c:\windows\system32\braviax.exe55
2009-07-18 20:48 27,660 a------- c:\windows\system32\braviax.exe48
2009-07-18 20:48 8,704 a------- c:\windows\system32\braviax .exe
2009-07-18 09:21 196,610 a------- c:\windows\system32\j0IA32t6.exe
2009-07-15 14:26 <DIR> --d----- C:\_OTM
2009-07-13 16:00 <DIR> --d----- c:\documents and settings\owner\.SunDownloadManager
2009-07-13 15:20 <DIR> --d----- c:\program files\Trend Micro
2009-07-13 15:03 <DIR> --d----- c:\docume~1\owner\applic~1\SRI
2009-07-12 14:50 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-07-12 14:50 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-12 14:50 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-12 14:50 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-12 14:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-11 08:31 179 a------- c:\windows\system\hpsysdrv .DAT
2009-07-10 15:56 <DIR> --d----- c:\temp\FR90PE
2009-07-06 15:21 53,760 ac------ c:\windows\system32\dllcache\vfwwdm32.dll
2009-07-06 15:21 20,992 ac------ c:\windows\system32\dllcache\dshowext.ax
2009-07-06 15:21 53,760 a------- c:\windows\system32\vfwwdm32.dll
2009-07-06 15:21 20,992 a------- c:\windows\system32\dshowext.ax
2009-07-06 15:16 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-07-05 13:41 <DIR> --d----- c:\windows\pss
2009-06-29 20:57 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-29 20:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-25 16:01 <DIR> --d----- c:\documents and settings\owner\Tracing
2009-06-25 15:56 81,736 a------- c:\windows\system32\lmdimon8.dll
2009-06-25 15:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Applications

==================== Find3M ====================

2009-07-19 18:27 27,660 a------- c:\windows\system32\hkcmd.exe
2009-07-19 16:39 27,660 a------- c:\windows\system32\ctfmon.exe.tmp
2009-05-10 20:49 34,720 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-06 17:07 60,744 a------- c:\documents and settings\owner\g2mdlhlpx.exe
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:55 78,336 a------- c:\windows\system32\ieencode.dll
2007-05-03 22:14 839 a------- c:\docume~1\owner\applic~1\waver_2.95.dat
2007-02-03 14:36 439,296 a------- c:\documents and settings\owner\GoToAssist_phone__317_en.exe
2006-12-04 16:30 389,120 a------- c:\documents and settings\owner\remote.exe
2004-01-01 23:43 0 a--sh--- c:\windows\sminst\HPCD.sys
2008-09-13 11:59 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091320080914\index.dat

============= FINISH: 14:39:31.82 ===============
 
hijack.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:40:52 PM, on 7/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Multimedia Card Reader\shwicon2k .exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - https://www.windowsonecare.com/install/cli/0.8.0794.48/WinSSWebAgent.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126369175812
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7310 bytes
 
mbam.log

Malwarebytes' Anti-Malware 1.38
Database version: 2413
Windows 5.1.2600 Service Pack 3

7/20/2009 2:57:45 PM
mbam-log-2009-07-20 (14-57-45).txt

Scan type: Quick Scan
Objects scanned: 101007
Time elapsed: 6 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Please delete these:

c:\windows\system32\braviax.exe95
c:\windows\system32\braviax.exe56
c:\windows\system32\braviax.exe55
c:\windows\system32\braviax.exe48
c:\windows\system32\braviax .exe
c:\windows\system32\j0IA32t6.exe

Empty Recycle Bin.

Download to the desktop: Dr.Web CureIt
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
    check.gif

    If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    move.gif

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.
 
Almost had the same problem

I tried to start drweb, but got the following error message - "8tr89.exe has encountered a problem and needs to close". :sick:

But this worked - I opened two drweb programs at the same time. The first one got the same error message. The second program is running now. I'm through the RAM scan and it found and cured 3 infected files. I'm in the process of running the complete file scan now and will report back when it is finished.
 
Hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:49:28 AM, on 7/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - https://www.windowsonecare.com/install/cli/0.8.0794.48/WinSSWebAgent.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126369175812
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7129 bytes
 
DrWeb log

kbd.exe;c:\hp\kbd;Trojan.DownLoad.40292;Deleted.;
shwicon2k.exe;c:\program files\multimedia card reader;Trojan.DownLoad.40292;Deleted.;
hkcmd.exe;c:\windows\system32;Trojan.DownLoad.40292;Deleted.;
RegUBP2b-Owner.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Moved.;
Terminator.exe;C:\hp\bin;Trojan.KillApp.30208;Deleted.;
kbd.exe110;C:\hp\KBD;Trojan.DownLoad.40292;Deleted.;
kbd.exe119;C:\hp\KBD;Trojan.DownLoad.40292;Deleted.;
kbd.exe1617;C:\hp\KBD;Trojan.DownLoad.40292;Deleted.;
kbd.exe26033;C:\hp\KBD;Trojan.DownLoad.40292;Deleted.;
kbd.exe41;C:\hp\KBD;Trojan.DownLoad.40292;Deleted.;
kbd.exe46;C:\hp\KBD;Trojan.DownLoad.40292;Deleted.;
kbd.exe51;C:\hp\KBD;Trojan.DownLoad.40292;Deleted.;
kbd.exe58;C:\hp\KBD;Trojan.DownLoad.40292;Deleted.;
kbd.exe67;C:\hp\KBD;Trojan.DownLoad.40292;Deleted.;
kbd.exe69;C:\hp\KBD;Trojan.DownLoad.40292;Deleted.;
kbd.exe75;C:\hp\KBD;Trojan.DownLoad.40292;Deleted.;
kbd.exe78;C:\hp\KBD;Trojan.DownLoad.40292;Deleted.;
kbd.exe91;C:\hp\KBD;Trojan.DownLoad.40292;Deleted.;
kbd.exe98;C:\hp\KBD;Trojan.DownLoad.40292;Deleted.;
hphupd05.exe1612;C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0};Trojan.DownLoad.40292;Deleted.;
hphupd05.exe26025;C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0};Trojan.DownLoad.40292;Deleted.;
shwicon2k.exe119;C:\Program Files\Multimedia Card Reader;Trojan.DownLoad.40292;Deleted.;
shwicon2k.exe123;C:\Program Files\Multimedia Card Reader;Trojan.DownLoad.40292;Deleted.;
shwicon2k.exe1620;C:\Program Files\Multimedia Card Reader;Trojan.DownLoad.40292;Deleted.;
shwicon2k.exe26043;C:\Program Files\Multimedia Card Reader;Trojan.DownLoad.40292;Deleted.;
shwicon2k.exe46;C:\Program Files\Multimedia Card Reader;Trojan.DownLoad.40292;Deleted.;
shwicon2k.exe49;C:\Program Files\Multimedia Card Reader;Trojan.DownLoad.40292;Deleted.;
shwicon2k.exe51;C:\Program Files\Multimedia Card Reader;Trojan.DownLoad.40292;Deleted.;
shwicon2k.exe52;C:\Program Files\Multimedia Card Reader;Trojan.DownLoad.40292;Deleted.;
shwicon2k.exe58;C:\Program Files\Multimedia Card Reader;Trojan.DownLoad.40292;Deleted.;
shwicon2k.exe60;C:\Program Files\Multimedia Card Reader;Trojan.DownLoad.40292;Deleted.;
shwicon2k.exe65;C:\Program Files\Multimedia Card Reader;Trojan.DownLoad.40292;Deleted.;
shwicon2k.exe67;C:\Program Files\Multimedia Card Reader;Trojan.DownLoad.40292;Deleted.;
shwicon2k.exe70;C:\Program Files\Multimedia Card Reader;Trojan.DownLoad.40292;Deleted.;
shwicon2k.exe73;C:\Program Files\Multimedia Card Reader;Trojan.DownLoad.40292;Deleted.;
shwicon2k.exe74;C:\Program Files\Multimedia Card Reader;Trojan.DownLoad.40292;Deleted.;
shwicon2k.exe93;C:\Program Files\Multimedia Card Reader;Trojan.DownLoad.40292;Deleted.;
A0169603.exe;C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1796;Trojan.DownLoad.40292;Deleted.;
A0169604.exe;C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1796;Trojan.DownLoad.40292;Deleted.;
A0169607.exe;C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1796;Trojan.DownLoad.40292;Deleted.;
A0169616.exe;C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1796;Trojan.DownLoad.40292;Deleted.;
A0169624.exe;C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1796;Trojan.DownLoad.40292;Deleted.;
A0169625.exe;C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1796;Trojan.DownLoad.40292;Deleted.;
A0169656.exe;C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1797;Trojan.DownLoad.40292;Deleted.;
A0169657.exe;C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1797;Trojan.DownLoad.40292;Deleted.;
A0169684.exe;C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1798;Trojan.DownLoad.40292;Deleted.;
A0169685.exe;C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1798;Trojan.DownLoad.40292;Deleted.;
A0169686.exe;C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1798;Trojan.DownLoad.40292;Deleted.;
popcaploader.dll;C:\WINDOWS\Downloaded Program Files;Program.PopcapLoader;Moved.;
hpsysdrv.exe1603;C:\WINDOWS\system;Trojan.DownLoad.40292;Deleted.;
hpsysdrv.exe26020;C:\WINDOWS\system;Trojan.DownLoad.40292;Deleted.;
ctfmon.exe.tmp;C:\WINDOWS\system32;Trojan.DownLoad.40292;Deleted.;
hkcmd.exe1607;C:\WINDOWS\system32;Trojan.DownLoad.40292;Deleted.;
hkcmd.exe50;C:\WINDOWS\system32;Trojan.DownLoad.40292;Deleted.;
hkcmd.exe57;C:\WINDOWS\system32;Trojan.DownLoad.40292;Deleted.;
hkcmd.exe59;C:\WINDOWS\system32;Trojan.DownLoad.40292;Deleted.;
hkcmd.exe69;C:\WINDOWS\system32;Trojan.DownLoad.40292;Deleted.;
hkcmd.exe70;C:\WINDOWS\system32;Trojan.DownLoad.40292;Deleted.;
hkcmd.exe74;C:\WINDOWS\system32;Trojan.DownLoad.40292;Deleted.;
hkcmd.exe93;C:\WINDOWS\system32;Trojan.DownLoad.40292;Deleted.;
hkcmd.exe96;C:\WINDOWS\system32;Trojan.DownLoad.40292;Deleted.;
hkcmd.exe97;C:\WINDOWS\system32;Trojan.DownLoad.40292;Deleted.;
hphmon05.exe100;C:\WINDOWS\system32;Trojan.DownLoad.40292;Deleted.;
hphmon05.exe106;C:\WINDOWS\system32;Trojan.DownLoad.40292;Deleted.;
hphmon05.exe26029;C:\WINDOWS\system32;Trojan.DownLoad.40292;Deleted.;
sdccinfo.dll;C:\WINDOWS\system32;Trojan.Click.origin;Incurable.Moved.;
 
OK it looks like that there might have been downloaders.

You might need to reinstall some programs like Multimedia Card Reader and HP software.

Please reconnect it to interner and let me know how it behaves now.
 
Took back control of Windows Firewall

Shaba,

I found this on the web and took back control of Windows Firewall by the following steps.

1. Click Start, Run and type Regedit.exe
2. Navigate to the following location:

HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Microsoft \ WindowsFirewall

3. Backup the key and then delete the WindowsFirewall branch.
4. Close Regedit.exe and restart Windows.

These viruses are very nasty to be able to disable the Firewall.
 
Everything OK so far

Let's wait for a few days to make sure all the malware is gone. I'll be looking for advice on how to immunize my computer. I think one of your former messages gave me some options.
 
You must log in or register to reply here.
Back
Top