Virtumonde, need help!

[compgeek960]

for the past 3 or 4 days my internet had been going on and off but it would always be show as connected so i thought i might have a virus or something so i installed spybot s&d and ran the scan and got some stuff that was Virtumonde. i was so happy at that point because i thought i got rid of it and would finally be able to use the internet but no luck. the internet still didn't work. i ran the scan again but nothing showed up. i tried again the next day and i got more Virtumonde files picked up by the scan so it just keeps on coming back. i have tried using spybot s&d and avg but neither is able to completely remove the infection so i came here. i hope someone will be able to help me!

here is the log file from hijack this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:55 PM, on 8/29/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DynDNS Updater\DynTray.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 130.94.23.113:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6A811C6D-6E8E-4493-AD5C-16C082ABC747} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {8B6E45C1-FF1C-48D5-80BF-1AF56BE1B1BB} - (no file)
O2 - BHO: (no name) - {8EB8B0AE-B706-419A-A5D6-E39C5E888AE8} - (no file)
O2 - BHO: (no name) - {9BC896DC-6B85-47D8-B17A-1B06885F3557} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {BC868FB8-2AE4-493B-94F7-D5C3FF537ABF} - C:\Windows\system32\fcccAqnm.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: (no name) - {DD4A967A-4118-4C29-B14D-3BF2FCC61EF4} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BM996a6d7b] Rundll32.exe "C:\Windows\system32\bdnhcyyt.dll",s
O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: BOINC System Tray.lnk = C:\Windows\boinctray.exe
O4 - Global Startup: DynDNS Updater Tray Icon.lnk = C:\Program Files\DynDNS Updater\DynTray.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - https://www.cchs.net/onlinelearning/include/web_players7/awswaxd.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E98B2F9B-0B31-4490-802B-98347199046A}: NameServer = 192.168.0.1,192.168.1.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll oqwinn.dll tiotbc.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\deskscapes.dll
O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DesktopControlPanel.dll
O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DreamControl.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BOINC - Space Sciences Laboratory - C:\Program Files\BOINC\boinc.exe
O23 - Service: DynDNS Updater - Unknown owner - C:\Program Files\DynDNS Updater\DynUpSvc.exe
O23 - Service: lxbk_device - - C:\Windows\system32\lxbkcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 6251 bytes

 

[pskelley]

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
This can be a tough infection to remove and that is compounded by the fact that many tools will not run on Vista. I can only promise to do my best.

1) I do not see TeaTimer running, we need it disabled if it is:
We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

2) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here to your Desktop

• Double click combofix.exe and follow the prompts.
• When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

 

[compgeek960]

i tried

i tried to follow the tutorial that u provided a link to but when i run combofix here is what it says:

Please wait.
ComboFix is preparing to run.
1 file<s> moved.
2008-08-30 was unexpected at this time.

one thing i don't understand about this is that it isn't even august 30, it is the 31. then it just doesn't do anything. in the tutorial, it says to drag a file into the combofix icon but that file is for xp. is there a file for vista that i would have to drag into the icon because i am just double clicking on the combofix icon directly. and right now i had to use the virtual pc app to use my virtual pc to access the internet because most web pages just won't load including the one with the tutorial. thanks for your help.

 

[pskelley]

If you clock is not set to the correct time, set it.

The tutorial is important in the overall instructions, but most important is this:

Make sure you are running combofix as administrator since this is Vista, then follow these directions.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Thanks

 

[compgeek960]

i still keep on getting the same error. i made sure the time was right by synchronizing with time.microsoft.com. the user account i am using is the only user account i have on the system and it is and administrator account. i have combofix on the desktop and i tried double clicking on it and by right clicking and selecting run as administrator but with the same result. if u want i will let u remote control my computer suing a program called teamviewer so that u can see exactly what is happening and show me what i am doing wrong because i can't seem to find any errors in what i am doing. if you would like to do this then email me at and i will give u the information u would need to access my comp or else we will just continue our communication on this forum. Thanks again!

 

[compgeek960]

just disregard my last reply, it finally worked although i didn't do anything different this time. well anyways here is the combofix log:

ComboFix 08-08-30.03 - Owner 2008-09-01 0:18:25.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.1307 [GMT -4:00]
Running from: C:\Users\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\Owner\AppData\Roaming\macromedia\Flash Player\#SharedObjects\3DDNFZLT\bin.clearspring.com
C:\Users\Owner\AppData\Roaming\macromedia\Flash Player\#SharedObjects\3DDNFZLT\bin.clearspring.com\clearspring.sol
C:\Users\Owner\AppData\Roaming\macromedia\Flash Player\#SharedObjects\3DDNFZLT\interclick.com
C:\Users\Owner\AppData\Roaming\macromedia\Flash Player\#SharedObjects\3DDNFZLT\interclick.com\ud.sol
C:\Users\Owner\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Users\Owner\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Users\Owner\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Users\Owner\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Windows\system32\bdnhcyyt.dll
C:\Windows\system32\hkwoegrg.dll
C:\Windows\System32\Jmnmonpo.ini
C:\Windows\System32\Jmnmonpo.ini2
C:\Windows\system32\jxibvjqa.dll
C:\Windows\system32\mdgommeq.dll
C:\Windows\system32\mnqAcccf.ini
C:\Windows\System32\mnqAcccf.ini2
C:\Windows\system32\nvlhgcgs.dll
C:\Windows\System32\nWvCJSBc.ini
C:\Windows\System32\nWvCJSBc.ini2
C:\Windows\system32\oqwinn.dll
C:\Windows\System32\phifqpbo.ini
C:\Windows\system32\qemmogdm.ini
C:\Windows\system32\rehmmipu.exe
C:\Windows\system32\sgcghlvn.ini
C:\Windows\system32\tiotbc.dll
C:\Windows\System32\twwvyGgh.ini
C:\Windows\System32\twwvyGgh.ini2
C:\Windows\System32\ueolbkhj.ini
C:\Windows\system32\uhpnxphf.dll
C:\Windows\System32\vseysakc.ini
C:\Windows\System32\vulqaged.ini
C:\Windows\System32\vxmalilg.ini

.
((((((((((((((((((((((((( Files Created from 2008-08-01 to 2008-09-01 )))))))))))))))))))))))))))))))
.

2008-08-28 23:24 . 2008-08-28 23:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-28 19:30 . 2008-08-28 19:30 93,696 --------- C:\Windows\System32\lsrmiavt.cay
2008-08-28 15:50 . 2008-08-28 15:50 <DIR> d-------- C:\Users\All Users\CrypKey
2008-08-28 15:50 . 2008-08-28 15:50 <DIR> d-------- C:\ProgramData\CrypKey
2008-08-28 15:50 . 2008-08-28 16:04 2,240 --a------ C:\Windows\System32\esnecil.nlp
2008-08-28 15:50 . 2008-08-28 18:39 2,240 --a------ C:\Windows\System32\esnecil.ind
2008-08-28 15:50 . 2008-08-28 18:39 4 --a------ C:\Windows\vx86036.dat
2008-08-28 15:44 . 2008-08-28 15:44 <DIR> d-------- C:\Program Files\VW
2008-08-28 15:43 . 2008-08-28 15:43 <DIR> d-------- C:\Users\All Users\InstallShield
2008-08-28 15:43 . 2008-08-28 15:43 <DIR> d-------- C:\ProgramData\InstallShield
2008-08-28 15:42 . 1999-06-18 17:49 165,888 --a------ C:\Windows\Ckconfig.exe
2008-08-28 15:42 . 2007-03-14 19:56 122,880 --a------ C:\Windows\System32\Crypserv.exe
2008-08-28 15:42 . 2006-01-09 22:47 31,846 --a------ C:\Windows\System32\Ckldrv.sys
2008-08-28 15:42 . 1996-05-03 13:21 27,648 -ra------ C:\Windows\Setup_ck.exe
2008-08-28 15:42 . 1996-05-03 11:36 18,432 --a------ C:\Windows\Setup_ck.dll
2008-08-28 15:42 . 1995-07-04 14:33 11,776 --a------ C:\Windows\Ckrfresh.exe
2008-08-28 15:42 . 2008-08-28 15:42 46 --a------ C:\Windows\Crypkey.ini
2008-08-28 15:41 . 2008-08-28 18:39 <DIR> d-------- C:\Program Files\ZoomText 9.1
2008-08-28 15:40 . 2008-02-25 14:18 122,880 --a------ C:\Windows\System32\Zosf.dll
2008-08-28 15:40 . 2008-02-25 14:18 86,016 --a------ C:\Windows\System32\Ai2XOR.dll
2008-08-27 16:14 . 2008-08-27 16:14 <DIR> d-------- C:\Users\Owner\dwhelper
2008-08-26 19:36 . 2008-08-26 19:36 91 --a------ C:\Windows\wininit.ini
2008-08-26 19:09 . 2008-08-26 19:21 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-08-26 19:09 . 2008-08-26 19:21 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-08-26 19:09 . 2008-08-26 19:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-26 19:07 . 2008-08-26 19:07 <DIR> d-------- C:\VundoFix Backups
2008-08-26 18:38 . 2008-08-26 18:38 33,832 --a------ C:\Windows\System32\ayzqnwqd.exe
2008-08-26 16:37 . 2008-08-26 16:37 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-08-24 14:38 . 2008-08-24 14:38 <DIR> d-------- C:\Users\Owner\AppData\Roaming\Template
2008-08-24 14:38 . 2008-08-24 18:43 120 --a------ C:\Users\Owner\AppData\Roaming\wklnhst.dat
2008-08-22 18:55 . 2008-08-22 18:55 0 --a------ C:\Windows\System32\Setup_ver1.1645.0
2008-08-22 14:20 . 2008-07-19 01:09 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
2008-08-22 14:20 . 2008-07-18 23:44 1,524,736 --a------ C:\Windows\System32\wucltux.dll
2008-08-22 14:20 . 2008-07-19 01:09 563,912 --a------ C:\Windows\System32\wuapi.dll
2008-08-22 14:20 . 2008-07-18 22:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
2008-08-22 14:20 . 2008-07-18 23:44 83,456 --a------ C:\Windows\System32\wudriver.dll
2008-08-22 14:20 . 2008-07-19 01:10 53,448 --a------ C:\Windows\System32\wuauclt.exe
2008-08-22 14:20 . 2008-07-19 01:10 45,768 --a------ C:\Windows\System32\wups2.dll
2008-08-22 14:20 . 2008-07-19 01:10 36,552 --a------ C:\Windows\System32\wups.dll
2008-08-22 14:20 . 2008-07-18 20:44 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-08-21 23:55 . 2008-08-21 23:55 <DIR> d-------- C:\Users\Owner\AppData\Roaming\WNR
2008-08-21 17:49 . 2008-08-21 17:49 <DIR> d-------- C:\Program Files\Zoo Digital Publishing
2008-08-21 12:19 . 2008-08-21 12:22 <DIR> d-------- C:\Capitalism II
2008-08-18 23:11 . 2008-08-18 23:00 2,552,676 --a------ C:\Users\Public\firenet3_win.zip
2008-08-18 23:06 . 2008-08-18 23:12 <DIR> d-------- C:\Program Files\Unibrain
2008-08-18 23:04 . 2008-08-18 23:00 22,500,695 --a------ C:\Users\Public\ubCorePro32_080808.exe
2008-08-16 21:48 . 2008-08-16 21:48 <DIR> d-------- C:\Program Files\Cornelsen
2008-08-15 13:35 . 2008-08-15 13:35 <DIR> d-------- C:\Users\All Users\TEMP
2008-08-15 13:35 . 2008-08-15 13:35 <DIR> d-------- C:\ProgramData\TEMP
2008-08-15 13:33 . 2008-08-20 20:57 <DIR> d-------- C:\Program Files\Badaboom
2008-08-14 00:58 . 2008-08-14 00:58 <DIR> d-------- C:\Users\Public\DVD2
2008-08-13 23:17 . 2008-08-13 23:17 <DIR> d-------- C:\Users\Owner\AppData\Roaming\LEAPS
2008-08-13 23:14 . 2008-08-13 23:14 <DIR> d-------- C:\Program Files\Pegasys Inc
2008-08-13 14:43 . 2008-08-13 14:43 <DIR> d-------- C:\Windows\System32\URTTEMP
2008-08-13 14:40 . 2008-08-13 14:40 <DIR> d-------- C:\Program Files\Sonic
2008-08-13 14:36 . 2008-08-13 14:36 <DIR> d-------- C:\Users\Owner\dvd4
2008-08-13 14:31 . 2008-08-13 14:31 <DIR> d-------- C:\Users\Owner\dvd3
2008-08-13 14:29 . 2008-08-13 14:29 <DIR> d-------- C:\Users\Owner\dvd1
2008-08-13 14:17 . 2008-08-13 14:17 <DIR> d-------- C:\Users\Owner\.thumb
2008-08-13 13:56 . 2008-08-13 13:56 107 --a------ C:\Windows\IfoEdit.INI
2008-08-13 13:21 . 2008-08-13 16:34 <DIR> d-------- C:\Projects
2008-08-13 13:18 . 2008-08-14 13:42 <DIR> d-------- C:\Program Files\DVDlabPro2
2008-08-13 10:51 . 2008-08-25 18:56 <DIR> d-------- C:\Users\Owner\AppData\Roaming\Folding@home-gpu
2008-08-13 10:51 . 2008-08-13 10:51 <DIR> d-------- C:\Program Files\Folding@home
2008-08-13 10:38 . 2008-08-13 10:17 7,937,396 --a------ C:\Users\Public\Badaboom_v0.9.exe
2008-08-12 23:42 . 2008-08-12 23:42 <DIR> d-------- C:\Users\Owner\AppData\Roaming\Pegasys Inc
2008-08-12 23:34 . 2008-08-12 23:32 145,504 --a------ C:\Windows\System32\bgsvcgen.exe
2008-08-12 23:34 . 2008-08-12 23:32 59,488 --a------ C:\Windows\System32\GenSvcInst.exe
2008-08-12 23:34 . 2008-08-12 23:32 33,408 --a------ C:\Windows\System32\drivers\CDRBSDRV.SYS
2008-08-12 23:30 . 2008-08-13 21:44 104 --a------ C:\Windows\Muxman.ini
2008-08-12 22:59 . 2008-08-14 12:13 <DIR> d-------- C:\Program Files\Super_DVD_Creator_9.8
2008-08-12 15:46 . 2008-08-12 15:46 <DIR> d-------- C:\Windows\System32\AGEIA
2008-08-12 15:46 . 2008-08-12 15:46 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-08-12 15:45 . 2008-08-12 15:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-12 15:08 . 2008-08-12 15:51 <DIR> d-------- C:\Users\Public\Sid & Krishna
2008-08-12 14:12 . 2008-07-15 21:32 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-12 14:01 . 2008-06-26 21:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-08-12 14:01 . 2008-06-27 00:15 827,392 --a------ C:\Windows\System32\wininet.dll
2008-08-12 14:01 . 2008-06-18 23:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-08-12 14:01 . 2008-04-18 01:48 269,312 --a------ C:\Windows\System32\es.dll
2008-08-12 13:59 . 2008-04-10 01:12 738,304 --a------ C:\Windows\System32\inetcomm.dll
2008-08-12 13:56 . 2008-08-12 13:56 <DIR> d-------- C:\Users\All Users\Ahead
2008-08-12 13:56 . 2008-08-12 13:56 <DIR> d-------- C:\ProgramData\Ahead
2008-08-10 20:33 . 2008-08-10 20:33 0 --a------ C:\Users\Owner\jagex_runescape_preferences.dat
2008-08-10 20:09 . 2008-08-10 20:09 <DIR> d-------- C:\Windows\.jagex_cache_32
2008-08-07 16:14 . 2008-08-07 16:14 647,168 --a------ C:\Windows\System32\FireiX.dll
2008-08-06 17:23 . 2008-08-06 17:23 393,216 --a------ C:\Windows\System32\CFiCamera.dll
2008-08-06 17:21 . 2008-08-06 17:21 1,482,752 --a------ C:\Windows\System32\ubShared.dll
2008-08-06 17:21 . 2008-08-06 17:21 253,952 --a------ C:\Windows\System32\FiCommon.dll
2008-08-06 17:17 . 2008-08-06 17:17 692,224 --a------ C:\Windows\System32\ubUI.dll
2008-08-06 15:59 . 2008-08-06 15:59 1,130,496 --a------ C:\Windows\System32\UB1394.dll
2008-08-06 15:34 . 2008-08-06 15:34 233,472 --a------ C:\Windows\System32\ubVideo.dll
2008-08-06 13:53 . 2008-08-06 13:53 39,424 --a------ C:\Windows\System32\drivers\UBUMAPI.sys
2008-08-06 13:52 . 2008-08-06 13:52 100,352 --a------ C:\Windows\System32\drivers\UB1394.sys
2008-08-06 13:52 . 2008-08-06 13:52 17,408 --a------ C:\Windows\System32\drivers\UBSBM.sys
2008-08-06 13:48 . 2008-08-06 13:48 114,688 --a------ C:\Windows\System32\drivers\ubohci.sys
2008-08-06 08:26 . 2008-08-06 08:26 124,928 --a------ C:\Windows\System32\drivers\Rtlh86.sys
2008-08-06 08:26 . 2008-08-06 08:26 9,728 --a------ C:\Windows\System32\RtNicProp32.dll
2008-08-01 11:05 . 2008-08-01 11:05 70,936 --a------ C:\Windows\System32\PhysXLoader.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-01 03:06 --------- d-----w C:\Users\Owner\AppData\Roaming\Free Download Manager
2008-08-31 20:16 --------- d-----w C:\Program Files\BOINC
2008-08-31 03:47 --------- d-----w C:\Users\Owner\AppData\Roaming\uTorrent
2008-08-30 02:02 --------- d-----w C:\Users\Owner\AppData\Roaming\Any Video Converter
2008-08-30 02:02 --------- d-----w C:\Program Files\Any Video Converter
2008-08-28 19:56 97,928 ----a-w C:\Windows\system32\drivers\avgldx86.sys
2008-08-28 19:46 --------- d-----w C:\Program Files\Trillian
2008-08-28 19:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-28 19:43 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-24 18:36 --------- d-----w C:\Program Files\Microsoft Works
2008-08-19 03:16 --------- d-----w C:\ProgramData\NVIDIA
2008-08-19 03:15 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-16 15:30 --------- d-----w C:\Users\Owner\AppData\Roaming\Apple Computer
2008-08-14 17:48 --------- d-----w C:\Users\Owner\AppData\Roaming\OpenOffice.org2
2008-08-14 17:42 --------- d-----w C:\Program Files\Google
2008-08-14 17:41 --------- d-----w C:\Program Files\Coupons
2008-08-14 14:53 --------- d-----w C:\Users\Owner\AppData\Roaming\dvdcss
2008-08-13 14:43 --------- d-----w C:\Program Files\Windows Mail
2008-08-12 19:06 --------- d-----w C:\Users\Owner\AppData\Roaming\Download Manager
2008-08-12 18:13 --------- d-----w C:\ProgramData\Microsoft Help
2008-08-12 17:56 --------- d-----w C:\Users\Owner\AppData\Roaming\Ahead
2008-08-02 16:20 7,314,528 ----a-w C:\Windows\system32\drivers\nvlddmkm.sys
2008-07-31 01:19 --------- d-----w C:\Program Files\Java
2008-07-29 03:25 --------- d-----w C:\ProgramData\Apple Computer
2008-07-29 03:25 --------- d-----w C:\Program Files\QuickTime
2008-07-29 03:25 --------- d-----w C:\Program Files\iTunes
2008-07-29 03:25 --------- d-----w C:\Program Files\iPod
2008-07-29 03:24 --------- d-----w C:\Program Files\Apple Software Update
2008-07-29 03:23 --------- d-----w C:\ProgramData\Apple
2008-07-29 03:23 --------- d-----w C:\Program Files\Common Files\Apple
2008-07-26 16:22 --------- d-----w C:\Program Files\DiskTrix
2008-07-26 15:16 --------- d-----w C:\Program Files\PConPoint
2008-07-21 18:41 --------- d-----w C:\Users\Owner\AppData\Roaming\Atari
2008-07-21 17:14 --------- d-----w C:\Users\Owner\AppData\Roaming\Leadertech
2008-07-21 17:14 --------- d-----w C:\Program Files\Common Files\PocketSoft
2008-07-21 17:11 --------- d-----w C:\Program Files\Atari
2008-07-20 22:58 --------- d-----w C:\Program Files\FreeRIP3
2008-07-19 02:11 --------- d-----w C:\ProgramData\FreeRIP
2008-07-14 03:50 --------- d-----w C:\ProgramData\DFX
2008-07-10 03:35 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-07 19:33 --------- d-----w C:\Users\Owner\AppData\Roaming\ImgBurn
2008-07-07 19:09 --------- d-----w C:\Program Files\Opera
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-04-16 22:13 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BOINC Manager.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\BOINC Manager.lnk
backup=C:\Windows\pss\BOINC Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BOINC System Tray.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\BOINC System Tray.lnk
backup=C:\Windows\pss\BOINC System Tray.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^DynDNS Updater Tray Icon.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\DynDNS Updater Tray Icon.lnk
backup=C:\Windows\pss\DynDNS Updater Tray Icon.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
backup=C:\Windows\pss\Run Google Web Accelerator.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
backup=C:\Windows\pss\OpenOffice.org 2.3.lnk.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\9a595ee7
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yodm3D

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2007-12-22 03:20 222080 C:\Program Files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-07-10 09:47 116040 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-04-01 05:39 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
--a------ 2008-01-19 03:33 125952 C:\Windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-10 10:51 289064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
--a------ 2008-01-19 03:33 1233920 C:\Program Files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-08-18 18:41 1832272 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSnD]
-rahs---- 2008-07-07 09:42 4891472 C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-04-11 23:48 171448 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
--a------ 2008-01-19 03:36 2153472 C:\Windows\System32\oobefldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BM996a6d7b"=Rundll32.exe "C:\Windows\system32\bdnhcyyt.dll",s
"9a595ee7"=rundll32.exe "C:\Windows\system32\obpqfihp.dll",b

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{CD64D2D4-93F2-4318-BDCC-601A8B4544A5}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{7E28A8E6-2F35-4A71-B5C3-3D58EED75E62}"= UDP:C:\Windows\System32\lxbkcoms.exe:Lexmark Communications System
"{CCF40B32-7C52-4752-B472-4E4EE2F59D9A}"= TCP:C:\Windows\System32\lxbkcoms.exe:Lexmark Communications System
"{DC473CFF-5769-4F26-9049-3C3C8540AE35}"= UDP:C:\Windows\System32\lxbkcoms.exe:Lexmark Communications System
"{0B89A884-778D-4014-82D9-9C851D96B0DA}"= TCP:C:\Windows\System32\lxbkcoms.exe:Lexmark Communications System
"{0783D837-0366-43FD-A798-5ACA815C64F0}"= UDP:C:\Windows\System32\spool\drivers\w32x86\3\lxbkpswx.exerinter Status Window
"{11A73F3D-7827-453D-93D9-DCF1C23A5443}"= TCP:C:\Windows\System32\spool\drivers\w32x86\3\lxbkpswx.exerinter Status Window
"{5F99581A-D182-4EC5-877C-491F6E045BC3}"= UDP:3388:Remote1
"{FDCE5609-0199-42AA-A9B2-473C86A930D1}"= TCP:3388:Remote2
"{2518543C-0EF2-4B76-9577-D609427AE2B8}"= UDP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{75DECBF9-F993-4CB4-90A3-77DB6EB87A2B}"= TCP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"TCP Query User{80617137-2AE9-4AD5-802E-4D6BF36663CC}C:\\program files\\videolan\\vlc\\vlc.exe"= UDP:C:\program files\videolan\vlc\vlc.exe:VLC media player
"UDP Query User{0B4E6D2B-E457-4FE7-953F-B49EC48EA2C3}C:\\program files\\videolan\\vlc\\vlc.exe"= TCP:C:\program files\videolan\vlc\vlc.exe:VLC media player
"{47580A17-9798-4659-A7D1-5009C5E50E00}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
"TCP Query User{2E09C2A0-9D01-4D97-B1C1-C2FF3B32BDE7}C:\\program files\\trillian\\trillian.exe"= UDP:C:\program files\trillian\trillian.exe:Trillian
"UDP Query User{C9D24377-E0D8-4491-AB83-B45AECDBE992}C:\\program files\\trillian\\trillian.exe"= TCP:C:\program files\trillian\trillian.exe:Trillian
"{0269879B-E4BA-4717-9011-1804FAE0A0A8}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{4BD4AAF2-F92D-4048-8250-67A007120672}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{11D06650-4A0B-4A02-AD54-E49ECB91CF09}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{F26BF8DA-1937-4F0F-8988-4FA6EF1242AE}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{EBC38C1A-1DAE-4C8F-8C2E-763F61CD6E01}"= UDP:1111:uTorrent
"{8EBFDA2C-CFA3-4DB7-85A3-8EFF5823B9D5}"= TCP:1111:uTorrent
"TCP Query User{07303089-A745-494F-B855-B1E6C9EC56DD}C:\\program files\\opera\\opera.exe"= UDP:C:\program files\opera\opera.exe:Opera Internet Browser
"UDP Query User{5EE7B230-24C7-43E2-A239-5292D1554EE4}C:\\program files\\opera\\opera.exe"= TCP:C:\program files\opera\opera.exe:Opera Internet Browser
"{195BEE22-C78A-4148-9109-6D553CDBFD39}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{3256AA87-2305-4381-AFDA-E11B4ED2E833}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{137FBA08-E403-4BD5-B17E-FDD66CC36ABD}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{1DBFBFF2-F86A-4590-AFC3-A76981A54339}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{EC04B904-08B6-41F5-8908-B96FF8C7F7C8}"= UDP:9420:Red Swoosh
"{F8C6F8AA-B28D-44DA-AA71-0F0F8E6337C3}"= TCP:5000:Red Swoosh
"TCP Query User{D85F165A-C7C3-454A-B4DD-5D5930564260}C:\\capitalism ii\\cap2.exe"= UDP:C:\capitalism ii\cap2.exe:cap2
"UDP Query User{AFC90AF3-3BAE-4F80-A46E-55FE626B5BBC}C:\\capitalism ii\\cap2.exe"= TCP:C:\capitalism ii\cap2.exe:cap2
"{F158E2D6-0580-4C92-823A-DF8C98356F62}"= UDP:C:\Program Files\ZoomText 9.1\Zt.exe:ZoomText 9.1
"{F2B55368-CEDE-4BF7-8263-3E2C279ECD17}"= TCP:C:\Program Files\ZoomText 9.1\Zt.exe:ZoomText 9.1
"{4EE3B194-A907-4BAD-BB9E-BDB791CDDE46}"= UDP:C:\Program Files\ZoomText 9.1\Zt.exe:ZoomText 9.1
"{336C7B72-A41D-4355-9E34-36264180DEB3}"= TCP:C:\Program Files\ZoomText 9.1\Zt.exe:ZoomText 9.1
"TCP Query User{31A4C956-BF96-44EB-B31B-6D20D774C230}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{C84FC2A3-743E-4BCC-AA10-98CE2791B524}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

R1 Ai2sXP;Ai2sXP;C:\Windows\system32\drivers\Ai2sXP.sys [2008-02-25 13:54]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-08-28 15:56]
R2 DynDNS Updater;DynDNS Updater;C:\Program Files\DynDNS Updater\DynUpSvc.exe [2008-04-23 12:57]
R2 lxbk_device;lxbk_device;C:\Windows\system32\lxbkcoms.exe [2008-02-19 09:12]
R2 ubsbm;Unibrain 1394 SBM Driver;C:\Windows\system32\DRIVERS\ubsbm.sys [2008-08-06 13:52]
R2 ubumapi;Unibrain 1394 FireAPI Driver;C:\Windows\system32\DRIVERS\ubumapi.sys [2008-08-06 13:53]
R3 Ai2Mmpd;Ai2Mmpd;C:\Windows\system32\DRIVERS\Ai2Mmpd.sys [2008-02-25 13:54]
R3 ubohci;Unibrain 1394 OHCI Driver;C:\Windows\system32\DRIVERS\ubohci.sys [2008-08-06 13:48]
S2 BOINC;BOINC;C:\Program Files\BOINC\boinc.exe [2008-03-04 14:00]
S2 Parclass;Parclass;C:\Windows\system32\Drivers\Parclass.sys [2003-02-10 14:30]
S3 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-28 15:56]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2007-02-22 18:39]
S4 msvsmon90;Visual Studio 2008 Remote Debugger;C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2007-11-07 08:58]
S4 TeamViewer;TeamViewer 3;C:\Program Files\TeamViewer3\TeamViewer_Host.exe [2008-05-15 09:17]
S4 ZoomText Helper Service;ZoomText Helper Service;C:\Program Files\ZoomText 9.1\ZoomTextHelperService.exe [2008-02-25 14:07]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{93d1c94f-2c44-11dd-89b8-001a4d548aae}]
\shell\AutoRun\command - H:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f6acdfd-08f6-11dd-a428-001a4d548aae}]
\shell\AutoRun\command - E:\Capinst.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3f484be-0739-11dd-9db8-001a4d548aae}]
\shell\AutoRun\command - G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder

2008-09-01 C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3A8D0A97-79A8-4155-B346-13E0D06FABA1} - C:\Windows\system32\fcccAqnm.dll
HKLM-Run-BM996a6d7b - C:\Windows\system32\uhpnxphf.dll
MSConfigStartUp-BM996a6d7b - C:\Windows\system32\uhpnxphf.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\1c49wcx2.default\
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.1.0.30401.0.dll
FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\np32asw.dll
FF -: plugin - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\1c49wcx2.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF -: plugin - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-01 00:30:47
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\nvvsvc.exe
C:\Windows\System32\audiodg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\microsoft shared\VS7DEBUG\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Windows\System32\VSSVC.exe
C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe
C:\Windows\System32\iashost.exe
C:\Program Files\ZoomText 9.1\ZtUac.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-09-01 0:37:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-01 04:37:22

Pre-Run: 26,217,922,560 bytes free
Post-Run: 25,553,182,720 bytes free

364 --- E O F --- 2008-08-26 21:21:41





and the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:38, on 2008-09-01
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ZoomText 9.1\ZtUac.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 130.94.23.113:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O13 - Gopher Prefix:
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - https://www.cchs.net/onlinelearning/include/web_players7/awswaxd.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E98B2F9B-0B31-4490-802B-98347199046A}: NameServer = 192.168.0.1,192.168.1.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\deskscapes.dll
O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DesktopControlPanel.dll
O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DreamControl.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BOINC - Space Sciences Laboratory - C:\Program Files\BOINC\boinc.exe
O23 - Service: DynDNS Updater - Unknown owner - C:\Program Files\DynDNS Updater\DynUpSvc.exe
O23 - Service: lxbk_device - - C:\Windows\system32\lxbkcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 5277 bytes



Hope this helps and i am so glad it worked this time! Thanks again!

 

[pskelley]

Not a good idea to post your email addy, spambots look for those.

Thanks for returning your information, follow the directions carefully:

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run DISK CLEANUP: ALL PROGRAMS > ACCESSORIES > SYSTEM TOOLS > DISK CLEANUP

Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Let me know how the computer is running now.

Thanks

 

[compgeek960]

the computer seems to be running better now since the internet is no longer being block. here are the log files:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:14, on 2008-09-01
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\ZoomText 9.1\ZtUac.exe
C:\Program Files\ZoomText 9.1\ZtUac.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 130.94.23.113:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O13 - Gopher Prefix:
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - https://www.cchs.net/onlinelearning/include/web_players7/awswaxd.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\deskscapes.dll
O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DesktopControlPanel.dll
O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DreamControl.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BOINC - Space Sciences Laboratory - C:\Program Files\BOINC\boinc.exe
O23 - Service: DynDNS Updater - Unknown owner - C:\Program Files\DynDNS Updater\DynUpSvc.exe
O23 - Service: lxbk_device - - C:\Windows\system32\lxbkcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 5079 bytes




Malwarebytes' Anti-Malware 1.25
Database version: 1103
Windows 6.0.6001 Service Pack 1

13:12:52 2008-09-01
mbam-log-09-01-2008 (13-12-52).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 305827
Time elapsed: 1 hour(s), 35 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\Windows\System32\bdnhcyyt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Windows\System32\hkwoegrg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Windows\System32\jxibvjqa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Windows\System32\mdgommeq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Windows\System32\nvlhgcgs.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Windows\System32\oqwinn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Windows\System32\rehmmipu.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Windows\System32\tiotbc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Windows\System32\uhpnxphf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\lsrmiavt.cay (Trojan.Vundo) -> Quarantined and deleted successfully.


Thanks again!

 

[pskelley]

Thanks for returning your information and the feedback. The junk MBAM found is in the combofix quarantine, except for the last item, and it will go with combofix.

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

I am not seeing AVG 8 in Running Processes? Do you have it turned off or something...you must have a realtime antivirus program running.

Have a look at this tutorial a friend sent me in case you can benefit from it.
How to Install Free version AVG 8.0 without LinkScanner feature
http://russelltexas.com/tutorials/avg8install.htm

What I would like you to do at this point, is make sure AVG 8 is updated and run a system scan, remove what it finds and let me know how the computer is running at that point.

Thanks...Phil

 

[compgeek960]

i had turned off avg when i ran the combofix and then forgot to turn it back on. thanks for reminding me. i ran the scan and it found some tracking cookies. the computer is working fine now. thanks for all your help!

 

[pskelley]

Sounds great, safe surfing:bigthumb:

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html