virtumonde strikes again

eigerzoom · Dec 22, 2008

i know where i got this virus from
i downloaded a "free" program from a p2p .torrent site
i am aware you do not recommend p2p and i never use utorrent outside of a private community anymore
(save this one recent incident which will be my last)
i no longer use bitlord...it will be uninstalled
i apologize for my own stupidity of using p2p frivolously and having to come here for your help with virtumonde
spybot did find a malware which did not resurface after fixing
virtumonde keeps coming back
and as described in the details...tries to access the internet via winlogon...
it also tries to open webpages/popups frequently

thank you for you help in advance
here is the HJT Log without wordwrap

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:50:04 AM, on 12/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\j2 Messenger 4.4\J2GDllCmd.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\OSDEx\OSDEx.exe
X:\Software Downloads\Essential\tclocklight-040702-3\tclock.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\electrochemic°\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\MICROS~4\Streets.exe
X:\TorrentialRain\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {0F242F92-7A07-45C1-A408-1C5C4C917457} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\fccaWqqr.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {B868C96B-E0E3-4FCA-AA37-2899CA28388A} - C:\WINDOWS\system32\urqQigee.dll
O2 - BHO: (no name) - {c2090b76-c93a-4d18-8c0d-d020441c717e} - C:\WINDOWS\system32\paselilu.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [zepoyuyofe] Rundll32.exe "C:\WINDOWS\system32\gewapaba.dll",s
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [j2 4.4] "C:\Program Files\j2 Messenger 4.4\J2GDllCmd.exe" /R
O4 - HKCU\..\Run: [Pinnacle Game Profiler] "C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe" -atboottime
O4 - HKUS\S-1-5-19\..\Run: [zepoyuyofe] Rundll32.exe "C:\WINDOWS\system32\gewapaba.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [zepoyuyofe] Rundll32.exe "C:\WINDOWS\system32\gewapaba.dll",s (User 'NETWORK SERVICE')
O4 - S-1-5-18 Startup: Dialog Box Assistant.lnk = C:\Program Files\OSDEx\OSDEx.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: E-mail.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: Shortcut to tclock.lnk = X:\Software Downloads\Essential\tclocklight-040702-3\tclock.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Dialog Box Assistant.lnk = C:\Program Files\OSDEx\OSDEx.exe (User 'Default user')
O4 - .DEFAULT Startup: E-mail.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: Shortcut to tclock.lnk = X:\Software Downloads\Essential\tclocklight-040702-3\tclock.exe (User 'Default user')
O4 - Startup: Dialog Box Assistant.lnk = C:\Program Files\OSDEx\OSDEx.exe
O4 - Startup: E-mail.lnk = ?
O4 - Startup: Shortcut to tclock.lnk = X:\Software Downloads\Essential\tclocklight-040702-3\tclock.exe
O4 - Global Startup: Pidgin.lnk = C:\Program Files\Pidgin\pidgin.exe
O4 - Global Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222471195500
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
O20 - AppInit_DLLs: ,C:\WINDOWS\system32\mirububu.dll eetbuk.dll
O20 - Winlogon Notify: fccaWqqr - C:\WINDOWS\SYSTEM32\fccaWqqr.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle_updater.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 8296 bytes

Blade81 · Dec 27, 2008

Hi

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

eigerzoom · Dec 27, 2008

thanks

just an FYI...i installed a new video card and ram this week since last HJT...
new card ATI...old Nvidia

ComboFix 08-12-26.03 - electrochemic° 2008-12-27 10:57:39.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1645 [GMT -5:00]
Running from: c:\documents and settings\electrochemic°\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\arpqzt.dll
c:\windows\system32\duxohnvn.dll
c:\windows\system32\dyhslt.dll
c:\windows\system32\eegiQqru.ini
c:\windows\system32\eegiQqru.ini2
c:\windows\system32\evfwwuvt.ini
c:\windows\system32\fbeuoxev.dll
c:\windows\system32\fccaWqqr.dll
c:\windows\system32\gflkqkmm.dll
c:\windows\system32\hjsvdmwj.ini
c:\windows\system32\hquudmrv.ini
c:\windows\system32\jjohsifj.dll
c:\windows\system32\jkhndgim.ini
c:\windows\system32\knbkpcop.dll
c:\windows\system32\lcvwftkp.dll
c:\windows\system32\migdnhkj.dll
c:\windows\system32\mirububu.dll
c:\windows\system32\ncdcwfsq.dll
c:\windows\system32\nuystygd.dll
c:\windows\system32\nvnhoxud.ini
c:\windows\system32\okhwfgfl.dll
c:\windows\system32\pocpkbnk.ini
c:\windows\system32\qvjfvb.dll
c:\windows\system32\reibiu.dll
c:\windows\system32\tvuwwfve.dll
c:\windows\system32\txltokiv.ini
c:\windows\system32\uuinzx.dll
c:\windows\system32\vexouebf.ini
c:\windows\system32\vrmduuqh.dll
c:\windows\system32\vwgihh.dll
c:\windows\system32\wtyeqegc.dll
c:\windows\system32\wvUljHYr.dll
c:\windows\system32\xxyyvvUl.dll
c:\windows\system32\ymaluhns.dll
c:\windows\system32\yvjyoyhu.dll

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
.
((((((((((((((((((((((((( Files Created from 2008-11-27 to 2008-12-27 )))))))))))))))))))))))))))))))
.

2008-12-27 08:48 . 2008-12-27 08:48 <DIR> d-------- c:\program files\TrayMin
2008-12-27 08:47 . 1997-01-18 11:40 299,520 --a------ c:\windows\uninst.exe
2008-12-26 10:02 . 2008-12-26 10:03 1,407 --a------ c:\windows\ATICIM.INI
2008-12-26 09:59 . 2008-12-26 09:59 <DIR> d-------- C:\ATI
2008-12-25 22:56 . 2008-12-25 22:56 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Softland
2008-12-25 20:08 . 2008-12-27 05:36 <DIR> d-------- c:\program files\Fighter Ace Anniversary Edition
2008-12-25 15:27 . 2008-12-25 15:27 0 --a------ c:\windows\ativpsrm.bin
2008-12-25 15:18 . 2008-12-25 15:18 <DIR> d-------- c:\program files\Common Files\ATI Technologies
2008-12-25 15:16 . 2008-06-02 21:05 593,920 --a------ c:\windows\system32\ati2sgag.exe
2008-12-25 12:40 . 2008-12-26 10:12 <DIR> d-------- c:\program files\ATI Technologies
2008-12-22 06:47 . 2008-12-24 05:41 <DIR> d-------- c:\program files\Absolute Poker
2008-12-22 06:47 . 2008-12-22 06:47 <DIR> d-------- c:\program files\_uninstallation_info
2008-12-20 13:14 . 2008-12-20 13:14 153 --a------ c:\windows\wininit.ini
2008-12-20 12:06 . 2008-12-20 12:10 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-20 12:06 . 2008-12-20 14:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-19 10:59 . 2008-12-19 10:59 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-19 10:41 . 2008-12-19 10:41 <DIR> d-------- c:\windows\Sun
2008-12-19 10:26 . 2008-12-19 10:26 <DIR> d-------- c:\program files\Security Task Manager
2008-12-19 10:26 . 2008-12-23 15:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2008-12-19 06:09 . 2008-12-19 06:09 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Softland
2008-12-19 06:06 . 2008-12-19 06:06 <DIR> d-------- c:\program files\Softland
2008-12-19 06:06 . 2008-12-02 12:11 20,632 --a------ c:\windows\system32\dopdfmn6.dll
2008-12-19 06:06 . 2008-12-02 12:11 18,072 --a------ c:\windows\system32\dopdfmi6.dll
2008-12-19 06:06 . 2008-10-13 15:23 7,533 --a------ c:\windows\system32\dopdf6.ctm
2008-12-19 05:50 . 2008-12-27 10:30 2,204 --a------ c:\windows\twxeowsc
2008-12-19 05:49 . 2008-12-19 05:49 <DIR> d-------- C:\Archive
2008-12-19 02:14 . 2008-12-19 02:16 43 --a------ c:\windows\gswin32.ini
2008-12-19 02:09 . 2008-12-19 02:41 <DIR> d-------- c:\documents and settings\All Users\FreePDF
2008-12-18 07:52 . 2008-12-24 11:32 <DIR> d-------- c:\documents and settings\electrochemic°\Application Data\uTorrent
2008-12-16 06:30 . 2008-12-16 06:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Syscan
2008-12-13 07:06 . 2008-12-13 07:06 <DIR> d-------- c:\program files\ratDVD
2008-12-09 15:42 . 2008-12-09 15:42 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-09 07:08 . 2008-12-09 07:08 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2008-12-08 20:45 . 2008-12-08 20:45 <DIR> d-------- c:\documents and settings\electrochemic°\Application Data\OpenOffice.org
2008-12-08 20:43 . 2008-12-08 20:43 <DIR> d-------- c:\program files\OpenOffice.org 3
2008-12-08 20:43 . 2008-12-08 20:43 <DIR> d-------- c:\program files\JRE
2008-12-08 20:43 . 2008-12-09 15:42 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-08 20:42 . 2008-12-09 15:42 <DIR> d-------- c:\program files\Java
2008-12-08 20:42 . 2008-12-08 20:42 <DIR> d-------- c:\program files\Common Files\Java
2008-12-06 23:03 . 2008-12-06 23:03 91,632 --a------ c:\windows\system32\dsofile.dll
2008-12-06 22:53 . 2008-12-06 22:53 <DIR> d-------- c:\documents and settings\electrochemic°\Application Data\KALiNKOsoft
2008-12-06 22:48 . 2008-12-06 22:48 <DIR> d-------- c:\program files\KALiNKOsoft
2008-12-06 20:19 . 2008-12-10 02:48 <DIR> d-------- c:\program files\Sauerbraten
2008-12-05 03:18 . 2008-12-05 03:18 <DIR> d-------- c:\program files\Yahoo!
2008-12-05 03:18 . 2008-12-05 03:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-05 03:14 . 2008-12-05 03:14 <DIR> d-------- c:\documents and settings\default
2008-12-04 21:21 . 2008-12-04 21:24 <DIR> d-------- c:\program files\Microsoft Streets & Trips 2009
2008-12-04 21:19 . 2008-12-04 21:19 <DIR> d-------- c:\program files\MSECache
2008-12-03 19:19 . 2008-12-03 19:19 <DIR> d-------- C:\97914e1baa146da91f977c89fc7be2d0
2008-12-03 19:18 . 2008-12-03 19:19 <DIR> d-------- C:\ecc3bbfb26245cd3fd5f96eb1e
2008-12-03 17:56 . 2008-12-03 17:56 <DIR> d-------- c:\documents and settings\electrochemic°\Application Data\j2 Global
2008-12-03 17:54 . 2008-12-03 17:54 <DIR> d-------- c:\documents and settings\electrochemic°\Application Data\j2 Messenger
2008-12-03 17:54 . 2008-12-03 17:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\j2 Messenger 4.4 Output
2008-12-03 17:54 . 2008-12-03 17:54 0 --a------ c:\windows\system32\jConnect_4_4_Port
2008-12-03 17:53 . 2008-12-03 17:54 <DIR> d-------- c:\program files\j2 Messenger 4.4
2008-12-03 02:08 . 2008-04-13 20:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-12-03 02:08 . 2008-04-13 14:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-03 02:08 . 2008-04-13 14:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-12-03 02:08 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-01 22:42 . 2008-12-01 22:42 <DIR> d-------- c:\program files\Pidgin
2008-12-01 16:02 . 2008-04-13 14:45 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2008-11-28 22:29 . 2008-11-28 22:57 <DIR> d-------- c:\windows\system32\Defaults
2008-11-28 22:29 . 2000-12-05 09:11 4,174,814 --a------ c:\windows\system32\CT4MGM.SF2
2008-11-28 22:17 . 2008-11-28 22:18 <DIR> d--h----- c:\program files\Creative Installation Information
2008-11-28 22:17 . 2008-11-28 22:17 <DIR> d-------- c:\program files\Common Files\Creative
2008-11-28 22:17 . 1999-12-13 01:01 44,032 --a------ c:\windows\system32\CTSVCCDA.EXE
2008-11-28 22:17 . 1999-11-18 01:00 25,088 --a------ c:\windows\system32\CTSVCCTL.EXE
2008-11-28 21:05 . 2008-12-11 04:43 <DIR> d-------- c:\program files\Bodog Poker
2008-11-28 01:20 . 2008-11-28 01:20 <DIR> d-------- c:\program files\Syscan
2008-11-27 23:09 . 2008-11-27 23:09 0 --a------ c:\windows\nsreg.dat
2008-11-27 23:04 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-11-27 23:04 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-11-27 23:03 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-27 23:03 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-27 23:03 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-27 23:03 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-27 23:03 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-27 23:03 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-27 23:03 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-11-27 23:02 . 2008-04-13 14:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-11-27 23:02 . 2008-04-13 14:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-27 16:05 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-27 16:05 --------- d-----w c:\documents and settings\electrochemic°\Application Data\.purple
2008-12-27 15:24 53,248 ----a-w c:\windows\system32\zlib.dll
2008-12-25 20:19 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-06 02:06 --------- d-----w c:\documents and settings\electrochemic°\Application Data\vlc
2008-12-02 03:41 --------- d-----w c:\program files\Common Files\GTK
2008-11-29 06:07 361,600 ----a-w c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2008-11-29 06:07 361,600 ----a-w c:\windows\system32\drivers\TCPIP.SYS
2008-11-29 05:57 --------- d-----w c:\program files\BitLord
2008-11-29 03:20 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-11-29 03:17 --------- d-----w c:\program files\Creative
2008-11-28 06:26 --------- d-----w c:\program files\Common Files\Adobe
2008-11-28 06:20 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-09-26 08:18 32 --sha-w c:\windows\{D3FB4103-4A4A-4968-AA94-68E0D6F76E4C}.dat
2008-09-20 12:05 82,944 --sha-w c:\windows\system32\powamahe.dll
2008-09-20 12:05 62,464 --sha-w c:\windows\system32\zimilogo.dll
2008-09-26 08:18 32 --sha-w c:\windows\system32\{8D0A2401-5F60-430C-B7E3-558C05FB2A7A}.dat
.

------- Sigcheck -------

2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-09-26 03:49 359040 27a5959c94ee173a063ca06bd14f021a c:\windows\$NtServicePackUninstall$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
2008-11-29 01:07 361600 d24ea301e2b36c4e975fd216ca85d8e7 c:\windows\system32\dllcache\TCPIP.SYS
2008-11-29 01:07 361600 d24ea301e2b36c4e975fd216ca85d8e7 c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-09-26 4608]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Pinnacle Game Profiler"="c:\program files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe" [2008-12-06 2535424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2002-09-21 54976]
"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-09-21 38592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-09 136600]
"SmartGuardian"="c:\program files\SOYO\HW Monitor\ITESmart.exe" [2002-05-24 163840]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]

c:\documents and settings\electrochemicø\Start Menu\Programs\Startup\
Dialog Box Assistant.lnk - c:\program files\OSDEx\OSDEx.exe [2002-07-13 176128]

c:\documents and settings\electrochemicø\Start Menu\Programs\Startup\
Dialog Box Assistant.lnk - c:\program files\OSDEx\OSDEx.exe [2002-07-13 176128]

c:\documents and settings\electrochemicø\Start Menu\Programs\Startup\
Dialog Box Assistant.lnk - c:\program files\OSDEx\OSDEx.exe [2002-07-13 176128]

c:\docume~1\ALLUSE~1\Start Menu\Programs\Startup\
Pidgin.lnk - c:\program files\Pidgin\pidgin.exe [2008-10-19 45603]
TrayMin.lnk - c:\program files\TrayMin\traymin.exe [2008-12-27 45056]
WordWeb Pro.lnk - c:\program files\WordWeb\wweb32.exe [2008-09-26 19968]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-26 16:37 133104 c:\documents and settings\electrochemic°\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j2 4.4]
--a------ 2008-10-07 16:53 95744 c:\program files\j2 Messenger 4.4\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
--a------ 2003-03-11 15:24 86016 c:\program files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSnD]
-rahs---- 2008-07-07 09:42 4891472 c:\program files\Spybot - Search & Destroy\SpybotSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RegistryMechanic"=
"zepoyuyofe"=Rundll32.exe "c:\windows\system32\gewapaba.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"x:\\Software Downloads\\Data.Integrity\\utorrent.exe"=

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\DRIVERS\SI3112r.sys [2007-08-29 116264]
R2 ccPxySvc;Symantec Proxy Service;"c:\program files\Norton Personal Firewall\ccPxySvc.exe" [2002-09-21 34496]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-12-25 93696]
R3 ctgame;Game Port;c:\windows\system32\DRIVERS\ctgame.sys [2002-12-30 18840]
R3 iteio;iteio;\??\c:\windows\system32\drivers\iteio.sys [2008-09-25 3680]
S0 twxeowsc;twxeowsc;c:\windows\system32\drivers\ulfpbziy.sys []
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2008-06-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2008-06-27 555032]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2008-06-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2008-06-27 566296]
S3 itsernum;itsernum Filter ÅX°Êµ{¦¡;c:\windows\system32\DRIVERS\itsernum.sys [2008-09-25 20133]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys [2008-09-27 112384]
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\windows\Tasks\crzapdtv.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]

2008-12-27 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\electrochemic []

2008-09-26 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 08:04]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0F242F92-7A07-45C1-A408-1C5C4C917457} - (no file)
BHO-{892753d0-003f-4388-a7c7-930bae49430e} - c:\windows\system32\qvjfvb.dll
BHO-{c2090b76-c93a-4d18-8c0d-d020441c717e} - c:\windows\system32\paselilu.dll
BHO-{FCF50B96-3C1D-4F69-AA2A-31BC201EB753} - c:\windows\system32\urqQigee.dll
HKLM-Run-zepoyuyofe - c:\windows\system32\gewapaba.dll
MSConfigStartUp-fc31781a - c:\windows\system32\fbeuoxev.dll
MSConfigStartUp-zepoyuyofe - c:\windows\system32\gewapaba.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local

c:\windows\Downloaded Program Files\CTSUEng.ocx - c:\windows\Downloaded Program Files\CTSUEngn.ocx
O16 -: {6C269571-C6D7-4818-BCA4-32A035E8C884}
hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
c:\windows\Downloaded Program Files\CTSUEng.inf
FF - ProfilePath - c:\documents and settings\electrochemic°\Application Data\Mozilla\Firefox\Profiles\i7eprqrr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\electrochemic°\Application Data\Mozilla\Firefox\Profiles\i7eprqrr.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-27 11:04:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\drivers\ulfpbziy.sys 25088 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\savedump.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Norton Personal Firewall\NISUM.EXE
c:\windows\system32\scardsvr.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Windows Live\Mail\wlmail.exe
x:\software downloads\Essential\tclocklight-040702-3\tclock.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-27 11:06:54 - machine was rebooted [electrochemic°]
ComboFix-quarantined-files.txt 2008-12-27 16:06:51

Pre-Run: 51,468,574,720 bytes free
Post-Run: 51,480,383,488 bytes free

298 --- E O F --- 2008-12-09 12:08:16

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:39 AM, on 12/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SOYO\HW Monitor\ITESmart.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\TrayMin\traymin.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\OSDEx\OSDEx.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
X:\Software Downloads\Essential\tclocklight-040702-3\tclock.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
X:\TorrentialRain\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SmartGuardian] C:\Program Files\SOYO\HW Monitor\ITESmart.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pinnacle Game Profiler] "C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe" -atboottime
O4 - S-1-5-18 Startup: Dialog Box Assistant.lnk = C:\Program Files\OSDEx\OSDEx.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: E-mail.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: Shortcut to tclock.lnk = X:\Software Downloads\Essential\tclocklight-040702-3\tclock.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Dialog Box Assistant.lnk = C:\Program Files\OSDEx\OSDEx.exe (User 'Default user')
O4 - .DEFAULT Startup: E-mail.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: Shortcut to tclock.lnk = X:\Software Downloads\Essential\tclocklight-040702-3\tclock.exe (User 'Default user')
O4 - Startup: Dialog Box Assistant.lnk = C:\Program Files\OSDEx\OSDEx.exe
O4 - Startup: E-mail.lnk = ?
O4 - Startup: Shortcut to tclock.lnk = X:\Software Downloads\Essential\tclocklight-040702-3\tclock.exe
O4 - Global Startup: Pidgin.lnk = C:\Program Files\Pidgin\pidgin.exe
O4 - Global Startup: TrayMin.lnk = C:\Program Files\TrayMin\traymin.exe
O4 - Global Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\electrochemic°\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\electrochemic°\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222471195500
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle_updater.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 7687 bytes

Blade81 · Dec 27, 2008

Ok. Thanks for the update on the status

Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Upload following files to http://www.virustotal.com and post back the results:
c:\windows\{D3FB4103-4A4A-4968-AA94-68E0D6F76E4C}.dat
c:\windows\system32\{8D0A2401-5F60-430C-B7E3-558C05FB2A7A}.dat

Open notepad and copy/paste the text in the quotebox below into it:

Code:

Driver::
twxeowsc

File::
c:\windows\twxeowsc
c:\windows\system32\powamahe.dll
c:\windows\system32\zimilogo.dll
c:\windows\system32\gewapaba.dll
c:\windows\system32\drivers\ulfpbziy.sys
c:\windows\Tasks\crzapdtv.job

Folder::
c:\documents and settings\electrochemic°\Application Data\uTorrent
c:\program files\BitLord

DirLook::
C:\Archive

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"zepoyuyofe"=-

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.

Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.

eigerzoom · Dec 27, 2008

ok...first off...thanks again...

i think i still have some bugs in here
not sure if you will address them
i have a window security alert in the tray - i think its a spoof
and ie browser keeps reappearing on my desktop and setting itself to default
i use firefox...all ie browser activity is blocked via firewall
i lost administrator righs somewhere along the path of infection with virtumonde
the ATI Catalyst drivers will not install completely without administrative rights
not sure at this point if they have been reinstated...
i meant to mention this earlier

here are the logs
i was unable to navigate to the kaspersky website
i have had this problem in the past
so...sorry...that log is omitted

File _D3FB4103-4A4A-4968-AA94-68E0D6F7 received on 12.27.2008 22:58:00 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/39 (0%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
a-squared 4.0.0.73 2008.12.27 -
AhnLab-V3 2008.12.25.0 2008.12.27 -
AntiVir 7.9.0.45 2008.12.27 -
Authentium 5.1.0.4 2008.12.27 -
Avast 4.8.1281.0 2008.12.27 -
AVG 8.0.0.199 2008.12.26 -
BitDefender 7.2 2008.12.27 -
CAT-QuickHeal 10.00 2008.12.27 -
ClamAV 0.94.1 2008.12.27 -
Comodo 826 2008.12.27 -
DrWeb 4.44.0.09170 2008.12.27 -
eSafe 7.0.17.0 2008.12.24 -
eTrust-Vet 31.6.6276 2008.12.24 -
Ewido 4.0 2008.12.27 -
F-Prot 4.4.4.56 2008.12.26 -
F-Secure 8.0.14332.0 2008.12.27 -
Fortinet 3.117.0.0 2008.12.27 -
GData 19 2008.12.27 -
Ikarus T3.1.1.45.0 2008.12.27 -
K7AntiVirus 7.10.568 2008.12.27 -
Kaspersky 7.0.0.125 2008.12.27 -
McAfee 5476 2008.12.27 -
McAfee+Artemis 5476 2008.12.27 -
Microsoft 1.4205 2008.12.27 -
NOD32 3719 2008.12.27 -
Norman 5.80.02 2008.12.26 -
Panda 9.0.0.4 2008.12.27 -
PCTools 4.4.2.0 2008.12.27 -
Prevx1 V2 2008.12.27 -
Rising 21.09.52.00 2008.12.27 -
SecureWeb-Gateway 6.7.6 2008.12.27 -
Sophos 4.37.0 2008.12.27 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.27 -
TheHacker 6.3.1.4.200 2008.12.26 -
TrendMicro 8.700.0.1004 2008.12.26 -
VBA32 3.12.8.10 2008.12.27 -
ViRobot 2008.12.26.1536 2008.12.26 -
VirusBuster 4.5.11.0 2008.12.27 -
Additional information
File size: 32 bytes
MD5...: 607ddab19e90003e46dadb7c2a01a474
SHA1..: b85ef4f26556a18b6a5c72cb40d058493b50ab45
SHA256: f7d6523267c9c9580ddfb3c3d1dd5d63c408a5c89dfbd35b2f90e76273c3f9d1
SHA512: 9c5e1429382d48c151db253cf507eaeb85ffe4c37e56cb1e2ed6487a444fb51f
3523557acd09040e82bf876abc9c6875c5e9ee6be88c6e2a6b2d9a505c85e1d3
ssdeep: 3:0bPATPq0BHUUTPq0Bn:0bePq4FPq4n
PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -

File _8D0A2401-5F60-430C-B7E3-558C05FB received on 12.27.2008 23:01:16 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/39 (0%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 38 and 55 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
a-squared 4.0.0.73 2008.12.27 -
AhnLab-V3 2008.12.25.0 2008.12.27 -
AntiVir 7.9.0.45 2008.12.27 -
Authentium 5.1.0.4 2008.12.27 -
Avast 4.8.1281.0 2008.12.27 -
AVG 8.0.0.199 2008.12.26 -
BitDefender 7.2 2008.12.27 -
CAT-QuickHeal 10.00 2008.12.27 -
ClamAV 0.94.1 2008.12.27 -
Comodo 826 2008.12.27 -
DrWeb 4.44.0.09170 2008.12.27 -
eSafe 7.0.17.0 2008.12.24 -
eTrust-Vet 31.6.6276 2008.12.24 -
Ewido 4.0 2008.12.27 -
F-Prot 4.4.4.56 2008.12.24 -
F-Secure 8.0.14332.0 2008.12.27 -
Fortinet 3.117.0.0 2008.12.27 -
GData 19 2008.12.27 -
Ikarus T3.1.1.45.0 2008.12.27 -
K7AntiVirus 7.10.568 2008.12.27 -
Kaspersky 7.0.0.125 2008.12.27 -
McAfee 5476 2008.12.27 -
McAfee+Artemis 5476 2008.12.27 -
Microsoft 1.4205 2008.12.27 -
NOD32 3719 2008.12.27 -
Norman 5.80.02 2008.12.26 -
Panda 9.0.0.4 2008.12.27 -
PCTools 4.4.2.0 2008.12.27 -
Prevx1 V2 2008.12.27 -
Rising 21.09.52.00 2008.12.27 -
SecureWeb-Gateway 6.7.6 2008.12.27 -
Sophos 4.37.0 2008.12.27 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.27 -
TheHacker 6.3.1.4.200 2008.12.26 -
TrendMicro 8.700.0.1004 2008.12.26 -
VBA32 3.12.8.10 2008.12.27 -
ViRobot 2008.12.26.1536 2008.12.26 -
VirusBuster 4.5.11.0 2008.12.27 -
Additional information
File size: 32 bytes
MD5...: e9c1651cb61cda794aa6719088110b1e
SHA1..: d4a2b9775d8b69dccd2d1fae807537874f8381de
SHA256: 9b2194783074605f8544a5f6985a7a1791aab94c6072b27c8cb42f79c6e45053
SHA512: 5db06305974f4dc3ac82873bdf07f40f121dc200c5f78a4d9f87ded35c0cdf07
cd224810a526bb1d796d9b904dacba84badd49ca2007183c2904e0df8a3273ce
ssdeep: 3:VoM3dCZyR3dT:nUyRN
PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -

ComboFix 08-12-26.03 - electrochemic° 2008-12-27 17:09:26.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1612 [GMT -5:00]
Running from: c:\documents and settings\electrochemic°\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\electrochemic°\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\drivers\ulfpbziy.sys
c:\windows\system32\gewapaba.dll
c:\windows\system32\powamahe.dll
c:\windows\system32\zimilogo.dll
c:\windows\Tasks\crzapdtv.job
c:\windows\twxeowsc
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\electrochemic°\Application Data\uTorrent
c:\documents and settings\electrochemic°\Application Data\uTorrent\dht.dat
c:\documents and settings\electrochemic°\Application Data\uTorrent\dht.dat.old
c:\documents and settings\electrochemic°\Application Data\uTorrent\resume.dat
c:\documents and settings\electrochemic°\Application Data\uTorrent\resume.dat.old
c:\documents and settings\electrochemic°\Application Data\uTorrent\rss.dat
c:\documents and settings\electrochemic°\Application Data\uTorrent\rss.dat.old
c:\documents and settings\electrochemic°\Application Data\uTorrent\settings.dat
c:\documents and settings\electrochemic°\Application Data\uTorrent\settings.dat.old
c:\documents and settings\electrochemic°\Application Data\uTorrent\utorrent.lng
c:\program files\BitLord
c:\program files\BitLord\BitLord.exe
c:\program files\BitLord\BitLord.url
c:\program files\BitLord\BitLord.xml
c:\program files\BitLord\Downloads.xml
c:\program files\BitLord\lang\lang_ar_ae.xml
c:\program files\BitLord\lang\lang_bg_bg.xml
c:\program files\BitLord\lang\lang_ca_es.xml
c:\program files\BitLord\lang\lang_cz_cz.xml
c:\program files\BitLord\lang\lang_da_dk.xml
c:\program files\BitLord\lang\lang_de_de.xml
c:\program files\BitLord\lang\lang_el_gr.xml
c:\program files\BitLord\lang\lang_en_us.xml
c:\program files\BitLord\lang\lang_es_ar.xml
c:\program files\BitLord\lang\lang_es_es.xml
c:\program files\BitLord\lang\lang_et_ee.xml
c:\program files\BitLord\lang\lang_fi_fi.xml
c:\program files\BitLord\lang\lang_fr_fr.xml
c:\program files\BitLord\lang\lang_gl_es.xml
c:\program files\BitLord\lang\lang_he_il.xml
c:\program files\BitLord\lang\lang_hu_hu.xml
c:\program files\BitLord\lang\lang_it_it.xml
c:\program files\BitLord\lang\lang_jp_jp.xml
c:\program files\BitLord\lang\lang_ko_kr.xml
c:\program files\BitLord\lang\lang_nb_no.xml
c:\program files\BitLord\lang\lang_nl_nl.xml
c:\program files\BitLord\lang\lang_pl_pl.xml
c:\program files\BitLord\lang\lang_pt_br.xml
c:\program files\BitLord\lang\lang_pt_pt.xml
c:\program files\BitLord\lang\lang_ro_ro.xml
c:\program files\BitLord\lang\lang_ru_ru.xml
c:\program files\BitLord\lang\lang_sk_sk.xml
c:\program files\BitLord\lang\lang_sl_si.xml
c:\program files\BitLord\lang\lang_sr_sr.xml
c:\program files\BitLord\lang\lang_sv_se.xml
c:\program files\BitLord\lang\lang_th_th.xml
c:\program files\BitLord\lang\lang_tr_tr.xml
c:\program files\BitLord\lang\lang_va_es.xml
c:\program files\BitLord\lang\lang_zh_tw.xml
c:\program files\BitLord\License.txt
c:\program files\BitLord\rules\ipfilter.dat
c:\program files\BitLord\rules\tracker.dat
c:\program files\BitLord\Torrents\Chevelle Discography.torrent
c:\program files\BitLord\Torrents\Conjure One - Discography.torrent
c:\program files\BitLord\Torrents\Conjure One - Discography[0].torrent
c:\program files\BitLord\Torrents\Conjure One.torrent
c:\program files\BitLord\Torrents\Conjure One[0].torrent
c:\program files\BitLord\Torrents\Conjure One[1].torrent
c:\program files\BitLord\Torrents\Conjure One[2].torrent
c:\program files\BitLord\Torrents\DISCOGRAFIA GROOVE ARMADA.torrent
c:\program files\BitLord\Torrents\Groove Armada - Late Night Tales -2008 -HQ VBR.torrent
c:\program files\BitLord\Torrents\Groove Armada - Soundboy Rock - 2007 - [NUXX].torrent
c:\program files\BitLord\Torrents\Groove Armada - The Best Of [2004][CD+3Vids+Cov].torrent
c:\program files\BitLord\Torrents\Microsoft Streets and Trips 2009.rar.torrent
c:\program files\BitLord\Torrents\Pinnacle Game Profiler + Crack.torrent
c:\program files\BitLord\Torrents\The.House.Bunny[2008]DvDrip-aXXo.torrent
c:\program files\BitLord\Torrents\The.Ruins[2008][Unrated.Edition]DvDrip-aXXo.torrent
c:\program files\BitLord\Torrents\The.X.Files.I.Want.To.Believe.EXTENDED.DVDRip.XviD-OSiRiS.torrent
c:\program files\BitLord\Torrents\Three Days Grace - Discography.torrent
c:\program files\BitLord\Torrents\Tropic.Thunder[2008]DvDrip-aXXo.torrent
c:\program files\BitLord\Torrents\What.Happens.In.Vegas[2008]DvDrip-aXXo.torrent
c:\program files\BitLord\Torrents\Wild.Child[2008]DvDrip-aXXo.torrent
c:\program files\BitLord\uninst.exe
c:\windows\system32\powamahe.dll
c:\windows\system32\zimilogo.dll
c:\windows\Tasks\crzapdtv.job
c:\windows\twxeowsc

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TWXEOWSC
-------\Service_twxeowsc

((((((((((((((((((((((((( Files Created from 2008-11-27 to 2008-12-27 )))))))))))))))))))))))))))))))
.

2008-12-27 08:48 . 2008-12-27 08:48 <DIR> d-------- c:\program files\TrayMin
2008-12-27 08:47 . 1997-01-18 11:40 299,520 --a------ c:\windows\uninst.exe
2008-12-26 10:02 . 2008-12-26 10:03 1,407 --a------ c:\windows\ATICIM.INI
2008-12-26 09:59 . 2008-12-26 09:59 <DIR> d-------- C:\ATI
2008-12-25 22:56 . 2008-12-25 22:56 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Softland
2008-12-25 20:08 . 2008-12-27 14:20 <DIR> d-------- c:\program files\Fighter Ace Anniversary Edition
2008-12-25 15:27 . 2008-12-25 15:27 0 --a------ c:\windows\ativpsrm.bin
2008-12-25 15:18 . 2008-12-25 15:18 <DIR> d-------- c:\program files\Common Files\ATI Technologies
2008-12-25 15:16 . 2008-06-02 21:05 593,920 --a------ c:\windows\system32\ati2sgag.exe
2008-12-25 12:40 . 2008-12-26 10:12 <DIR> d-------- c:\program files\ATI Technologies
2008-12-22 06:47 . 2008-12-24 05:41 <DIR> d-------- c:\program files\Absolute Poker
2008-12-22 06:47 . 2008-12-22 06:47 <DIR> d-------- c:\program files\_uninstallation_info
2008-12-20 13:14 . 2008-12-20 13:14 153 --a------ c:\windows\wininit.ini
2008-12-20 12:06 . 2008-12-20 12:10 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-20 12:06 . 2008-12-20 14:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-19 10:59 . 2008-12-19 10:59 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-19 10:41 . 2008-12-19 10:41 <DIR> d-------- c:\windows\Sun
2008-12-19 10:26 . 2008-12-19 10:26 <DIR> d-------- c:\program files\Security Task Manager
2008-12-19 10:26 . 2008-12-23 15:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2008-12-19 06:09 . 2008-12-19 06:09 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Softland
2008-12-19 06:06 . 2008-12-19 06:06 <DIR> d-------- c:\program files\Softland
2008-12-19 06:06 . 2008-12-02 12:11 20,632 --a------ c:\windows\system32\dopdfmn6.dll
2008-12-19 06:06 . 2008-12-02 12:11 18,072 --a------ c:\windows\system32\dopdfmi6.dll
2008-12-19 06:06 . 2008-10-13 15:23 7,533 --a------ c:\windows\system32\dopdf6.ctm
2008-12-19 05:50 . 2008-12-19 05:50 325,120 --a------ c:\windows\system32\urqQigee.dll
2008-12-19 05:50 . 2008-12-19 05:50 25,088 --a------ c:\windows\system32\drivers\ulfpbziy.sys
2008-12-19 05:49 . 2008-12-19 05:49 <DIR> d-------- C:\Archive
2008-12-19 02:14 . 2008-12-19 02:16 43 --a------ c:\windows\gswin32.ini
2008-12-19 02:09 . 2008-12-19 02:41 <DIR> d-------- c:\documents and settings\All Users\FreePDF
2008-12-16 06:30 . 2008-12-16 06:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Syscan
2008-12-13 07:06 . 2008-12-13 07:06 <DIR> d-------- c:\program files\ratDVD
2008-12-09 15:42 . 2008-12-09 15:42 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-09 07:08 . 2008-12-09 07:08 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2008-12-08 20:45 . 2008-12-08 20:45 <DIR> d-------- c:\documents and settings\electrochemic°\Application Data\OpenOffice.org
2008-12-08 20:43 . 2008-12-08 20:43 <DIR> d-------- c:\program files\OpenOffice.org 3
2008-12-08 20:43 . 2008-12-08 20:43 <DIR> d-------- c:\program files\JRE
2008-12-08 20:43 . 2008-12-09 15:42 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-08 20:42 . 2008-12-09 15:42 <DIR> d-------- c:\program files\Java
2008-12-08 20:42 . 2008-12-08 20:42 <DIR> d-------- c:\program files\Common Files\Java
2008-12-06 23:03 . 2008-12-06 23:03 91,632 --a------ c:\windows\system32\dsofile.dll
2008-12-06 22:53 . 2008-12-06 22:53 <DIR> d-------- c:\documents and settings\electrochemic°\Application Data\KALiNKOsoft
2008-12-06 22:48 . 2008-12-06 22:48 <DIR> d-------- c:\program files\KALiNKOsoft
2008-12-06 20:19 . 2008-12-10 02:48 <DIR> d-------- c:\program files\Sauerbraten
2008-12-05 03:18 . 2008-12-05 03:18 <DIR> d-------- c:\program files\Yahoo!
2008-12-05 03:18 . 2008-12-05 03:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-05 03:14 . 2008-12-05 03:14 <DIR> d-------- c:\documents and settings\default
2008-12-04 21:21 . 2008-12-04 21:24 <DIR> d-------- c:\program files\Microsoft Streets & Trips 2009
2008-12-04 21:19 . 2008-12-04 21:19 <DIR> d-------- c:\program files\MSECache
2008-12-03 19:19 . 2008-12-03 19:19 <DIR> d-------- C:\97914e1baa146da91f977c89fc7be2d0
2008-12-03 19:18 . 2008-12-03 19:19 <DIR> d-------- C:\ecc3bbfb26245cd3fd5f96eb1e
2008-12-03 17:56 . 2008-12-03 17:56 <DIR> d-------- c:\documents and settings\electrochemic°\Application Data\j2 Global
2008-12-03 17:54 . 2008-12-03 17:54 <DIR> d-------- c:\documents and settings\electrochemic°\Application Data\j2 Messenger
2008-12-03 17:54 . 2008-12-03 17:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\j2 Messenger 4.4 Output
2008-12-03 17:54 . 2008-12-03 17:54 0 --a------ c:\windows\system32\jConnect_4_4_Port
2008-12-03 17:53 . 2008-12-03 17:54 <DIR> d-------- c:\program files\j2 Messenger 4.4
2008-12-03 02:08 . 2008-04-13 20:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-12-03 02:08 . 2008-04-13 14:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-03 02:08 . 2008-04-13 14:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-12-03 02:08 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-01 22:42 . 2008-12-01 22:42 <DIR> d-------- c:\program files\Pidgin
2008-12-01 16:02 . 2008-04-13 14:45 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2008-11-28 22:29 . 2008-11-28 22:57 <DIR> d-------- c:\windows\system32\Defaults
2008-11-28 22:29 . 2000-12-05 09:11 4,174,814 --a------ c:\windows\system32\CT4MGM.SF2
2008-11-28 22:17 . 2008-11-28 22:18 <DIR> d--h----- c:\program files\Creative Installation Information
2008-11-28 22:17 . 2008-11-28 22:17 <DIR> d-------- c:\program files\Common Files\Creative
2008-11-28 22:17 . 1999-12-13 01:01 44,032 --a------ c:\windows\system32\CTSVCCDA.EXE
2008-11-28 22:17 . 1999-11-18 01:00 25,088 --a------ c:\windows\system32\CTSVCCTL.EXE
2008-11-28 21:05 . 2008-12-11 04:43 <DIR> d-------- c:\program files\Bodog Poker
2008-11-28 01:20 . 2008-11-28 01:20 <DIR> d-------- c:\program files\Syscan
2008-11-27 23:09 . 2008-11-27 23:09 0 --a------ c:\windows\nsreg.dat
2008-11-27 23:04 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-11-27 23:04 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-11-27 23:03 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-27 23:03 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-27 23:03 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-27 23:03 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-27 23:03 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-27 23:03 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-27 23:03 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-11-27 23:02 . 2008-04-13 14:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-11-27 23:02 . 2008-04-13 14:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-27 22:13 --------- d-----w c:\documents and settings\electrochemic°\Application Data\.purple
2008-12-27 22:12 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-25 20:19 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-06 02:06 --------- d-----w c:\documents and settings\electrochemic°\Application Data\vlc
2008-12-02 03:41 --------- d-----w c:\program files\Common Files\GTK
2008-11-29 06:07 361,600 ----a-w c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2008-11-29 06:07 361,600 ----a-w c:\windows\system32\drivers\TCPIP.SYS
2008-11-29 03:20 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-11-29 03:17 --------- d-----w c:\program files\Creative
2008-11-28 06:26 --------- d-----w c:\program files\Common Files\Adobe
2008-11-28 06:20 --------- d-----w c:\program files\Common Files\InstallShield
2008-09-26 08:18 32 --sha-w c:\windows\{D3FB4103-4A4A-4968-AA94-68E0D6F76E4C}.dat
2008-09-26 08:18 32 --sha-w c:\windows\system32\{8D0A2401-5F60-430C-B7E3-558C05FB2A7A}.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Archive ----

((((((((((((((((((((((((((((( snapshot@2008-12-27_11.06.19.87 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-27 22:12:41 16,384 ----atw c:\windows\temp\Perflib_Perfdata_660.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-09-26 4608]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Pinnacle Game Profiler"="c:\program files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe" [2008-12-06 2535424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2002-09-21 54976]
"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-09-21 38592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-09 136600]
"SmartGuardian"="c:\program files\SOYO\HW Monitor\ITESmart.exe" [2002-05-24 163840]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]

c:\documents and settings\electrochemicø\Start Menu\Programs\Startup\
Dialog Box Assistant.lnk - c:\program files\OSDEx\OSDEx.exe [2002-07-13 176128]

c:\documents and settings\electrochemicø\Start Menu\Programs\Startup\
Dialog Box Assistant.lnk - c:\program files\OSDEx\OSDEx.exe [2002-07-13 176128]

c:\documents and settings\electrochemicø\Start Menu\Programs\Startup\
Dialog Box Assistant.lnk - c:\program files\OSDEx\OSDEx.exe [2002-07-13 176128]

c:\docume~1\ALLUSE~1\Start Menu\Programs\Startup\
Pidgin.lnk - c:\program files\Pidgin\pidgin.exe [2008-10-19 45603]
TrayMin.lnk - c:\program files\TrayMin\traymin.exe [2008-12-27 45056]
WordWeb Pro.lnk - c:\program files\WordWeb\wweb32.exe [2008-09-26 19968]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-26 16:37 133104 c:\documents and settings\electrochemic°\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j2 4.4]
--a------ 2008-10-07 16:53 95744 c:\program files\j2 Messenger 4.4\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
--a------ 2003-03-11 15:24 86016 c:\program files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSnD]
-rahs---- 2008-07-07 09:42 4891472 c:\program files\Spybot - Search & Destroy\SpybotSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RegistryMechanic"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"x:\\Software Downloads\\Data.Integrity\\utorrent.exe"=

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\DRIVERS\SI3112r.sys [2007-08-29 116264]
R2 ccPxySvc;Symantec Proxy Service;"c:\program files\Norton Personal Firewall\ccPxySvc.exe" [2002-09-21 34496]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-12-25 93696]
R3 ctgame;Game Port;c:\windows\system32\DRIVERS\ctgame.sys [2002-12-30 18840]
R3 iteio;iteio;\??\c:\windows\system32\drivers\iteio.sys [2008-09-25 3680]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2008-06-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2008-06-27 555032]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2008-06-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2008-06-27 566296]
S3 itsernum;itsernum Filter ÅX°Êµ{¦¡;c:\windows\system32\DRIVERS\itsernum.sys [2008-09-25 20133]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys [2008-09-27 112384]
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\electrochemic []

2008-09-26 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 08:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local

c:\windows\Downloaded Program Files\CTSUEng.ocx - c:\windows\Downloaded Program Files\CTSUEngn.ocx
O16 -: {6C269571-C6D7-4818-BCA4-32A035E8C884}
hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
c:\windows\Downloaded Program Files\CTSUEng.inf
FF - ProfilePath - c:\documents and settings\electrochemic°\Application Data\Mozilla\Firefox\Profiles\i7eprqrr.default\
FF - prefs.js: browser.search.selectedEngine - IMDB
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\electrochemic°\Application Data\Mozilla\Firefox\Profiles\i7eprqrr.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-27 17:12:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Norton Personal Firewall\NISUM.EXE
c:\windows\system32\scardsvr.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Windows Live\Mail\wlmail.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
x:\software downloads\Essential\tclocklight-040702-3\tclock.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-27 17:14:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-27 22:14:45
ComboFix2.txt 2008-12-27 16:06:55

Pre-Run: 51,465,011,200 bytes free
Post-Run: 51,408,609,280 bytes free

322 --- E O F --- 2008-12-09 12:08:16

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:38:27 PM, on 12/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SOYO\HW Monitor\ITESmart.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\TrayMin\traymin.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\OSDEx\OSDEx.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
X:\Software Downloads\Essential\tclocklight-040702-3\tclock.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
X:\TorrentialRain\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SmartGuardian] C:\Program Files\SOYO\HW Monitor\ITESmart.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pinnacle Game Profiler] "C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe" -atboottime
O4 - S-1-5-18 Startup: Dialog Box Assistant.lnk = C:\Program Files\OSDEx\OSDEx.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: E-mail.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: Shortcut to tclock.lnk = X:\Software Downloads\Essential\tclocklight-040702-3\tclock.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Dialog Box Assistant.lnk = C:\Program Files\OSDEx\OSDEx.exe (User 'Default user')
O4 - .DEFAULT Startup: E-mail.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: Shortcut to tclock.lnk = X:\Software Downloads\Essential\tclocklight-040702-3\tclock.exe (User 'Default user')
O4 - Startup: Dialog Box Assistant.lnk = C:\Program Files\OSDEx\OSDEx.exe
O4 - Startup: E-mail.lnk = ?
O4 - Startup: Shortcut to tclock.lnk = X:\Software Downloads\Essential\tclocklight-040702-3\tclock.exe
O4 - Global Startup: Pidgin.lnk = C:\Program Files\Pidgin\pidgin.exe
O4 - Global Startup: TrayMin.lnk = C:\Program Files\TrayMin\traymin.exe
O4 - Global Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\electrochemic°\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\electrochemic°\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222471195500
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle_updater.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 7745 bytes

Blade81 · Dec 28, 2008

Hi again,

Please check is C:\Archive folder really empty? If not, could you describe some items there?

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
c:\windows\system32\urqQigee.dll
c:\windows\system32\drivers\ulfpbziy.sys

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file, a fresh hjt log & above mentioned ComboFix resultant log in your next reply.

eigerzoom · Dec 28, 2008

Good morning from the east coast usa
thanks again for your help
i was actually doing a spybot scan when you replied
i have included the results because it found two entries for virtumonde.generic
i DID NOT remove or fix using spybot...i will only do as or when you instruct.
thank you again

C:/Archive is empty

----- SPYBOT RESULTS BELOW -----

Hint of the Day: Click the bar at the right of this to see more information! ()

Virtumonde.generic: [SBI $6C003E72] User settings (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde.generic: [SBI $6C003E72] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Common Dialogs: History (82 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINDOWS\SchedLgU.Txt

Log: Activity: imsins.log (Backup file, nothing done)
C:\WINDOWS\imsins.log

Log: Activity: OEWABLog.txt (Backup file, nothing done)
C:\WINDOWS\OEWABLog.txt

Log: Activity: ntbtlog.txt (Backup file, nothing done)
C:\WINDOWS\ntbtlog.txt

Log: Install: comsetup.log (Backup file, nothing done)
C:\WINDOWS\comsetup.log

Log: Install: Directx.log (Backup file, nothing done)
C:\WINDOWS\Directx.log

Log: Install: ocgen.log (Backup file, nothing done)
C:\WINDOWS\ocgen.log

Log: Install: setupact.log (Backup file, nothing done)
C:\WINDOWS\setupact.log

Log: Install: setupapi.log (Backup file, nothing done)
C:\WINDOWS\setupapi.log

Log: Install: setuplog.txt (Backup file, nothing done)
C:\WINDOWS\setuplog.txt

Log: Install: svcpack.log (Backup file, nothing done)
C:\WINDOWS\svcpack.log

Log: Install: wmsetup.log (Backup file, nothing done)
C:\WINDOWS\wmsetup.log

Log: Install: DtcInstall.log (Backup file, nothing done)
C:\WINDOWS\DtcInstall.log

Log: Shutdown: System32\wbem\logs\mofcomp.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\mofcomp.log

Log: Shutdown: System32\wbem\logs\setup.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\setup.log

Log: Shutdown: System32\wbem\logs\wbemcore.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemcore.log

Log: Shutdown: System32\wbem\logs\wbemess.lo_ (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.lo_

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: Shutdown: System32\wbem\logs\wmiadap.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiadap.log

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

Alcohol 120%: [SBI $33A21B15] Images history (8 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Alcohol Soft\Alcohol 120%\Images

Alcohol 120%: [SBI $B1D42532] Image location history (7 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Alcohol Soft\Alcohol 120%\Images\Location

Internet Explorer: [SBI $1E8157BE] Typed URL list (10 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\Internet Explorer\TypedURLs

Internet Explorer: [SBI $FF589D0C] Download directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\Internet Explorer\Download Directory

Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [SBI $D5C3373A] AutoComplete data (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\Internet Explorer\IntelliForms\SPW

MS Management Console: [SBI $ECD50EAD] Recent command list (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\Microsoft Management Console\Recent File List

MS Media Player: [SBI $E48560B4] Recent file list (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\MediaPlayer\Player\RecentFileList

MS Media Player: [SBI $8E65C0EE] Last opened playlist (Registry value, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\MediaPlayer\Preferences\LastPlaylist

MS Media Player: [SBI $1BDA487B] Last selected track index (Registry value, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\MediaPlayer\Preferences\LastPlaylistIndex

MS Media Player: [SBI $5C51E349] Client ID (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings\Client ID

MS Media Player: [SBI $5C51E349] Client ID (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\MediaPlayer\Player\Settings\Client ID

MS Media Player: [SBI $5C51E349] Client ID (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\MediaPlayer\Player\Settings\Client ID

MS Media Player: [SBI $5C51E349] Client ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\MediaPlayer\Player\Settings\Client ID

MS Media Player: [SBI $5C51E349] Client ID (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\MediaPlayer\Player\Settings\Client ID

MS Direct3D: [SBI $7FB7B83F] Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [SBI $C2A44980] Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS DirectDraw: [SBI $EB49D5AF] Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name

MS DirectInput: [SBI $9A063C91] Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\DirectInput\MostRecentApplication\Name

MS DirectInput: [SBI $7B184199] Most recent application ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\DirectInput\MostRecentApplication\Id

MS Paint: [SBI $07867C39] Recent file list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List

MS Regedit: [SBI $C3B62FC1] Recent open key (Registry change, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey

MS Search Assistant: [SBI $AE0C4647] Typed search terms history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\Search Assistant\ACMru

Paint Shop Pro 7: [SBI $9A5AA171] Recent file list (10 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\JASC\Paint Shop Pro 7\Recent File List

Paint Shop Pro 7: [SBI $FB631FBF] Recent GIF directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Jasc\Paint Shop Pro 7\ExportGIF\Directory

Paint Shop Pro 7: [SBI $2DC89A0E] Recent JPG directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Jasc\Paint Shop Pro 7\ExportJPG\Directory

Windows: [SBI $1E4E2003] Drivers installation paths (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources

Windows.OpenWith: [SBI $CDE7D0A6] Open with list - .ASX extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASX\OpenWithList

Windows.OpenWith: [SBI $F7204896] Open with list - .AVI extension (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AVI\OpenWithList

Windows.OpenWith: [SBI $691C1B44] Open with list - .BIN extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BIN\OpenWithList

Windows.OpenWith: [SBI $A1C94E79] Open with list - .BMP extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BMP\OpenWithList

Windows.OpenWith: [SBI $9E8D5C8A] Open with list - .CDA extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CDA\OpenWithList

Windows.OpenWith: [SBI $99432203] Open with list - .CFG extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CFG\OpenWithList

Windows.OpenWith: [SBI $F34FE1D0] Open with list - .CUE extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CUE\OpenWithList

Windows Explorer: [SBI $A2C7B3CD] Recent wallpaper list (501 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU

Windows Explorer: [SBI $7308A845] Run history (8 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Windows Explorer: [SBI $AA0766B5] Stream history (11 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Windows Explorer: [SBI $2026AFB6] User Assistant history IE (15 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: [SBI $6107D172] User Assistant history files (251 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: [SBI $B7EBA926] Last visited history (21 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\UniqueID

Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\Windows Media\WMSDK\General\UniqueID

Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\UniqueID

Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

WinRAR: [SBI $0B56E92B] Recent file list (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\WinRAR\ArcHistory

WinRAR: [SBI $B84F9965] Last used directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\WinRAR\General\LastFolder

WinRAR: [SBI $B510882E] Extraction directory history (6 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-220523388-1547161642-725345543-1004\Software\WinRAR\DialogEditHistory\ExtrPath

Cookie: [SBI $49804B54] Cookie (4) (Cookie, nothing done)

Cache: [SBI $49804B54] Cache (74) (Cache, nothing done)

History: [SBI $49804B54] History (37) (History, nothing done)

Cookie: [SBI $49804B54] Cookie (712) (Cookie, nothing done)

--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-09-16 TeaTimer.exe (1.6.3.25)
2008-12-20 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-10-22 Tools.dll (2.1.6.8)
2008-11-04 Includes\Adware.sbi (*)
2008-12-09 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-09-02 Includes\Dialer.sbi (*)
2008-09-09 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-11-18 Includes\Hijackers.sbi (*)
2008-12-16 Includes\HijackersC.sbi (*)
2008-12-09 Includes\Keyloggers.sbi (*)
2008-12-16 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-11-18 Includes\Malware.sbi (*)
2008-12-16 Includes\MalwareC.sbi (*)
2008-12-16 Includes\PUPS.sbi (*)
2008-12-16 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-12-16 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-12-10 Includes\Spyware.sbi (*)
2008-12-10 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti (*)
2008-11-04 Includes\Trojans.sbi (*)
2008-12-16 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

----- END OF SPYBOT FILE -----

ComboFix 08-12-26.03 - electrochemic° 2008-12-28 8:21:53.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1611 [GMT -5:00]
Running from: c:\documents and settings\electrochemic°\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\electrochemic°\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\drivers\ulfpbziy.sys
c:\windows\system32\urqQigee.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ulfpbziy.sys
c:\windows\system32\urqQigee.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-28 )))))))))))))))))))))))))))))))
.

2008-12-27 17:48 . 2008-12-28 07:22 <DIR> d-------- c:\documents and settings\electrochemic°\Application Data\uTorrent
2008-12-27 08:48 . 2008-12-27 08:48 <DIR> d-------- c:\program files\TrayMin
2008-12-27 08:47 . 1997-01-18 11:40 299,520 --a------ c:\windows\uninst.exe
2008-12-26 10:02 . 2008-12-26 10:03 1,407 --a------ c:\windows\ATICIM.INI
2008-12-26 09:59 . 2008-12-26 09:59 <DIR> d-------- C:\ATI
2008-12-25 22:56 . 2008-12-25 22:56 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Softland
2008-12-25 20:08 . 2008-12-27 14:20 <DIR> d-------- c:\program files\Fighter Ace Anniversary Edition
2008-12-25 15:27 . 2008-12-25 15:27 0 --a------ c:\windows\ativpsrm.bin
2008-12-25 15:18 . 2008-12-25 15:18 <DIR> d-------- c:\program files\Common Files\ATI Technologies
2008-12-25 15:16 . 2008-06-02 21:05 593,920 --a------ c:\windows\system32\ati2sgag.exe
2008-12-25 12:40 . 2008-12-26 10:12 <DIR> d-------- c:\program files\ATI Technologies
2008-12-22 06:47 . 2008-12-28 08:05 <DIR> d-------- c:\program files\Absolute Poker
2008-12-22 06:47 . 2008-12-22 06:47 <DIR> d-------- c:\program files\_uninstallation_info
2008-12-20 13:14 . 2008-12-20 13:14 153 --a------ c:\windows\wininit.ini
2008-12-20 12:06 . 2008-12-20 12:10 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-20 12:06 . 2008-12-20 14:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-19 10:59 . 2008-12-19 10:59 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-19 10:41 . 2008-12-19 10:41 <DIR> d-------- c:\windows\Sun
2008-12-19 10:26 . 2008-12-19 10:26 <DIR> d-------- c:\program files\Security Task Manager
2008-12-19 10:26 . 2008-12-23 15:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2008-12-19 06:09 . 2008-12-19 06:09 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Softland
2008-12-19 06:06 . 2008-12-19 06:06 <DIR> d-------- c:\program files\Softland
2008-12-19 06:06 . 2008-12-02 12:11 20,632 --a------ c:\windows\system32\dopdfmn6.dll
2008-12-19 06:06 . 2008-12-02 12:11 18,072 --a------ c:\windows\system32\dopdfmi6.dll
2008-12-19 06:06 . 2008-10-13 15:23 7,533 --a------ c:\windows\system32\dopdf6.ctm
2008-12-19 05:49 . 2008-12-19 05:49 <DIR> d-------- C:\Archive
2008-12-19 02:14 . 2008-12-19 02:16 43 --a------ c:\windows\gswin32.ini
2008-12-16 06:30 . 2008-12-16 06:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Syscan
2008-12-13 07:06 . 2008-12-13 07:06 <DIR> d-------- c:\program files\ratDVD
2008-12-09 15:42 . 2008-12-09 15:42 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-09 07:08 . 2008-12-09 07:08 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2008-12-08 20:45 . 2008-12-08 20:45 <DIR> d-------- c:\documents and settings\electrochemic°\Application Data\OpenOffice.org
2008-12-08 20:43 . 2008-12-08 20:43 <DIR> d-------- c:\program files\OpenOffice.org 3
2008-12-08 20:43 . 2008-12-08 20:43 <DIR> d-------- c:\program files\JRE
2008-12-08 20:43 . 2008-12-09 15:42 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-08 20:42 . 2008-12-09 15:42 <DIR> d-------- c:\program files\Java
2008-12-08 20:42 . 2008-12-08 20:42 <DIR> d-------- c:\program files\Common Files\Java
2008-12-06 23:03 . 2008-12-06 23:03 91,632 --a------ c:\windows\system32\dsofile.dll
2008-12-06 22:53 . 2008-12-06 22:53 <DIR> d-------- c:\documents and settings\electrochemic°\Application Data\KALiNKOsoft
2008-12-06 22:48 . 2008-12-06 22:48 <DIR> d-------- c:\program files\KALiNKOsoft
2008-12-06 20:19 . 2008-12-10 02:48 <DIR> d-------- c:\program files\Sauerbraten
2008-12-05 03:18 . 2008-12-05 03:18 <DIR> d-------- c:\program files\Yahoo!
2008-12-05 03:18 . 2008-12-05 03:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-05 03:14 . 2008-12-05 03:14 <DIR> d-------- c:\documents and settings\default
2008-12-04 21:21 . 2008-12-04 21:24 <DIR> d-------- c:\program files\Microsoft Streets & Trips 2009
2008-12-04 21:19 . 2008-12-04 21:19 <DIR> d-------- c:\program files\MSECache
2008-12-03 19:19 . 2008-12-03 19:19 <DIR> d-------- C:\97914e1baa146da91f977c89fc7be2d0
2008-12-03 19:18 . 2008-12-03 19:19 <DIR> d-------- C:\ecc3bbfb26245cd3fd5f96eb1e
2008-12-03 17:56 . 2008-12-03 17:56 <DIR> d-------- c:\documents and settings\electrochemic°\Application Data\j2 Global
2008-12-03 17:54 . 2008-12-03 17:54 <DIR> d-------- c:\documents and settings\electrochemic°\Application Data\j2 Messenger
2008-12-03 17:54 . 2008-12-03 17:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\j2 Messenger 4.4 Output
2008-12-03 17:54 . 2008-12-03 17:54 0 --a------ c:\windows\system32\jConnect_4_4_Port
2008-12-03 17:53 . 2008-12-03 17:54 <DIR> d-------- c:\program files\j2 Messenger 4.4
2008-12-03 02:08 . 2008-04-13 20:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-12-03 02:08 . 2008-04-13 14:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-03 02:08 . 2008-04-13 14:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-12-03 02:08 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-01 22:42 . 2008-12-01 22:42 <DIR> d-------- c:\program files\Pidgin
2008-12-01 16:02 . 2008-04-13 14:45 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2008-11-28 22:29 . 2008-11-28 22:57 <DIR> d-------- c:\windows\system32\Defaults
2008-11-28 22:29 . 2000-12-05 09:11 4,174,814 --a------ c:\windows\system32\CT4MGM.SF2
2008-11-28 22:17 . 2008-11-28 22:18 <DIR> d--h----- c:\program files\Creative Installation Information
2008-11-28 22:17 . 2008-11-28 22:17 <DIR> d-------- c:\program files\Common Files\Creative
2008-11-28 22:17 . 1999-12-13 01:01 44,032 --a------ c:\windows\system32\CTSVCCDA.EXE
2008-11-28 22:17 . 1999-11-18 01:00 25,088 --a------ c:\windows\system32\CTSVCCTL.EXE
2008-11-28 21:05 . 2008-12-11 04:43 <DIR> d-------- c:\program files\Bodog Poker
2008-11-28 01:20 . 2008-11-28 01:20 <DIR> d-------- c:\program files\Syscan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 13:19 --------- d-----w c:\documents and settings\electrochemic°\Application Data\.purple
2008-12-27 22:12 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-27 15:24 53,248 ----a-w c:\windows\system32\zlib.dll
2008-12-25 20:19 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-06 02:06 --------- d-----w c:\documents and settings\electrochemic°\Application Data\vlc
2008-12-02 03:41 --------- d-----w c:\program files\Common Files\GTK
2008-11-29 06:07 361,600 ----a-w c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2008-11-29 06:07 361,600 ----a-w c:\windows\system32\drivers\TCPIP.SYS
2008-11-29 03:20 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-11-29 03:17 --------- d-----w c:\program files\Creative
2008-11-28 06:26 --------- d-----w c:\program files\Common Files\Adobe
2008-11-28 06:20 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-09-26 08:18 32 --sha-w c:\windows\{D3FB4103-4A4A-4968-AA94-68E0D6F76E4C}.dat
2008-09-26 08:18 32 --sha-w c:\windows\system32\{8D0A2401-5F60-430C-B7E3-558C05FB2A7A}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-09-26 4608]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Pinnacle Game Profiler"="c:\program files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe" [2008-12-06 2535424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2002-09-21 54976]
"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-09-21 38592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-09 136600]
"SmartGuardian"="c:\program files\SOYO\HW Monitor\ITESmart.exe" [2002-05-24 163840]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]

c:\documents and settings\electrochemicø\Start Menu\Programs\Startup\
Dialog Box Assistant.lnk - c:\program files\OSDEx\OSDEx.exe [2002-07-13 176128]

c:\documents and settings\electrochemicø\Start Menu\Programs\Startup\
Dialog Box Assistant.lnk - c:\program files\OSDEx\OSDEx.exe [2002-07-13 176128]

c:\documents and settings\electrochemicø\Start Menu\Programs\Startup\
Dialog Box Assistant.lnk - c:\program files\OSDEx\OSDEx.exe [2002-07-13 176128]

c:\docume~1\ALLUSE~1\Start Menu\Programs\Startup\
Pidgin.lnk - c:\program files\Pidgin\pidgin.exe [2008-10-19 45603]
TrayMin.lnk - c:\program files\TrayMin\traymin.exe [2008-12-27 45056]
WordWeb Pro.lnk - c:\program files\WordWeb\wweb32.exe [2008-09-26 19968]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-26 16:37 133104 c:\documents and settings\electrochemic°\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j2 4.4]
--a------ 2008-10-07 16:53 95744 c:\program files\j2 Messenger 4.4\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
--a------ 2003-03-11 15:24 86016 c:\program files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSnD]
-rahs---- 2008-07-07 09:42 4891472 c:\program files\Spybot - Search & Destroy\SpybotSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RegistryMechanic"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"x:\\Software Downloads\\Data.Integrity\\utorrent.exe"=

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\DRIVERS\SI3112r.sys [2007-08-29 116264]
R2 ccPxySvc;Symantec Proxy Service;"c:\program files\Norton Personal Firewall\ccPxySvc.exe" [2002-09-21 34496]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-12-25 93696]
R3 ctgame;Game Port;c:\windows\system32\DRIVERS\ctgame.sys [2002-12-30 18840]
R3 iteio;iteio;\??\c:\windows\system32\drivers\iteio.sys [2008-09-25 3680]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2008-06-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2008-06-27 555032]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2008-06-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2008-06-27 566296]
S3 itsernum;itsernum Filter ÅX°Êµ{¦¡;c:\windows\system32\DRIVERS\itsernum.sys [2008-09-25 20133]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys [2008-09-27 112384]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-12-28 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\electrochemic []

2008-09-26 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 08:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local

c:\windows\Downloaded Program Files\CTSUEng.ocx - c:\windows\Downloaded Program Files\CTSUEngn.ocx
O16 -: {6C269571-C6D7-4818-BCA4-32A035E8C884}
hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
c:\windows\Downloaded Program Files\CTSUEng.inf
FF - ProfilePath - c:\documents and settings\electrochemic°\Application Data\Mozilla\Firefox\Profiles\i7eprqrr.default\
FF - prefs.js: browser.search.selectedEngine - IMDB
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\electrochemic°\Application Data\Mozilla\Firefox\Profiles\i7eprqrr.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 08:22:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-28 8:23:29
ComboFix-quarantined-files.txt 2008-12-28 13:23:25
ComboFix2.txt 2008-12-27 22:14:49
ComboFix3.txt 2008-12-27 16:06:55

Pre-Run: 51,523,424,256 bytes free
Post-Run: 51,509,407,744 bytes free

215 --- E O F --- 2008-12-09 12:08:16

Malwarebytes' Anti-Malware 1.31
Database version: 1550
Windows 5.1.2600 Service Pack 3

12/28/2008 10:02:00 AM
mbam-log-2008-12-28 (10-02-00).txt

Scan type: Full Scan (C:\|D:\|F:\|X:\|)
Objects scanned: 227401
Time elapsed: 1 hour(s), 30 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 55

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\SecTaskMan\eetbuk.dll.q_804F001_q (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecTaskMan\mqoiyyvv.dll.q_8041E01_q (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecTaskMan\xrppat.dll.q_804EE01_q (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\arpqzt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\duxohnvn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\dyhslt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fbeuoxev.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fccaWqqr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jjohsifj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\lcvwftkp.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\migdnhkj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ncdcwfsq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nuystygd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\okhwfgfl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\powamahe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\qvjfvb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\reibiu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vwgihh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wtyeqegc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wvUljHYr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\xxyyvvUl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yvjyoyhu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ulfpbziy.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP25\A0004336.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP27\A0004339.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP31\A0004499.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP40\A0004751.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP46\A0004813.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP46\A0004812.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP52\A0011415.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP52\A0011399.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP52\A0011400.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP52\A0011401.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP52\A0011403.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP52\A0011404.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP52\A0011408.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP52\A0011411.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP52\A0011412.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP52\A0011414.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP52\A0011417.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP52\A0011419.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP52\A0011420.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP52\A0011426.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP52\A0011427.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP52\A0011428.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP52\A0011429.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP52\A0011431.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP53\A0012452.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP54\A0012562.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
D:\Software Downloads\Data.Integrity\Max.Half.EvID4226Patch223d-en\EvID4226Patch.exe (Adware.Agent) -> Quarantined and deleted successfully.
D:\Software Downloads\Windows\Keygen, Serials, Cracks\Keygens\keygenerator_win_xp_pro.exe (Malware.Tool) -> Quarantined and deleted successfully.
D:\Software Downloads\Windows\Keygen, Serials, Cracks\Keygens\windows.xp.keygenerator.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
X:\Software Downloads\Windows\Keygen, Serials, Cracks\Keygens\keygenerator_win_xp_pro.exe (Malware.Tool) -> Quarantined and deleted successfully.
X:\Software Downloads\Windows\Keygen, Serials, Cracks\Keygens\windows.xp.keygenerator.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
X:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP30\A0004474.exe (Adware.Agent) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:12 AM, on 12/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SOYO\HW Monitor\ITESmart.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\TrayMin\traymin.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\OSDEx\OSDEx.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
X:\Software Downloads\Essential\tclocklight-040702-3\tclock.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
X:\TorrentialRain\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SmartGuardian] C:\Program Files\SOYO\HW Monitor\ITESmart.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pinnacle Game Profiler] "C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe" -atboottime
O4 - S-1-5-18 Startup: Dialog Box Assistant.lnk = C:\Program Files\OSDEx\OSDEx.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: E-mail.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: Shortcut to tclock.lnk = X:\Software Downloads\Essential\tclocklight-040702-3\tclock.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Dialog Box Assistant.lnk = C:\Program Files\OSDEx\OSDEx.exe (User 'Default user')
O4 - .DEFAULT Startup: E-mail.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: Shortcut to tclock.lnk = X:\Software Downloads\Essential\tclocklight-040702-3\tclock.exe (User 'Default user')
O4 - Startup: Dialog Box Assistant.lnk = C:\Program Files\OSDEx\OSDEx.exe
O4 - Startup: E-mail.lnk = ?
O4 - Startup: Shortcut to tclock.lnk = X:\Software Downloads\Essential\tclocklight-040702-3\tclock.exe
O4 - Global Startup: Pidgin.lnk = C:\Program Files\Pidgin\pidgin.exe
O4 - Global Startup: TrayMin.lnk = C:\Program Files\TrayMin\traymin.exe
O4 - Global Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\electrochemic°\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\electrochemic°\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222471195500
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle_updater.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 7641 bytes

Blade81 · Dec 28, 2008

Hi

Fix those two Spybot findings.

Are you now able to access Kaspersky web site?

We need to execute an OTMoveIt3 script

Please download OTMoveIt3 by OldTimer and save it to your desktop.
Double click theOTMoveIt3 icon on your desktop.

Paste the following code under the Paste Fix Here area. Do not include the word
Code
.

Code:

:Files
c:\documents and settings\electrochemic°\Application Data\uTorrent
C:\Archive
D:\Software Downloads\Windows\Keygen, Serials, Cracks
X:\Software Downloads\Windows\Keygen, Serials, Cracks

Push the large MoveIt button.
OTMI3 may ask to reboot the machine. Please do so if asked.
Copy/Paste the contents under the Results line here in your next reply with a fresh hjt log.
If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

eigerzoom · Dec 28, 2008

starting to think i should just install a fresh copy of windows

i'm getting an invalid tcp options attack from kaspersky.com ip address
this is a warning generated by norton personal firewall 2003
i cannot navigate to the website...it does not load at all...no 404...nothing

spybot is unable to fix virtumonde.generic because process is loaded in memory
tried running the scan from startup and still the same issue
however i do see a setting option to fix problems automatically
maybe that would help during a boot...?

honestly this is taking forever...over a week now...
windows takes a few hours tops with backing up pertinent data
any idea of the scope of my total problem and time frame....???
thank you again for your time

========== FILES ==========
c:\documents and settings\electrochemic°\Application Data\uTorrent moved successfully.
C:\Archive moved successfully.
D:\Software Downloads\Windows\Keygen, Serials, Cracks\Serials moved successfully.
D:\Software Downloads\Windows\Keygen, Serials, Cracks\Keygens\(app) windows xp KeyGens & Cracks & Appz\Text Files moved successfully.
D:\Software Downloads\Windows\Keygen, Serials, Cracks\Keygens\(app) windows xp KeyGens & Cracks & Appz moved successfully.
D:\Software Downloads\Windows\Keygen, Serials, Cracks\Keygens moved successfully.
D:\Software Downloads\Windows\Keygen, Serials, Cracks moved successfully.
X:\Software Downloads\Windows\Keygen, Serials, Cracks\Serials moved successfully.
X:\Software Downloads\Windows\Keygen, Serials, Cracks\Keygens\(app) windows xp KeyGens & Cracks & Appz\Text Files moved successfully.
X:\Software Downloads\Windows\Keygen, Serials, Cracks\Keygens\(app) windows xp KeyGens & Cracks & Appz moved successfully.
X:\Software Downloads\Windows\Keygen, Serials, Cracks\Keygens moved successfully.
X:\Software Downloads\Windows\Keygen, Serials, Cracks moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12282008_161710

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:53:38 PM, on 12/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SOYO\HW Monitor\ITESmart.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe
C:\Program Files\TrayMin\traymin.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\OSDEx\OSDEx.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
X:\Software Downloads\Essential\tclocklight-040702-3\tclock.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Pidgin\pidgin.exe
C:\WINDOWS\system32\NOTEPAD.EXE
X:\TorrentialRain\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SmartGuardian] C:\Program Files\SOYO\HW Monitor\ITESmart.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pinnacle Game Profiler] "C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe" -atboottime
O4 - S-1-5-18 Startup: Dialog Box Assistant.lnk = C:\Program Files\OSDEx\OSDEx.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: E-mail.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: Shortcut to tclock.lnk = X:\Software Downloads\Essential\tclocklight-040702-3\tclock.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Dialog Box Assistant.lnk = C:\Program Files\OSDEx\OSDEx.exe (User 'Default user')
O4 - .DEFAULT Startup: E-mail.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: Shortcut to tclock.lnk = X:\Software Downloads\Essential\tclocklight-040702-3\tclock.exe (User 'Default user')
O4 - Startup: Dialog Box Assistant.lnk = C:\Program Files\OSDEx\OSDEx.exe
O4 - Startup: E-mail.lnk = ?
O4 - Startup: Shortcut to tclock.lnk = X:\Software Downloads\Essential\tclocklight-040702-3\tclock.exe
O4 - Global Startup: Pidgin.lnk = C:\Program Files\Pidgin\pidgin.exe
O4 - Global Startup: TrayMin.lnk = C:\Program Files\TrayMin\traymin.exe
O4 - Global Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\electrochemic°\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\electrochemic°\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222471195500
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle_updater.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 7719 bytes

Blade81 · Dec 29, 2008

Hi

Some cases just takes more time than others. It's quite difficult to give any time estimations beforehand.

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file & a fresh hjt log in your next reply.

eigerzoom · Dec 30, 2008

Malwarebytes' Anti-Malware 1.31
Database version: 1550
Windows 5.1.2600 Service Pack 3

12/29/2008 11:55:48 PM
mbam-log-2008-12-29 (23-55-48).txt

Scan type: Full Scan (C:\|D:\|F:\|X:\|)
Objects scanned: 230050
Time elapsed: 1 hour(s), 33 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
D:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP54\A0012602.exe (Adware.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP54\A0012603.exe (Malware.Tool) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP54\A0012604.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
X:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP54\A0012605.exe (Malware.Tool) -> Quarantined and deleted successfully.
X:\System Volume Information\_restore{B607BB40-5BB9-4516-A3F9-17E8582A3A8E}\RP54\A0012606.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:22 AM, on 12/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SOYO\HW Monitor\ITESmart.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\TrayMin\traymin.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\OSDEx\OSDEx.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
X:\Software Downloads\Essential\tclocklight-040702-3\tclock.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
X:\TorrentialRain\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SmartGuardian] C:\Program Files\SOYO\HW Monitor\ITESmart.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pinnacle Game Profiler] "C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe" -atboottime
O4 - S-1-5-18 Startup: Dialog Box Assistant.lnk = C:\Program Files\OSDEx\OSDEx.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: E-mail.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: Shortcut to tclock.lnk = X:\Software Downloads\Essential\tclocklight-040702-3\tclock.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Dialog Box Assistant.lnk = C:\Program Files\OSDEx\OSDEx.exe (User 'Default user')
O4 - .DEFAULT Startup: E-mail.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: Shortcut to tclock.lnk = X:\Software Downloads\Essential\tclocklight-040702-3\tclock.exe (User 'Default user')
O4 - Startup: Dialog Box Assistant.lnk = C:\Program Files\OSDEx\OSDEx.exe
O4 - Startup: E-mail.lnk = ?
O4 - Startup: Shortcut to tclock.lnk = X:\Software Downloads\Essential\tclocklight-040702-3\tclock.exe
O4 - Global Startup: Pidgin.lnk = C:\Program Files\Pidgin\pidgin.exe
O4 - Global Startup: TrayMin.lnk = C:\Program Files\TrayMin\traymin.exe
O4 - Global Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\electrochemic°\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\electrochemic°\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222471195500
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle_updater.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 7763 bytes

Blade81 · Dec 30, 2008

Hi

Latest logs look ok. Does Spybot still detect something?

eigerzoom · Dec 31, 2008

virtumonde generic is still found by spybot
unable to remove or fix as its loaded in memory

Blade81 · Jan 1, 2009

Hi

Save text below as fix.reg on Notepad (save it as all files (*.*)) on the Desktop.

Code:

REGEDIT4

[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]

It should look like this ->

Doubleclick fix.reg, press Yes and ok.

Reboot and run Spybot scan again.

eigerzoom · Jan 1, 2009

still found and locked in memory

Virtumonde.generic: [SBI $6C003E72] User settings (Registry key, fixing failed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde.generic: [SBI $6C003E72] User settings (Registry key, fixing failed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Blade81 · Jan 1, 2009

Hi

Please create following fix.reg registry file (like you did before):

Code:

REGEDIT4

[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]

[-HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]

Then reboot into safe mode and run registry fix there.

Reboot back into normal mode and see if Spybot still finds those.

eigerzoom · Jan 1, 2009

i thought it worked at first...
visual theme turned on
but scan found it again

i'd like to say that i think i may still not be administrator of my machine
when logging in to safe mode i am given the choice of administrator or electrochemic°
only electrochemic° though when switching in normal mode
just mentioning it...

this is the new virtumond.generic results from spybot
look the same to me

Virtumonde.generic: [SBI $6C003E72] User settings (Registry key, fixing failed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Virtumonde.generic: [SBI $6C003E72] User settings (Registry key, fixing failed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

Blade81 · Jan 1, 2009

i'd like to say that i think i may still not be administrator of my machine
when logging in to safe mode i am given the choice of administrator or electrochemic°
only electrochemic° though when switching in normal mode
just mentioning it...

That's normal. administrator account appears only in safe mode.

I wonder if Norton or something brings those entries back there.

Generate an Uninstall List

* Open HijackThis
* Click on Open Misc Tools Section
* Click on Open Uninstall Manager
* Click on Save list
* Save it to your Desktop
* Post it on your next reply.

eigerzoom · Jan 1, 2009

again...thanks for all your help

Acrobat.com
Acrobat.com
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Adobe SVG Viewer 3.0
Aspell English Dictionary-0.50-2
ATI - Software Uninstall Utility
ATI AVIVO Codecs
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
BitLord 1.1
Bodog Poker Version 2.16.2.3
Casper XP
Catalyst Control Center - Branding
Catalyst Control Center - Branding
Creative MediaSource 5
Dialog Box Assistant 1.1
doPDF 6.1 printer
Driver Sweeper 1.5.5
Fighter Ace Anniversary Edition
GNU Aspell 0.50-3
Google Gears
GTK+ Runtime 2.12.12 rev a (remove only)
HighPoint ATA RAID Management Software
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet
ITE Smart Accessories
Java(TM) 6 Update 11
Java(TM) 6 Update 7
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft English TTS Engine
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Access database engine 2007 (English)
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Streets & Trips 2009
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Motorola Driver Installation
Mozilla Firefox (3.0.5)
Norton Personal Firewall
OnDemand5
OpenOffice.org 3.0
Paint Shop Pro 7
Pidgin
Pinnacle Game Profiler
ratDVD 0.78.1444
Registry Mechanic 7.0
SAPI Wrapper
SATARaid
Sauerbraten
Security Task Manager 1.7d
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Skype™ Beta 4.0
SOYO HW Monitor
Spybot - Search & Destroy
TravelScan 464
TrayMin
Tremulous 1.1.0
TTS Wrapper
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VLC media player 0.9.2
Windows Imaging Component
Windows Internet Explorer 7
Windows Live installer
Windows Live Mail
Windows Live Photo Gallery
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR
WordWeb Pro
Yahoo! Messenger

Blade81 · Jan 1, 2009

Hi

Uninstall vulnerable Java(TM) 6 Update 7 version. Remove also BitLord 1.1.

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
c:\windows\{D3FB4103-4A4A-4968-AA94-68E0D6F76E4C}.dat
c:\windows\system32\{8D0A2401-5F60-430C-B7E3-558C05FB2A7A}.dat

Registry::
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]

[-HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log. Reboot. Does Spybot still find the entries?

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

virtumonde strikes again

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus