Virtumonde virus

[gjnalder]

Hello again, scan done and report attached! complicated business heh!

ComboFix 10-02-27.04 - Owner 02/03/2010 16:59:14.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2046.1440 [GMT 9.5:30]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\cfscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\101aasg\Arcade\3D Pickman\RegTest.exe"
"c:\101cbg\Card\Card Game 1001\Card Game 1001.exe"
"c:\documents and settings\Owner\My Documents\Incomplete\Preview-T-3303539-Righteous Brothers - Youll never walk alone.mp3"
"c:\documents and settings\Owner\My Documents\Incomplete\Preview-T-4614913-fallen hard.wma"
"c:\documents and settings\Owner\My Documents\Incomplete\Preview-T-5873259-songs for longing.au"
"c:\documents and settings\Owner\My Documents\Incomplete\T-5873259-songs for longing.au"
"c:\documents and settings\Owner\My Documents\My Documents\Incomplete\Preview-T-3303539-Righteous Brothers - Youll never walk alone.mp3"
"c:\documents and settings\Owner\My Documents\My Documents\My Music\dagda.mp3"
"c:\documents and settings\Owner\My Documents\My Documents\My Music\gary bennett MTV.mp3"
"c:\documents and settings\Owner\My Documents\My Documents\My Music\once in red moon (best quality).mp3"
"c:\documents and settings\Owner\My Documents\My Documents\My Music\serenade to spring secret [cd rip].mp3"
"c:\documents and settings\Owner\My Documents\My Documents\My Music\serenade to spring.mp3"
"c:\documents and settings\Owner\My Documents\My Documents\My Music\windancer secret garden - greatest hits.mp3"
"c:\documents and settings\Owner\My Documents\My Music\dagda.mp3"
"c:\documents and settings\Owner\My Documents\My Music\fallen hard.wma"
"c:\documents and settings\Owner\My Documents\My Music\gary bennett MTV.mp3"
"c:\documents and settings\Owner\My Documents\My Music\once in red moon (best quality).mp3"
"c:\documents and settings\Owner\My Documents\My Music\serenade to spring secret [cd rip].mp3"
"c:\documents and settings\Owner\My Documents\My Music\serenade to spring.mp3"
"c:\documents and settings\Owner\My Documents\My Music\songs for longing.wma"
"c:\documents and settings\Owner\My Documents\My Music\windancer secret garden - gre"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\101aasg\Arcade\3D Pickman\RegTest.exe
c:\101cbg\Card\Card Game 1001\Card Game 1001.exe
c:\documents and settings\Owner\My Documents\Incomplete\Preview-T-3303539-Righteous Brothers - Youll never walk alone.mp3
c:\documents and settings\Owner\My Documents\Incomplete\Preview-T-4614913-fallen hard.wma
c:\documents and settings\Owner\My Documents\Incomplete\Preview-T-5873259-songs for longing.au
c:\documents and settings\Owner\My Documents\Incomplete\T-5873259-songs for longing.au
c:\documents and settings\Owner\My Documents\My Documents\Incomplete\Preview-T-3303539-Righteous Brothers - Youll never walk alone.mp3
c:\documents and settings\Owner\My Documents\My Documents\My Music\dagda.mp3
c:\documents and settings\Owner\My Documents\My Documents\My Music\gary bennett MTV.mp3
c:\documents and settings\Owner\My Documents\My Documents\My Music\once in red moon (best quality).mp3
c:\documents and settings\Owner\My Documents\My Documents\My Music\serenade to spring secret [cd rip].mp3
c:\documents and settings\Owner\My Documents\My Documents\My Music\serenade to spring.mp3
c:\documents and settings\Owner\My Documents\My Documents\My Music\windancer secret garden - greatest hits.mp3
c:\documents and settings\Owner\My Documents\My Music\dagda.mp3
c:\documents and settings\Owner\My Documents\My Music\fallen hard.wma
c:\documents and settings\Owner\My Documents\My Music\gary bennett MTV.mp3
c:\documents and settings\Owner\My Documents\My Music\once in red moon (best quality).mp3
c:\documents and settings\Owner\My Documents\My Music\serenade to spring secret [cd rip].mp3
c:\documents and settings\Owner\My Documents\My Music\serenade to spring.mp3
c:\documents and settings\Owner\My Documents\My Music\songs for longing.wma

.
((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))
.

2010-03-02 07:17 . 2010-03-02 07:17 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-03-01 08:08 . 2010-03-01 08:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-03-01 08:08 . 2010-01-07 06:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-01 08:08 . 2010-03-01 08:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-01 08:08 . 2010-01-07 06:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-01 08:08 . 2010-03-01 08:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-01 07:53 . 2010-03-01 07:53 -------- d-----w- c:\program files\Common Files\Java
2010-03-01 07:53 . 2010-03-01 07:53 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4751202f-n\msvcp71.dll
2010-03-01 07:53 . 2010-03-01 07:53 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4751202f-n\jmc.dll
2010-03-01 07:53 . 2010-03-01 07:53 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4751202f-n\msvcr71.dll
2010-03-01 07:53 . 2010-03-01 07:53 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7483c383-n\decora-sse.dll
2010-03-01 07:53 . 2010-03-01 07:53 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7483c383-n\decora-d3d.dll
2010-02-25 06:06 . 2010-02-25 06:07 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2010-02-20 07:03 . 2010-02-20 07:03 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-20 07:03 . 2010-02-20 07:03 -------- d-----w- c:\program files\TrendMicro
2010-02-20 07:01 . 2010-02-20 07:01 -------- d-----w- c:\program files\ERUNT
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-19 08:23 . 2010-02-19 08:23 -------- d-----w- C:\VundoFix Backups
2010-02-08 07:57 . 2010-03-02 07:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-02 07:07 . 2009-02-17 07:14 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2010-03-01 08:00 . 2008-11-16 01:21 -------- d-----w- c:\program files\CCleaner
2010-03-01 07:53 . 2008-11-16 08:21 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-27 07:57 . 2010-01-14 00:30 301872 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-25 01:14 . 2008-11-21 09:45 -------- d-----w- c:\documents and settings\Owner\Application Data\ZoomBrowser EX
2010-02-23 08:03 . 2008-11-15 02:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-20 06:27 . 2010-01-09 08:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-17 07:38 . 2009-03-16 07:55 -------- d-----w- c:\documents and settings\Owner\Application Data\TuneUpMedia
2010-02-08 07:57 . 2008-11-16 02:12 -------- d-----w- c:\program files\Canon
2010-01-30 08:01 . 2008-11-16 01:17 -------- d-----w- c:\program files\Google
2010-01-23 08:08 . 2008-11-11 10:52 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-20 08:01 . 2010-01-20 07:59 23123 ----a-w- c:\windows\hpqins15.dat
2010-01-20 07:21 . 2008-12-07 08:04 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-09 08:47 . 2008-11-11 12:16 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-09 08:47 . 2008-11-11 12:16 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-09 08:47 . 2008-11-11 12:16 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-09 08:46 . 2008-11-11 12:16 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-09 08:45 . 2008-11-11 12:16 -------- d-----w- c:\program files\AVG
2010-01-02 13:33 . 2009-01-04 07:33 -------- d-----w- c:\program files\MpcStar
2010-01-02 13:32 . 2010-01-02 13:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-01 08:30 . 2009-08-27 08:01 -------- d-----w- c:\documents and settings\Owner\Application Data\HpUpdate
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-20 07:50 . 2008-11-11 10:45 172200 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-18 09:03 . 2009-12-17 09:05 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-12-18 09:03 . 2009-12-17 09:05 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-12-18 08:52 . 2009-12-17 09:05 88 --sh--r- c:\documents and settings\All Users\Application Data\B9BA940FD4.sys
2009-12-18 08:52 . 2009-12-17 09:05 88 --sh--r- c:\documents and settings\All Users\Application Data\B9BA940FD4.sys
2009-12-18 07:47 . 2009-12-18 07:44 77349 ----a-w- c:\windows\hpqins05.dat
2009-12-16 18:43 . 2008-11-11 10:36 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2004-08-04 12:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2004-08-04 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-04-27 09:04 . 2008-12-24 09:55 88 --sh--r- c:\windows\system32\B9BA940FD4.sys
2009-04-27 09:12 . 2008-12-24 09:55 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-02-25_07.10.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-02 07:34 . 2010-03-02 07:34 16384 c:\windows\temp\Perflib_Perfdata_544.dat
+ 2010-03-01 07:53 . 2010-03-01 07:53 153376 c:\windows\system32\javaws.exe
+ 2010-03-01 07:53 . 2010-03-01 07:53 145184 c:\windows\system32\javaw.exe
+ 2010-03-01 07:53 . 2010-03-01 07:53 145184 c:\windows\system32\java.exe
+ 2010-03-01 07:53 . 2010-03-01 07:53 180224 c:\windows\Installer\22191.msi
+ 2010-03-01 07:53 . 2010-03-01 07:53 577536 c:\windows\Installer\2218c.msi
+ 2010-03-02 00:46 . 2010-03-02 00:46 802304 c:\windows\Installer\1b19f0.msi
+ 2010-03-02 00:46 . 2010-03-02 00:46 295606 c:\windows\Installer\{AC76BA86-7AD7-5464-3428-900000000004}\ARPPRODUCTICON.exe
+ 2010-02-28 00:26 . 2010-02-28 00:26 393216 c:\windows\ERDNT\AutoBackup\28-02-2010\Users\00000002\UsrClass.dat
+ 2010-02-28 00:26 . 2005-10-20 02:32 163328 c:\windows\ERDNT\AutoBackup\28-02-2010\ERDNT.EXE
+ 2010-02-27 01:42 . 2010-02-27 01:42 393216 c:\windows\ERDNT\AutoBackup\27-02-2010\Users\00000002\UsrClass.dat
+ 2010-02-27 01:42 . 2005-10-20 02:32 163328 c:\windows\ERDNT\AutoBackup\27-02-2010\ERDNT.EXE
+ 2010-02-25 22:33 . 2010-02-25 22:33 393216 c:\windows\ERDNT\AutoBackup\26-02-2010\Users\00000002\UsrClass.dat
+ 2010-02-25 22:33 . 2005-10-20 02:32 163328 c:\windows\ERDNT\AutoBackup\26-02-2010\ERDNT.EXE
+ 2010-03-02 00:40 . 2010-03-02 00:40 393216 c:\windows\ERDNT\AutoBackup\2-03-2010\Users\00000002\UsrClass.dat
+ 2010-03-02 00:40 . 2005-10-20 02:32 163328 c:\windows\ERDNT\AutoBackup\2-03-2010\ERDNT.EXE
+ 2010-03-01 01:06 . 2010-03-01 01:06 393216 c:\windows\ERDNT\AutoBackup\1-03-2010\Users\00000002\UsrClass.dat
+ 2010-03-01 01:06 . 2005-10-20 02:32 163328 c:\windows\ERDNT\AutoBackup\1-03-2010\ERDNT.EXE
+ 2010-02-25 00:28 . 2010-02-25 00:28 5527040 c:\windows\Installer\1b19eb.msp
+ 2009-10-27 11:04 . 2009-10-27 11:04 5009408 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\authplay.dll
+ 2010-02-28 00:26 . 2010-02-28 00:26 10465280 c:\windows\ERDNT\AutoBackup\28-02-2010\Users\00000001\ntuser.dat
+ 2010-02-27 01:42 . 2010-02-27 01:42 10465280 c:\windows\ERDNT\AutoBackup\27-02-2010\Users\00000001\ntuser.dat
+ 2010-02-25 22:33 . 2010-02-25 22:33 10465280 c:\windows\ERDNT\AutoBackup\26-02-2010\Users\00000001\ntuser.dat
+ 2010-03-02 00:40 . 2010-03-02 00:40 10465280 c:\windows\ERDNT\AutoBackup\2-03-2010\Users\00000001\ntuser.dat
+ 2010-03-01 01:06 . 2010-03-01 01:06 10465280 c:\windows\ERDNT\AutoBackup\1-03-2010\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-16 39408]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2009-01-27 251264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-12 30192]
"QuickTime Task"="c:\program files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe" [2010-01-02 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-09 08:46 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Hiro-Media Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Hiro-Media Client.lnk
backup=c:\windows\pss\Hiro-Media Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PHOTOfunSTUDIO.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PHOTOfunSTUDIO.lnk
backup=c:\windows\pss\PHOTOfunSTUDIO.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABIT uGuruIII]
2006-03-23 02:11 417792 ----a-w- c:\program files\ABIT\uGuru\uGuru.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 06:27 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-21 16:27 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2008-04-17 04:44 98616 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJLaunchEXE]
2002-03-14 00:11 630784 ----a-w- c:\program files\Canon\BJCard\BJLaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2007-05-14 16:01 644696 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-14 11:47 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 01:24 150016 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 12:00 208952 ----a-w- c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-02-16 06:45 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-16 06:45 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-04-02 06:41 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-05 13:25 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
2005-03-10 03:31 28160 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2002-07-25 05:20 28672 ----a-w- c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-13 20:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 06:27 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-02-04 02:32 79400 ----a-w- c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-01-02 13:32 413696 ----a-w- c:\program files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 05:40 56928 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-05-04 07:59 16206848 ------r- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-04-24 07:20 1448960 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-24 23:33 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-01-21 02:47 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector v2]
2005-05-23 00:27 90112 ------w- c:\program files\Common Files\Ulead Systems\Autodetector\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WireLessMouse]
2005-11-30 03:18 94208 ----a-w- c:\program files\Office mouse driver\StartAutorun.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [11/11/2008 9:06 PM 14592]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/11/2008 9:46 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/11/2008 9:46 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [9/01/2010 6:15 PM 285392]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30/01/2010 5:31 PM 135664]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [19/12/2008 5:15 PM 30192]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\Owner\Desktop\SysProt\SysProtDrv.sys [25/02/2010 10:06 AM 44288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 08:01]

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 08:01]

2010-03-02 c:\windows\Tasks\User_Feed_Synchronization-{C615DD69-9C13-415F-9DAA-F1CD921C4510}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 19:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ninemsn.com.au/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Add animation to IncrediMail Style Box - c:\program files\IncrediMail\bin\resources\WebMenuImg.htm
IE: &Search - ?p=ZKxdm011YYAU
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Handler: hiro - {50BA1131-168F-4c08-A69B-4012273F222E} - c:\program files\Hiro-Media\HiroClient\OldHiroProtocolHandler.dll
Handler: hirodownload - {77F2FF4C-CEDD-4c71-8ABF-DF7CC05EFC63} - c:\program files\Hiro-Media\HiroClient\HiroProtocolHandler.dll
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-02 17:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4008)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\IncrediMail\bin\B4ImApp.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Canon\BJCard\Bjmcmng.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Protexis\License Service\PSIService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\program files\IncrediMail\bin\IMApp.exe
.
**************************************************************************
.
Completion time: 2010-03-02 17:10:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-02 07:40
ComboFix2.txt 2010-03-01 01:30
ComboFix3.txt 2010-02-25 07:11

Pre-Run: 98,919,239,680 bytes free
Post-Run: 98,903,093,248 bytes free

- - End Of File - - F7B6FC395B36D3F578C6C7B3A0E1AC48

 

[km2357]

It looks like ComboFix removed what we wanted it to remove.

How is your computer doing now, notice any problems while using it/browsing the web?

 

[gjnalder]

Ran Spybot and AVG and both of them found no bugs so looking good now.
Seems to running well, no hickups at the moment. Will monitor and let u know if anything goes amuck. Many thanks for ALL your help, you are a wizard. cheers Janine

 

[km2357]

Let's do this, use your computer as you normally would until this upcoming Friday. If there are no problems, go ahead and post back on Friday saying so and I'll give you my "All-Clean" post/speech.

If something does come up between now and Friday, post about that as well and we'll look into it.

 

[gjnalder]

No problems so far, so all good.

cheers
J:

 

[km2357]

That's good to hear.

Since there are no more problems, you are good to go.

You can delete the following off of your computer:

DDS.scr
The two DDS Logs
GMER.zip
GMER.exe
SysProt.zip
SysProt.exe
The SysProt Log


To remove ComboFix, do the following:

Go to Start > Run - type in ComboFix /Uninstall & click OK

Empty your Recycle Bin.


Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point

• Go to Start > All Programs > Accessories > System Tools > System Restore
• Select Create a restore point, and Ok it.
• Next, go to Start > Run and type in cleanmgr
• Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
• Select the More options tab
• Choose the option to clean up system restore and OK it.
• This will remove all restore points except the new one you just created.

.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.


Make your Internet Explorer more secure This can be done by following these simple instructions:

• From within Internet Explorer click on the Tools menu and then click on Options.
• Click once on the Security tab
• Click once on the Internet icon so it becomes highlighted.
• Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub frames across different domains to Prompt
• When all these settings have been made, click on the OK button.
• If it asks you if you want to save the settings, press the Yes button.
• Next press the Apply button and then the OK to exit the Internet Properties page.

Set correct settings for files that should be hidden in Windows XP

• Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
• Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
• If unchecked please checkHide protected operating system files (Recommended)
• If necessary check "Display content of system folders"
• If necessary Uncheck Hide file extensions for known file types.
• Click OK

• Use An Antivirus Software and Keep It Updated - It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
• Visit Microsoft's Update Site Frequently It is important that you visit Microsoft Updates regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
• Install SpywareBlaster SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
  Computer Safety on line Anti Malware
• Use the hosts file: Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download mvps hosts file Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
  • Click the start button on the task bar at the bottom of your screen
  • Click run
  • In the dialog box, type services.msc
  • hit enter, then locate dns client
  • Highlight it, then doubleclick it.
  • On the dropdown box, change the setting from automatic to manual.
  • Click ok..
• Use an alternative instant messenger program.Trillian and Miranda IM These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
• Please read Tony Klein's excellent article: How I got Infected in the First Place
• Please read Understanding Spyware, Browser Hijackers, and Dialers
• Please read Simple and easy ways to keep your computer safe and secure on the Internet
• If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox or
  Opera.
  If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
• Update all these programs regularly Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
• If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.

Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

If your computer is running slow, click here for instructions on how to help speed up your computer.

Good luck!

Please reply one last time so that I know you have read my post and this thread can be closed.

 

[gjnalder]

Farewell and many thanks again.
:thanks:

 

[km2357]

You're welcome. I'm glad I was able to help you out.

Good luck and safe surfing!