I have been having problems since 24th December and have removed a number of malware programs.
I noticed virtumonde.dll|cdn at the bottom of SpyBot S&D during a scan last evening.
I would like your feedback on the health and possible infection of my computer.
I ran ComboFix and HijackThis last evening and am posting those logs in addition to the information requested with a post on this forum.
1.)
DDS.txt
DDS (Ver_09-12-01.01) - NTFSx86
Run by basab at 12:31:06.66 on Thu 01/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1288 [GMT -8:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\vmnat.exe
C:\VMWare\Server\202\tomcat\bin\Tomcat6.exe
C:\VMWare\Server\202\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\VMWare\Server\202\vmware-hostd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programs\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Security\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Security\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Programs\emacs\223\bin\emacs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\basab\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\security\spybot~1\SDHelper.dll
BHO: DebugBar BHO: {69fc0024-10eb-480a-bbf2-3bf4e78e17b1} - c:\program files\core services\debugbar\DebugInfoBar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programs\java\jre\16013\bin\jp2ssv.dll
TB: DebugBar: {3e1201f4-1707-409f-bb45-a5f192381da0} - c:\program files\core services\debugbar\DebugToolBar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: DebugBar: {947e34e9-1d85-43cb-9cbf-5c492118fdd5} - c:\program files\core services\debugbar\DebugInfoBar.dll
EB: {A202B231-EF71-4A08-BDB9-4CE5AE8BDE0A} - No File
uRun: [SpybotSD TeaTimer] c:\security\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\security\superantispyware\SUPERAntiSpyware.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\security\spybot~1\SDHelper.dll
LSP: c:\vmware\server\202\vsocklib.dll
Trusted Zone: bmaulik-pc
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195595532498
DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\security\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\security\superantispyware\SASSEH.DLL
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\basab\applic~1\mozilla\firefox\profiles\xu0v4c7y.firefox 3 preview\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\programs\firefox\3rc2\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
============= SERVICES / DRIVERS ===============
R1 SASDIFSV;SASDIFSV;c:\security\superantispyware\sasdifsv.sys [2009-12-16 9968]
R1 SASKUTIL;SASKUTIL;c:\security\superantispyware\SASKUTIL.SYS [2009-12-16 74480]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2008-2-4 8576]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2009-10-20 54960]
R2 VMwareHostd;VMware Host Agent;c:\vmware\server\202\vmware-hostd.exe [2009-10-20 322096]
R2 VMwareServerWebAccess;VMware Server Web Access;c:\vmware\server\202\tomcat\bin\tomcat6.exe [2009-10-20 57344]
R3 SASENUM;SASENUM;c:\security\superantispyware\SASENUM.SYS [2009-12-16 7408]
S3 vmwriter;VMware VSS Writer;c:\vmware\server\202\vmVssWriter.exe [2009-10-20 29744]
S4 Apache2.2;Apache2.2;c:\programs\apache\22\bin\httpd.exe [2008-6-13 24635]
S4 Tomcat6;Apache Tomcat;c:\programs\tomcat\bin\tomcat6.exe [2007-7-19 57344]
UnknownUnknown ruuxhnq;ruuxhnq; [x]
=============== Created Last 30 ================
2010-01-07 11:19:18 0 d-sha-r- C:\cmdcons
2009-12-31 09:07:26 0 d-----w- c:\docume~1\basab\applic~1\Malwarebytes
2009-12-31 09:07:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-31 09:07:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-31 09:07:19 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 08:20:43 98816 ----a-w- c:\windows\sed.exe
2009-12-31 08:20:43 77312 ----a-w- c:\windows\MBR.exe
2009-12-31 08:20:43 261632 ----a-w- c:\windows\PEV.exe
2009-12-31 08:20:43 161792 ----a-w- c:\windows\SWREG.exe
2009-12-31 08:14:43 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-31 08:14:29 0 d-----w- c:\docume~1\basab\applic~1\SUPERAntiSpyware.com
2009-12-31 08:11:26 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-31 08:06:44 326192 ----a-w- c:\windows\system32\vmnetdhcp.exe
2009-12-31 08:06:42 399920 ----a-w- c:\windows\system32\vmnat.exe
2009-12-31 08:06:41 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2009-12-31 08:06:31 723504 ----a-w- c:\windows\system32\vnetlib.dll
2009-12-31 08:03:22 0 d-----w- c:\program files\VMware
2009-12-31 05:40:59 9216 ----a-w- c:\windows\system32\ffnd.exe
2009-12-26 13:14:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-12-26 12:56:26 0 d-----w- C:\Security
2009-12-26 01:33:22 0 d-----w- c:\docume~1\basab\applic~1\FreeFixer
2009-12-26 00:32:27 0 d-----w- c:\windows\pss
2009-12-20 07:44:10 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-12-20 07:14:20 539160 ----a-r- c:\windows\system32\LVUI2RC.dll
2009-12-20 07:14:19 539160 ----a-r- c:\windows\system32\LVUI2.dll
2009-12-20 07:14:19 416280 ----a-r- c:\windows\system32\lvcodec2.dll
2009-12-20 07:14:19 266828 ----a-r- c:\windows\system32\drivers\LVAFT.cfg
2009-12-20 07:14:18 6754712 ----a-r- c:\windows\system32\drivers\lvuvc.sys
2009-12-20 07:13:25 34068 ----a-r- c:\windows\system32\Repository.reg
2009-12-20 07:13:24 82289 ----a-r- c:\windows\system32\lvcoinst.ini
2009-12-20 07:13:24 265496 ----a-r- c:\windows\system32\drivers\lvrs.sys
2009-12-20 07:13:24 199192 ----a-r- c:\windows\system32\lvci1201278.dll
2009-12-20 07:13:23 114712 ----a-r- c:\windows\system32\drivers\lvpopflt.sys
2009-12-20 07:12:30 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-12-20 07:12:26 23832 ----a-r- c:\windows\system32\drivers\lvuvcflt.sys
2009-12-20 07:09:11 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2009-12-20 07:09:11 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2009-12-20 07:09:05 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
2009-12-20 07:09:05 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2009-12-20 07:09:02 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
2009-12-20 07:09:02 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2009-12-20 07:09:01 16384 -c--a-w- c:\windows\system32\dllcache\ipsink.ax
2009-12-20 07:09:01 16384 ----a-w- c:\windows\system32\ipsink.ax
2009-12-20 06:31:55 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-12-09 09:56:10 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
==================== Find3M ====================
2009-10-29 07:45:38 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 23:21:06 55856 ----a-w- c:\windows\system32\vnetinst.dll
2009-10-20 23:21:06 50736 ----a-w- c:\windows\system32\vmnetbridge.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2008-06-26 21:17:59 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008062620080627\index.dat
============= FINISH: 12:31:30.70 ===============
2.)
This is the log from running HijackThis.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:06:29 AM, on 1/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\vmnat.exe
C:\VMWare\Server\202\tomcat\bin\Tomcat6.exe
C:\VMWare\Server\202\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\VMWare\Server\202\vmware-hostd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programs\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Security\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Security\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Security\SPYBOT~1\SDHelper.dll
O2 - BHO: DebugBar BHO - {69FC0024-10EB-480A-BBF2-3BF4E78E17B1} - C:\Program Files\Core Services\DebugBar\DebugInfoBar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programs\Java\jre\16013\bin\jp2ssv.dll
O3 - Toolbar: DebugBar - {3E1201F4-1707-409F-BB45-A5F192381DA0} - C:\Program Files\Core Services\DebugBar\DebugToolBar.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Security\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Security\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Security\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Security\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\vmware\server\202\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\vmware\server\202\vsocklib.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195595532498
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574} (VMware Remote Console Plug-in 2.5.0.00000) -
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Security\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - C:\Programs\MySQL\5045\bin\mysqld-nt (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\VMWare\Server\202\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: VMware Host Agent (VMwareHostd) - Unknown owner - C:\VMWare\Server\202\vmware-hostd.exe
O23 - Service: VMware Server Web Access (VMwareServerWebAccess) - Apache Software Foundation - C:\VMWare\Server\202\tomcat\bin\Tomcat6.exe
O23 - Service: VMware VSS Writer (vmwriter) - VMware, Inc. - C:\VMWare\Server\202\vmVssWriter.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 6987 bytes
3.) ComboFix Log
ComboFix 10-01-04.01 - basab 01/07/2010 3:37.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1526 [GMT -8:00]
Running from: c:\security\ComboFix\ComboFix.exe
Command switches used :: c:\security\ComboFix\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\nvDrv.sy
c:\windows\system32\drivers\ruuxhnq.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ruuxhnq
-------\Service_ruuxhnq
((((((((((((((((((((((((( Files Created from 2009-12-07 to 2010-01-07 )))))))))))))))))))))))))))))))
.
2009-12-31 09:07 . 2009-12-31 09:07 -------- d-----w- c:\documents and settings\basab\Application Data\Malwarebytes
2009-12-31 09:07 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-31 09:07 . 2009-12-31 09:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-31 09:07 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 08:14 . 2009-12-31 08:14 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-31 08:14 . 2009-12-31 08:14 -------- d-----w- c:\documents and settings\basab\Application Data\SUPERAntiSpyware.com
2009-12-31 08:11 . 2009-12-31 08:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-31 08:06 . 2009-10-20 23:21 326192 ----a-w- c:\windows\system32\vmnetdhcp.exe
2009-12-31 08:06 . 2009-10-20 23:22 399920 ----a-w- c:\windows\system32\vmnat.exe
2009-12-31 08:06 . 2009-10-20 23:22 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2009-12-31 08:06 . 2009-10-20 23:21 723504 ----a-w- c:\windows\system32\vnetlib.dll
2009-12-31 08:03 . 2009-12-31 08:03 -------- d-----w- c:\program files\VMware
2009-12-31 05:40 . 2007-08-14 21:04 9216 ----a-w- c:\windows\system32\ffnd.exe
2009-12-26 13:14 . 2009-12-26 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-26 12:56 . 2009-12-31 09:03 -------- d-----w- C:\Security
2009-12-26 01:33 . 2009-12-26 07:28 -------- d-----w- c:\documents and settings\basab\Application Data\FreeFixer
2009-12-26 01:33 . 2009-12-26 01:33 -------- d-----w- c:\documents and settings\basab\Local Settings\Application Data\FreeFixer
2009-12-20 13:03 . 2009-12-20 13:03 -------- d-sh--w- c:\documents and settings\anu\IECompatCache
2009-12-20 07:58 . 2009-12-20 07:59 -------- d-----w- c:\documents and settings\anu\Local Settings\Application Data\Microsoft
2009-12-20 07:58 . 2007-11-25 07:34 -------- d-----w- c:\documents and settings\anu\Local Settings\Application Data\Microsoft Help
2009-12-20 07:58 . 2009-12-20 13:03 -------- d-----w- c:\documents and settings\anu
2009-12-20 07:15 . 2009-12-20 07:15 -------- d-----w- c:\documents and settings\basab\Local Settings\Application Data\LogiShrd
2009-12-20 07:14 . 2009-12-20 07:14 -------- d-----w- c:\documents and settings\basab\Application Data\Leadertech
2009-12-20 07:14 . 2009-04-30 23:02 539160 ----a-r- c:\windows\system32\LVUI2RC.dll
2009-12-20 07:14 . 2009-04-30 23:02 539160 ----a-r- c:\windows\system32\LVUI2.dll
2009-12-20 07:14 . 2009-04-30 22:57 416280 ----a-r- c:\windows\system32\lvcodec2.dll
2009-12-20 07:14 . 2009-04-30 23:03 6754712 ----a-r- c:\windows\system32\drivers\lvuvc.sys
2009-12-20 07:13 . 2009-04-30 22:39 34068 ----a-r- c:\windows\system32\Repository.reg
2009-12-20 07:13 . 2009-04-30 23:01 265496 ----a-r- c:\windows\system32\drivers\lvrs.sys
2009-12-20 07:13 . 2009-04-30 22:57 199192 ----a-r- c:\windows\system32\lvci1201278.dll
2009-12-20 07:13 . 2009-04-30 23:00 114712 ----a-r- c:\windows\system32\drivers\lvpopflt.sys
2009-12-20 07:12 . 2009-04-30 23:03 23832 ----a-r- c:\windows\system32\drivers\lvuvcflt.sys
2009-12-20 07:10 . 2009-12-21 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2009-12-20 07:10 . 2009-12-20 07:14 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-12-20 07:10 . 2009-12-20 07:15 -------- d-----w- c:\program files\Logitech
2009-12-20 07:09 . 2008-04-13 19:39 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2009-12-20 07:09 . 2008-04-13 19:39 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2009-12-20 07:09 . 2008-04-13 19:46 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
2009-12-20 07:09 . 2008-04-13 19:46 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2009-12-20 07:09 . 2008-04-13 19:46 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
2009-12-20 07:09 . 2008-04-13 19:46 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2009-12-20 06:31 . 2009-12-20 06:31 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-12-20 06:31 . 2010-01-03 01:43 -------- d-----w- c:\documents and settings\basab\Application Data\skypePM
2009-12-20 06:23 . 2010-01-03 15:58 -------- d-----w- c:\documents and settings\basab\Application Data\Skype
2009-12-20 06:05 . 2009-12-20 06:05 -------- d-----w- c:\program files\Common Files\Skype
2009-12-20 06:04 . 2009-12-20 06:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-12-20 05:58 . 2009-12-20 05:58 -------- d-----w- c:\documents and settings\basab\Local Settings\Application Data\Deployment
2009-12-09 09:56 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-07 11:45 . 2009-04-27 22:48 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2010-01-07 11:45 . 2009-03-05 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2010-01-06 00:22 . 2009-03-05 03:47 -------- d-----w- c:\documents and settings\basab\Application Data\VMware
2010-01-06 00:22 . 2009-03-05 03:06 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-03 15:17 . 2009-12-20 07:44 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-01-03 15:16 . 2009-12-20 07:12 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-01-01 09:58 . 2008-02-11 07:42 -------- d-----w- c:\program files\Core Services
2010-01-01 09:17 . 2009-03-05 02:05 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2009-12-28 22:31 . 2007-11-24 01:31 -------- d-----w- c:\documents and settings\basab\Application Data\JDeveloper
2009-12-25 03:55 . 2009-12-25 03:55 28 ----a-w- c:\windows\system32\config\systemprofile\Application Data\fvgqad.dat
2009-12-20 21:36 . 2007-12-27 21:20 -------- d-----w- c:\program files\Google
2009-12-20 21:33 . 2007-11-23 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-20 21:33 . 2007-11-27 06:21 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2009-12-20 19:30 . 2009-12-20 08:02 -------- d-----w- c:\documents and settings\anu\Application Data\Skype
2009-12-20 08:04 . 2009-12-20 08:04 -------- d-----w- c:\documents and settings\anu\Application Data\skypePM
2009-12-09 06:35 . 2007-11-21 22:18 75432 ----a-w- c:\documents and settings\basab\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-21 15:51 . 2003-07-16 16:17 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 07:45 . 2006-06-23 19:33 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 23:22 . 2009-10-20 23:22 857520 ----a-w- c:\windows\system32\drivers\vmx86.sys
2009-10-20 23:22 . 2009-10-20 23:22 54960 ----a-w- c:\windows\system32\drivers\vmci.sys
2009-10-20 23:22 . 2009-10-20 23:22 32304 ----a-w- c:\windows\system32\drivers\hcmon.sys
2009-10-20 23:21 . 2009-10-20 23:21 55856 ----a-w- c:\windows\system32\vnetinst.dll
2009-10-20 23:21 . 2009-10-20 23:21 50736 ----a-w- c:\windows\system32\vmnetbridge.dll
2009-10-20 23:21 . 2009-10-20 23:21 31280 ----a-w- c:\windows\system32\drivers\vmnetbridge.sys
2009-10-20 23:21 . 2009-10-20 23:21 18736 ----a-w- c:\windows\system32\drivers\vmnet.sys
2009-10-20 23:21 . 2009-10-20 23:21 16560 ----a-w- c:\windows\system32\drivers\vmnetadapter.sys
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2006-05-14 09:13 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2003-07-16 16:36 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2003-07-16 16:36 79872 ----a-w- c:\windows\system32\raschap.dll
2008-08-24 07:12 . 2007-11-20 23:20 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-08-24 07:12 . 2007-11-20 23:20 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-08-24 07:12 . 2007-11-20 23:20 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-08-24 07:12 . 2007-11-20 23:20 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-08-24 07:12 . 2007-11-20 23:20 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\security\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
"SUPERAntiSpyware"="c:\security\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-07 2002160]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-27 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\security\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\security\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^basab^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\basab\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-11 03:51 39792 ----a-w- c:\programs\Adobe\Reader\811\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApacheTomcatMonitor]
2007-07-20 02:20 98304 ----a-w- c:\programs\Tomcat\bin\tomcat6w.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-05-08 18:35 2780432 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2004-10-26 20:01 4632576 ----a-w- c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2004-10-26 20:01 921600 ----a-w- c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-04-24 02:42 148888 ----a-w- c:\programs\Java\jre\16013\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-12-27 21:22 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Tomcat6"=3 (0x3)
"TapiSrv"=3 (0x3)
"SMTPSVC"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"ImapiService"=3 (0x3)
"IISADMIN"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"aspnet_state"=3 (0x3)
"Apache2.2"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\VMWare\\Server\\202\\vmware-authd.exe"=
"c:\\VMWare\\Server\\202\\vmware-hostd.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programs\\Skype\\Phone\\Skype.exe"=
"c:\\Programs\\Skype\\Plugin Manager\\skypePM.exe"=
R1 SASDIFSV;SASDIFSV;c:\security\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\security\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2/4/2008 9:53 PM 8576]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/20/2009 3:22 PM 54960]
R2 VMwareHostd;VMware Host Agent;c:\vmware\Server\202\vmware-hostd.exe [10/20/2009 3:21 PM 322096]
R2 VMwareServerWebAccess;VMware Server Web Access;c:\vmware\Server\202\tomcat\bin\tomcat6.exe [10/20/2009 1:27 PM 57344]
R3 SASENUM;SASENUM;c:\security\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
S3 vmwriter;VMware VSS Writer;c:\vmware\Server\202\vmVssWriter.exe [10/20/2009 3:22 PM 29744]
S4 Apache2.2;Apache2.2;c:\programs\Apache\22\bin\httpd.exe [6/13/2008 3:05 AM 24635]
S4 Tomcat6;Apache Tomcat;c:\programs\Tomcat\bin\tomcat6.exe [7/19/2007 6:20 PM 57344]
.
Contents of the 'Scheduled Tasks' folder
2010-01-07 c:\windows\Tasks\User_Feed_Synchronization-{4A4E5F10-2AB0-4064-B999-26D7AFEDD4EE}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
2010-01-07 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-11 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\vmware\Server\202\vsocklib.dll
Trusted Zone: bmaulik-pc
DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574}
FF - ProfilePath - c:\documents and settings\basab\Application Data\Mozilla\Firefox\Profiles\xu0v4c7y.Firefox 3 Preview\
FF - plugin: c:\documents and settings\basab\Application Data\Mozilla\Firefox\Profiles\xu0v4c7y.Firefox 3 Preview\extensions\VMwareVMRC@vmware.com\plugins\np-vmware-vmrc-2.5.0-122581.dll
FF - plugin: c:\programs\Adobe\Reader\811\Reader\browser\nppdf32.dll
FF - plugin: c:\programs\Java\jre\16013\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\programs\Java\jre\16013\bin\new_plugin\npjp2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-07 03:47
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\programs\MySQL\5045\bin\mysqld-nt\" --defaults-file=\"c:\programs\MySQL\5045\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(992)
c:\security\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(5316)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\programs\TortoiseSVN\bin\tortoisesvn.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\programs\TortoiseSVN\bin\intl3_svn.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\vmnat.exe
c:\vmware\Server\202\vmware-authd.exe
c:\windows\system32\vmnetdhcp.exe
c:\windows\system32\wscntfy.exe
c:\programs\TortoiseSVN\bin\TSVNCache.exe
c:\windows\BCMSMMSG.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2010-01-07 03:56:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-07 11:56
ComboFix2.txt 2009-12-31 08:46
Pre-Run: 4,742,574,080 bytes free
Post-Run: 4,741,701,632 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - C6E37AB1389C8521664D136A7B3FE8B3
I look forward to your feedback and advice.
Thank you for your help!
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-05-08 18:35 2780432 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2004-10-26 20:01 4632576 ----a-w- c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2004-10-26 20:01 921600 ----a-w- c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-04-24 02:42 148888 ----a-w- c:\programs\Java\jre\16013\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-12-27 21:22 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Tomcat6"=3 (0x3)
"TapiSrv"=3 (0x3)
"SMTPSVC"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"ImapiService"=3 (0x3)
"IISADMIN"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"aspnet_state"=3 (0x3)
"Apache2.2"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\VMWare\\Server\\202\\vmware-authd.exe"=
"c:\\VMWare\\Server\\202\\vmware-hostd.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programs\\Skype\\Phone\\Skype.exe"=
"c:\\Programs\\Skype\\Plugin Manager\\skypePM.exe"=
R1 SASDIFSV;SASDIFSV;c:\security\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\security\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2/4/2008 9:53 PM 8576]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/20/2009 3:22 PM 54960]
R2 VMwareHostd;VMware Host Agent;c:\vmware\Server\202\vmware-hostd.exe [10/20/2009 3:21 PM 322096]
R2 VMwareServerWebAccess;VMware Server Web Access;c:\vmware\Server\202\tomcat\bin\tomcat6.exe [10/20/2009 1:27 PM 57344]
R3 SASENUM;SASENUM;c:\security\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
S3 vmwriter;VMware VSS Writer;c:\vmware\Server\202\vmVssWriter.exe [10/20/2009 3:22 PM 29744]
S4 Apache2.2;Apache2.2;c:\programs\Apache\22\bin\httpd.exe [6/13/2008 3:05 AM 24635]
S4 Tomcat6;Apache Tomcat;c:\programs\Tomcat\bin\tomcat6.exe [7/19/2007 6:20 PM 57344]
.
Contents of the 'Scheduled Tasks' folder
2010-01-07 c:\windows\Tasks\User_Feed_Synchronization-{4A4E5F10-2AB0-4064-B999-26D7AFEDD4EE}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
2010-01-07 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-11 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\vmware\Server\202\vsocklib.dll
Trusted Zone: bmaulik-pc
DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574}
FF - ProfilePath - c:\documents and settings\basab\Application Data\Mozilla\Firefox\Profiles\xu0v4c7y.Firefox 3 Preview\
FF - plugin: c:\documents and settings\basab\Application Data\Mozilla\Firefox\Profiles\xu0v4c7y.Firefox 3 Preview\extensions\VMwareVMRC@vmware.com\plugins\np-vmware-vmrc-2.5.0-122581.dll
FF - plugin: c:\programs\Adobe\Reader\811\Reader\browser\nppdf32.dll
FF - plugin: c:\programs\Java\jre\16013\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\programs\Java\jre\16013\bin\new_plugin\npjp2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-07 03:47
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\programs\MySQL\5045\bin\mysqld-nt\" --defaults-file=\"c:\programs\MySQL\5045\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(992)
c:\security\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(5316)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\programs\TortoiseSVN\bin\tortoisesvn.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\programs\TortoiseSVN\bin\intl3_svn.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\vmnat.exe
c:\vmware\Server\202\vmware-authd.exe
c:\windows\system32\vmnetdhcp.exe
c:\windows\system32\wscntfy.exe
c:\programs\TortoiseSVN\bin\TSVNCache.exe
c:\windows\BCMSMMSG.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2010-01-07 03:56:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-07 11:56
ComboFix2.txt 2009-12-31 08:46
Pre-Run: 4,742,574,080 bytes free
Post-Run: 4,741,701,632 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - C6E37AB1389C8521664D136A7B3FE8B3
I look forward to your feedback and advice.
Thank you for your help!
Attached File(s):
- Attach.txt (13.2K)
- ark.txt (5.24K)
