
Virtumonde Virus - Tried Everything!


4 replies to this topic

#1 boomdust
  • Members
  • 2 posts

Posted 19 December 2007 - 04:45 AM

My computer is infected and I can't seem to get to the root of the problem. I have been on all the forums trying out the various fixes, but it seems to be resistant to it all. The symptoms are a pop-up style window which appears in the system tray as 'Windows Security balloon'; when you click on it, a pop-up window comes up titled 'Personal Security Center' which lists their 'Security Essentials', which are 'Ultimate Defender' and 'Ultimate Cleaner'. These are trying to get you to download some software to get rid of viruses! The other problem is that on start-up there are around 15 *.dll missing notifications which I have to click 'OK' on. This has only started happening over the last few weeks since the virus has been on the computer.

Virtumonde is always found when I run a Spybot scan every day, which I repeatedly fix (delete), but it always returns. I have run Ad-Aware 2007, Ad-Aware SE Personal, Ad-Aware 6.0, Malware Destroyer, FixWareout, SmitFraudFix, Trojan Killer, VirtumundoBeGone & Panda online virus scanner but still no luck.

This is the latest log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:43:12, on 19/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\Program Files\SecCenter\scprot4.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\home\Desktop\HiJackThis.exe

R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {08C525F4-2EBD-396D-B12A-005661A8CF95} - (no file)
O2 - BHO: (no name) - {16975C1E-950B-F58A-B187-08ED8F89A6B0} - C:\Program Files\Vngligpw\bqryhzze.dll
O2 - BHO: (no name) - {2037842F-B6FC-94F5-49E2-04A07E581D4A} - C:\Program Files\Mvsuvccl\gtmfbhnu.dll
O2 - BHO: (no name) - {20D6C2D7-E959-9F1A-DF2D-02BDF96BE4F6} - (no file)
O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)
O2 - BHO: (no name) - {245A6CD4-5EA9-B9EB-791A-06F67243094D} - C:\Program Files\Hsrkyjde\necjjhom.dll
O2 - BHO: (no name) - {2D628D87-D0A3-6203-4E86-09D91C6DD614} - C:\Program Files\Osyjovzz\dduvboxc.dll
O2 - BHO: (no name) - {316B6BFD-AE4C-6AF6-21B0-0B58D034C3C3} - C:\Program Files\Eyenvysj\raishfng.dll
O2 - BHO: (no name) - {35BFEF80-9814-0F5F-9961-0444D2412BD9} - C:\Program Files\Rrzyqnkh\qiaittqe.dll
O2 - BHO: (no name) - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - (no file)
O2 - BHO: (no name) - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - (no file)
O2 - BHO: (no name) - {581A08E1-5AE0-3116-311F-04D4D9BEF94D} - C:\Program Files\Zwecpopr\axkuliyg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [oxotohqz] rundll32.exe "C:\Program Files\oxotohqz\abavctcr.dll",Init
O4 - HKLM\..\Run: [ovizkjuz] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ovizkjuz.dll"
O4 - HKLM\..\Run: [eluzyryb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\eluzyryb.dll"
O4 - HKLM\..\Run: [janobixq] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\janobixq.dll"
O4 - HKLM\..\Run: [zynkpsfs] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\zynkpsfs.dll"
O4 - HKLM\..\Run: [olyrwvaz] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\olyrwvaz.dll"
O4 - HKLM\..\Run: [tcdgxczk] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\tcdgxczk.dll"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ktszwbiv] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ktszwbiv.dll"
O4 - HKLM\..\Run: [nqdersjg] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\nqdersjg.dll"
O4 - HKLM\..\Run: [utezafcb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\utezafcb.dll"
O4 - HKLM\..\Run: [dufknutc] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\dufknutc.dll"
O4 - HKLM\..\Run: [wzkbilgp] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\wzkbilgp.dll"
O4 - HKLM\..\Run: [xmjstopo] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\xmjstopo.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [ahcpkxyf] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ahcpkxyf.dll"
O4 - HKLM\..\Run: [fqdqdiby] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\fqdqdiby.dll"
O4 - HKLM\..\Run: [rqbqlwby] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\rqbqlwby.dll"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net/
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11358 bytes


Any help much appreciated!
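The HijackThis log above shows the pattern a helper looks for in this kind of infection: O2 BHO entries with "(no name)" that still load a file, and O4 Run entries that load eight-letter DLLs through "regsvr32 /u" or "rundll32 ...,Init" from Program Files or the shared Application Data folder. As an added example (not part of the original thread, and not HijackThis or ComboFix code), here is a small Python triage script that applies those heuristics to a few lines copied from the log. The regexes, the severity labels and the function names are my own assumptions; the script only reads log text and reports, it changes nothing on the machine.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a few lines copied from the HijackThis log in the post above,
# mixing legitimate entries with the Virtumonde/Vundo-style ones.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {08C525F4-2EBD-396D-B12A-005661A8CF95} - (no file)
O2 - BHO: (no name) - {16975C1E-950B-F58A-B187-08ED8F89A6B0} - C:\Program Files\Vngligpw\bqryhzze.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [oxotohqz] rundll32.exe "C:\Program Files\oxotohqz\abavctcr.dll",Init
O4 - HKLM\..\Run: [ovizkjuz] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ovizkjuz.dll"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# HijackThis line shapes (assumed from the log format shown in the thread).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
# Eight-letter names with no meaning ("Vngligpw", "oxotohqz") are a supporting signal only:
# legitimate eight-letter names exist, so this never decides on its own.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{8}$")
PROGRAM_FILES_DLL_RE = re.compile(r"Program Files\\(?P<dir>[^\\]+)\\(?P<file>[^\\]+)\.dll", re.I)
APPDATA_DLL_RE = re.compile(r"Application Data\\(?P<file>[^\\]+)\.dll", re.I)
REGSVR_UNREG_RE = re.compile(r"regsvr32(\.exe)?\s+/u\b", re.I)
RUNDLL_EXPORT_RE = re.compile(r'rundll32(\.exe)?\s+.*\.dll"?,\w+', re.I)


@dataclass
class Finding:
    severity: str                      # "high", "medium" or "info" (my own labels)
    line: str                          # the original log line
    reasons: List[str] = field(default_factory=list)


def _path_signals(text: str) -> List[str]:
    """Supporting indicators from where a DLL lives and what it is called."""
    signals = []
    m = PROGRAM_FILES_DLL_RE.search(text)
    if m and RANDOM_NAME_RE.match(m.group("dir")) and RANDOM_NAME_RE.match(m.group("file")):
        signals.append("random-looking 8-letter folder and DLL name under Program Files")
    m = APPDATA_DLL_RE.search(text)
    if m:
        signals.append("DLL dropped directly in the shared Application Data folder")
        if RANDOM_NAME_RE.match(m.group("file")):
            signals.append("random-looking 8-letter DLL name")
    return signals


def _check_o2(m: "re.Match") -> Optional[Finding]:
    name, path = m.group("name"), m.group("path")
    if path == "(no file)":
        # Leftover registration; the DLL is already gone, so this is only a cleanup item.
        return Finding("info", m.group(0), ["orphaned BHO registration: CLSID points at a missing file"])
    if name == "(no name)":
        return Finding("high", m.group(0), ["BHO with no name that still loads a file"] + _path_signals(path))
    return None


def _check_o4(m: "re.Match") -> Optional[Finding]:
    cmd = m.group("cmd")
    signals = _path_signals(cmd)
    if REGSVR_UNREG_RE.match(cmd):
        # The /u (unregister) switch still runs code inside the DLL at every logon.
        reasons = ["Run entry invokes 'regsvr32 /u' on a DLL at every logon"]
        severity = "high"
    elif RUNDLL_EXPORT_RE.match(cmd):
        # rundll32 calling a named export is also used legitimately, so escalate only with path signals.
        reasons = ["Run entry uses rundll32 to call an export of a DLL"]
        severity = "high" if signals else "medium"
    else:
        return None
    return Finding(severity, m.group(0), reasons + signals)


def triage(log_text: str) -> List[Finding]:
    """Scan O2 and O4 lines of a HijackThis log and return the entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        found = _check_o2(m) if m else None
        if found is None:
            m = O4_RE.match(line)
            found = _check_o4(m) if m else None
        if found is not None:
            findings.append(found)
    return findings


def high_findings(log_text: str) -> List[str]:
    """The log lines that deserve attention first."""
    return [f.line for f in triage(log_text) if f.severity == "high"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

To run it over a real log, pass the whole file's text to `triage()`; the script only reads and reports, it never deletes or changes anything, which is the point of the "do not make any system changes yet" instruction helpers give while they read a log.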

#2 lusitano
    Portuguese Malware Fighter
  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal

Posted 19 December 2007 - 10:18 AM

Hi, welcome to Bleeping Computer Forums!

You might want to save this page on your favorites, so you can find it again when you return.


Please take note of the following:
  • I will be handling your log and helping you; please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.

Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 lusitano
    Portuguese Malware Fighter
  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal

Posted 19 December 2007 - 01:44 PM

Hello

Your log doesn't show any antivirus software running.
This is somewhat suicidal in today's digital world. If you have disabled your antivirus software, please re-enable it; otherwise you need to install an antivirus program as soon as you can and run a complete scan of the computer.
Please download and install one of these good (and free) products:

Avira Antivir
BitDefender
AVG


Install just one of these products and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but cannot remove.

Note: I do not recommend that you have more than one antivirus product installed and running on your computer at a time.
The reason for this is that if both products have their automatic (real-time) protection switched on, those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

1) False alarms: when the antivirus software tells you that your PC has a virus when it actually doesn't.
2) System performance problems: your system may lock up due to both products attempting to access the same file at the same time.

Download ComboFix from Here or Here to your Desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist.

Regards

#4 boomdust
  • Topic Starter
  • Members
  • 2 posts

Posted 19 December 2007 - 07:06 PM

Ola & thanks for the response! The computer has ZoneAlarm, which has its own antivirus program running (I hope), but if it's not showing on the HJT log this could be a problem, no?!! I have run ComboFix and this is the log from that after restarting:

ComboFix 07-12-19.2 - home 2007-12-19 23:48:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.234 [GMT 0:00]
Running from: C:\Documents and Settings\home\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.\documents\setup.exe
C:\Program Files\oxotohqz
C:\Program Files\oxotohqz\abavctcr.dll
C:\Program Files\SecCenter
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\ecurit~1
C:\WINDOWS\system32\ecurit~1\?ecurity\

.
((((((((((((((((((((((((( Files Created from 2007-11-19 to 2007-12-19 )))))))))))))))))))))))))))))))
.

2007-12-19 15:36 . 2007-12-19 15:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-19 15:35 . 2007-12-19 19:18 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-19 15:35 . 2007-12-19 15:35 <DIR> d-------- C:\Documents and Settings\home\Application Data\SUPERAntiSpyware.com
2007-12-17 22:12 . 2007-12-17 22:12 <DIR> d-------- C:\WINDOWS\system32\pvdiirbs
2007-12-17 22:11 . 2007-12-19 19:13 <DIR> d-------- C:\Program Files\Eyenvysj
2007-12-16 22:17 . 2007-12-19 19:06 <DIR> d-------- C:\Program Files\Doidxntl
2007-12-13 17:17 . 2007-12-19 15:33 <DIR> d-------- C:\WINDOWS\system32\swprpnlg
2007-12-13 17:17 . 2007-12-19 19:06 <DIR> d-------- C:\Program Files\Jxutfjvg
2007-12-10 13:22 . 2007-12-16 20:50 <DIR> d-------- C:\WINDOWS\system32\mhqckswn
2007-12-10 13:22 . 2007-12-19 19:13 <DIR> d-------- C:\Program Files\Zwecpopr
2007-12-09 19:31 . 2007-12-11 17:43 <DIR> d-------- C:\Program Files\EMCO Malware Destroyer
2007-12-09 19:26 . 2007-12-09 19:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-09 19:25 . 2007-12-19 15:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-09 19:21 . 2007-12-09 19:21 <DIR> d-------- C:\Program Files\Trojan Killer
2007-12-09 18:32 . 2007-12-09 19:05 <DIR> d-------- C:\Program Files\XoftSpySE
2007-12-09 16:48 . 2007-12-09 16:48 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-09 00:53 . 2007-12-12 19:09 <DIR> d-------- C:\Program Files\Iqbyawny
2007-12-08 12:53 . 2007-12-12 20:07 <DIR> d-------- C:\Program Files\Dngfzojz
2007-12-07 20:56 . 2007-12-16 20:51 <DIR> d-------- C:\WINDOWS\system32\sqnueidq
2007-12-07 20:56 . 2007-12-12 20:10 <DIR> d-------- C:\Program Files\Tjjfeero
2007-11-29 10:03 . 2007-12-16 20:48 <DIR> d-------- C:\WINDOWS\system32\bwbkcnad
2007-11-29 10:03 . 2007-12-19 19:13 <DIR> d-------- C:\Program Files\Hsrkyjde
2007-11-28 05:57 . 2007-12-16 20:50 <DIR> d-------- C:\WINDOWS\system32\jobkremw
2007-11-28 05:56 . 2007-12-19 19:13 <DIR> d-------- C:\Program Files\Rrzyqnkh
2007-11-27 20:19 . 2007-11-20 22:52 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-26 20:07 . 2001-08-17 13:28 771,581 --a------ C:\WINDOWS\system32\dllcache\winacisa.sys
2007-11-26 20:06 . 2001-08-17 13:28 687,999 --a------ C:\WINDOWS\system32\dllcache\usrwdxjs.sys
2007-11-26 20:05 . 2001-08-17 13:28 794,654 --a------ C:\WINDOWS\system32\dllcache\usr1801.sys
2007-11-26 20:04 . 2001-08-17 22:36 525,568 --a------ C:\WINDOWS\system32\dllcache\tridxp.dll
2007-11-26 20:03 . 2004-08-10 05:00 571,392 --a------ C:\WINDOWS\system32\dllcache\tintlgnt.ime
2007-11-26 20:02 . 2001-08-17 12:18 285,760 --a------ C:\WINDOWS\system32\dllcache\stlnata.sys
2007-11-26 20:01 . 2004-08-10 05:00 456,704 --a------ C:\WINDOWS\system32\dllcache\smtpsvc.dll
2007-11-26 20:00 . 2004-08-03 22:41 404,990 --a------ C:\WINDOWS\system32\dllcache\slntamr.sys
2007-11-26 19:59 . 2004-08-10 05:00 2,178,131 --a------ C:\WINDOWS\system32\dllcache\shvlres.dll
2007-11-26 19:58 . 2001-08-17 22:36 495,616 --a------ C:\WINDOWS\system32\dllcache\sblfx.dll
2007-11-26 19:57 . 2001-08-17 13:28 899,146 --a------ C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2007-11-26 19:56 . 2004-08-10 05:00 482,304 --a------ C:\WINDOWS\system32\dllcache\pintlgnt.ime
2007-11-26 19:55 . 2001-08-17 14:05 351,616 --a------ C:\WINDOWS\system32\dllcache\ovcodek2.sys
2007-11-26 19:54 . 2004-08-10 05:00 226,816 --a------ C:\WINDOWS\system32\dllcache\npdrmv2.dll
2007-11-26 19:53 . 2004-08-04 00:56 1,737,856 --a------ C:\WINDOWS\system32\dllcache\mtxparhd.dll
2007-11-26 19:52 . 2004-08-10 05:00 1,875,968 --a------ C:\WINDOWS\system32\dllcache\msir3jp.lex
2007-11-26 19:51 . 2004-08-10 05:00 1,158,818 --a------ C:\WINDOWS\system32\dllcache\korwbrkr.lex
2007-11-26 19:50 . 2004-08-10 05:00 811,064 --a------ C:\WINDOWS\system32\dllcache\imjp81k.dll
2007-11-26 19:49 . 2004-08-10 05:00 13,463,552 --a------ C:\WINDOWS\system32\dllcache\hwxjpn.dll
2007-11-26 19:48 . 2004-08-10 05:00 1,175,635 --a------ C:\WINDOWS\system32\dllcache\hrtzres.dll
2007-11-26 19:47 . 2001-08-17 14:56 1,733,120 --a------ C:\WINDOWS\system32\dllcache\g400d.dll
2007-11-26 19:46 . 2001-08-17 12:17 629,952 --a------ C:\WINDOWS\system32\dllcache\eqn.sys
2007-11-26 19:45 . 2001-08-17 12:14 952,007 --a------ C:\WINDOWS\system32\dllcache\diwan.sys
2007-11-26 19:44 . 2001-08-17 22:36 614,429 --a------ C:\WINDOWS\system32\dllcache\digiview.exe
2007-11-26 19:43 . 2004-08-10 05:00 1,677,824 --a------ C:\WINDOWS\system32\dllcache\chsbrkr.dll
2007-11-26 19:42 . 2004-08-10 05:00 1,817,687 --a------ C:\WINDOWS\system32\dllcache\bckgres.dll
2007-11-26 19:41 . 2004-08-04 00:56 870,784 --a------ C:\WINDOWS\system32\dllcache\ati3d1ag.dll
2007-11-26 19:40 . 2004-08-10 05:00 2,134,528 --a------ C:\WINDOWS\system32\dllcache\smtpsnap.dll
2007-11-26 19:26 . 2007-12-12 23:54 1,393 --a------ C:\WINDOWS\imsins.BAK
2007-11-24 20:32 . 2007-12-19 23:45 1,276 --a------ C:\rollback.ini
2007-11-24 20:30 . 2007-12-03 12:22 <DIR> d-------- C:\Documents and Settings\home\Application Data\MailFrontier
2007-11-24 20:27 . 2007-12-19 23:51 9,280,800 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-24 20:27 . 2007-12-19 23:22 125,060 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-24 20:11 . 2007-12-03 12:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-24 20:07 . 2007-12-19 19:13 <DIR> d-------- C:\Program Files\Vngligpw
2007-11-21 18:50 . 2007-11-21 18:57 <DIR> d-------- C:\Program Files\Octoshape Streaming Services
2007-11-21 18:30 . 2007-12-19 19:06 <DIR> d-------- C:\Program Files\Qlvlcckr
2007-11-20 21:53 . 2007-12-19 19:06 <DIR> d-------- C:\VundoFix Backups
2007-11-20 18:26 . 2007-12-16 20:51 <DIR> d-------- C:\WINDOWS\system32\vgfddwtv
2007-11-20 18:06 . 2007-12-19 19:06 <DIR> d-------- C:\Program Files\Scsisrqw
2007-11-19 18:32 . 2007-12-16 20:51 <DIR> d-------- C:\WINDOWS\system32\qfovkrbl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-19 19:13 --------- d-----w C:\Program Files\Osyjovzz
2007-12-19 19:13 --------- d-----w C:\Program Files\Mvsuvccl
2007-12-19 19:06 --------- d-----w C:\Program Files\Tltzsmpa
2007-12-19 19:06 --------- d-----w C:\Program Files\Taxwhuzw
2007-12-19 19:06 --------- d-----w C:\Program Files\Mzcknbau
2007-12-19 19:06 --------- d-----w C:\Program Files\Myhlectv
2007-12-19 19:06 --------- d-----w C:\Program Files\Mwwzrcii
2007-12-19 19:06 --------- d-----w C:\Program Files\Exhgloyt
2007-12-19 19:06 --------- d-----w C:\Program Files\Bzsrdvfq
2007-12-19 09:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-17 18:11 6,844 ----a-w C:\WINDOWS\system32\tmp.reg
2007-12-09 19:26 --------- d-----w C:\Program Files\Lavasoft
2007-12-07 22:50 69,304 ----a-w C:\Documents and Settings\home\Application Data\GDIPFONTCACHEV1.DAT
2007-11-27 00:05 --------- d-----w C:\Documents and Settings\home\Application Data\uTorrent
2007-11-21 18:58 --------- d-----w C:\Program Files\SopCast
2007-11-20 18:26 --------- d-----w C:\Program Files\Rdxgejlm
2007-11-14 16:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-11-14 16:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 20:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\iWin Games
2007-11-03 19:32 150 ----a-w C:\temp2.bat
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:55 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:55 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 10:59 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 --s-a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-03-04 23:28 131,575 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_03_20_21_52_small.dmp.zip
2006-11-09 13:38 311,696 ----a-w C:\Program Files\VideoEggPublisher.exe
2006-09-19 10:51 35,710 ----a-w C:\WINDOWS\Internet Logs\Mediahub_2nd_2006_09_18_12_05_23_small.dmp.zip
2006-06-05 12:11 86,431 ----a-w C:\WINDOWS\Internet Logs\Explorer_2nd_2006_06_04_22_57_27_small.dmp.zip
2006-05-09 13:29 72,329 ----a-w C:\WINDOWS\Internet Logs\Explorer_2nd_2006_05_08_19_44_33_small.dmp.zip
2006-04-18 14:39 110,956 ----a-w C:\WINDOWS\Internet Logs\Explorer_2nd_2006_04_17_18_43_18_small.dmp.zip
2006-04-07 16:07 87,455 ----a-w C:\WINDOWS\Internet Logs\explorer_2nd_2006_04_05_22_50_42_small.dmp.zip
2006-03-09 22:16 113,666 ----a-w C:\WINDOWS\Internet Logs\Explorer_2nd_2006_03_09_18_46_34_small.dmp.zip
2006-03-06 19:12 78,151 ----a-w C:\WINDOWS\Internet Logs\explorer_2nd_2006_03_05_21_13_58_small.dmp.zip
2006-02-19 18:35 110,785 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_02_19_16_18_40_small.dmp.zip
2006-01-30 23:17 56 --sh--r C:\WINDOWS\system32\91807E51CC.sys
2006-03-30 16:01 56 --sh--r C:\WINDOWS\system32\F3C5AF8F70.sys
2006-10-26 16:46 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2037842F-B6FC-94F5-49E2-04A07E581D4A}]
C:\Program Files\Mvsuvccl\gtmfbhnu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{245A6CD4-5EA9-B9EB-791A-06F67243094D}]
C:\Program Files\Hsrkyjde\necjjhom.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D628D87-D0A3-6203-4E86-09D91C6DD614}]
C:\Program Files\Osyjovzz\dduvboxc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{316B6BFD-AE4C-6AF6-21B0-0B58D034C3C3}]
C:\Program Files\Eyenvysj\raishfng.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35BFEF80-9814-0F5F-9961-0444D2412BD9}]
C:\Program Files\Rrzyqnkh\qiaittqe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{581A08E1-5AE0-3116-311F-04D4D9BEF94D}]
C:\Program Files\Zwecpopr\axkuliyg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AutoCAD Digital Signatures Icon Overlay Handler]
@={36A21736-36C2-4C11-8ACB-D4136F2B57BD}

[HKEY_CLASSES_ROOT\CLSID\{36A21736-36C2-4C11-8ACB-D4136F2B57BD}]
2005-03-28 21:49 136312 --a------ C:\WINDOWS\system32\AcSignIcon.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-06-06 10:07]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 02:43]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-26 16:25]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-02-10 19:33]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 16:38]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 17:20 C:\WINDOWS\stsystra.exe]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-06-26 09:46]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2006-06-26 10:34]
"LVCOMSX"="C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 10:33]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2002-09-11 18:01]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-06-06 10:07]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 05:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-30 22:04:05]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-28 21:47:32]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-01-26 16:20:27]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-02-20 14:44:56]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

S3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys [2001-08-17 12:12]
S3 rtl8029;Realtek RTL8029(AS)-based PCI Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\RTL8029.SYS [2001-08-17 12:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - PROCEXP90
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-19 23:51:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-19 23:52:15
.
2007-12-12 23:55:55 --- E O F ---



I disabled ZoneAlarm & SUPERAntiSpyware before I ran ComboFix...
This is the new HJT log for the computer:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:01:46, on 20/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\home\Desktop\HiJackThis.exe

R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2037842F-B6FC-94F5-49E2-04A07E581D4A} - C:\Program Files\Mvsuvccl\gtmfbhnu.dll (file missing)
O2 - BHO: (no name) - {245A6CD4-5EA9-B9EB-791A-06F67243094D} - C:\Program Files\Hsrkyjde\necjjhom.dll (file missing)
O2 - BHO: (no name) - {2D628D87-D0A3-6203-4E86-09D91C6DD614} - C:\Program Files\Osyjovzz\dduvboxc.dll (file missing)
O2 - BHO: (no name) - {316B6BFD-AE4C-6AF6-21B0-0B58D034C3C3} - C:\Program Files\Eyenvysj\raishfng.dll (file missing)
O2 - BHO: (no name) - {35BFEF80-9814-0F5F-9961-0444D2412BD9} - C:\Program Files\Rrzyqnkh\qiaittqe.dll (file missing)
O2 - BHO: (no name) - {581A08E1-5AE0-3116-311F-04D4D9BEF94D} - C:\Program Files\Zwecpopr\axkuliyg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net/
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8704 bytes





Thanks for the help so far, lusitano. Please let us know what we need to do next.

And Merry Christmas! Thank you very much!

#5 lusitano

    Portuguese Malware Fighter

  • Members
  • 1,443 posts
  • Gender: Male
  • Location: Portugal

Posted 28 December 2007 - 05:05 AM

Hello and sorry for the long wait!

The computer has ZoneAlarm, which has its own antivirus program running (I hope).


Can you please tell me what version of ZoneAlarm you have? Is it ZoneAlarm® Internet Security Suite, ZoneAlarm Pro, or some other version?


Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:

Folder::
C:\WINDOWS\system32\pvdiirbs
C:\Program Files\Eyenvysj
C:\Program Files\Doidxntl
C:\WINDOWS\system32\swprpnlg
C:\Program Files\Jxutfjvg
C:\WINDOWS\system32\mhqckswn
C:\Program Files\Zwecpopr
C:\Program Files\Iqbyawny
C:\Program Files\Dngfzojz
C:\WINDOWS\system32\sqnueidq
C:\Program Files\Tjjfeero
C:\WINDOWS\system32\bwbkcnad
C:\Program Files\Hsrkyjde
C:\WINDOWS\system32\jobkremw
C:\Program Files\Rrzyqnkh
C:\Program Files\Vngligpw
C:\Program Files\Qlvlcckr
C:\VundoFix Backups
C:\WINDOWS\system32\vgfddwtv
C:\Program Files\Scsisrqw
C:\WINDOWS\system32\qfovkrbl
C:\Program Files\Osyjovzz
C:\Program Files\Mvsuvccl
C:\Program Files\Tltzsmpa
C:\Program Files\Taxwhuzw
C:\Program Files\Mzcknbau
C:\Program Files\Myhlectv
C:\Program Files\Mwwzrcii
C:\Program Files\Exhgloyt
C:\Program Files\Bzsrdvfq
C:\Program Files\Rdxgejlm

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2037842F-B6FC-94F5-49E2-04A07E581D4A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{245A6CD4-5EA9-B9EB-791A-06F67243094D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D628D87-D0A3-6203-4E86-09D91C6DD614}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{316B6BFD-AE4C-6AF6-21B0-0B58D034C3C3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35BFEF80-9814-0F5F-9961-0444D2412BD9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{581A08E1-5AE0-3116-311F-04D4D9BEF94D}]

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




Please update and do a scan with your SUPERAntiSpyware
  • If prompted to update the program definitions, click "Yes". If not prompted, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
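The six "(no name)" BHOs in the HijackThis log are all reported as "(file missing)", yet the registrations keep loading at every Internet Explorer start, which is where the repeated "dll missing" prompts come from; the CFScript above removes exactly those keys. The following Python script is an added example, not part of this thread or of ComboFix or HijackThis themselves: it parses HJT O2/O3 lines, flags orphaned registrations and the random-name Program Files paths this Vundo variant used, and emits the same Registry:: stanza shape used in the reply above. The sample log lines are constructed from this thread, and the random-name heuristic is my own assumption, not a published signature.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: five lines modelled on the HijackThis log posted in this thread.
# Two BHOs with "(file missing)" and an O3 toolbar with "(no file)" are the orphaned
# registrations; the Adobe and Java entries are legitimate.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2037842F-B6FC-94F5-49E2-04A07E581D4A} - C:\Program Files\Mvsuvccl\gtmfbhnu.dll (file missing)
O2 - BHO: (no name) - {245A6CD4-5EA9-B9EB-791A-06F67243094D} - C:\Program Files\Hsrkyjde\necjjhom.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
"""

# HijackThis O2 (BHO) and O3 (toolbar) lines: "<section> - <kind>: <name> - {<CLSID>} - <target>"
HJT_ENTRY = re.compile(
    r"^(?P<section>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\} - (?P<target>.*)$"
)

# Heuristic (my assumption, not a published signature): every Vundo DLL in this thread
# sits at Program Files\<Capitalised 8 letters>\<8 lowercase letters>.dll.
RANDOM_NAME = re.compile(r"\\Program Files\\[A-Z][a-z]{7}\\[a-z]{8}\.dll$")


@dataclass
class Entry:
    section: str
    name: str
    clsid: str
    path: str          # empty when HJT reports "(no file)"
    missing: bool      # "(file missing)" or "(no file)"
    reasons: List[str] = field(default_factory=list)


def parse_hjt(log_text: str) -> List[Entry]:
    """Extract O2/O3 entries from HijackThis log text; other sections are ignored."""
    entries: List[Entry] = []
    for line in log_text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if not m:
            continue
        target = m.group("target").strip()
        missing = False
        if target.endswith("(file missing)"):
            target = target[: -len("(file missing)")].strip()
            missing = True
        elif target == "(no file)":
            target, missing = "", True
        entries.append(Entry(m.group("section"), m.group("name"),
                             m.group("clsid").upper(), target, missing))
    return entries


def flag_suspicious(entries: List[Entry]) -> List[Entry]:
    """Return entries that are orphaned or use the random-name path, with reasons attached.
    "(no name)" on its own is only annotated: some legitimate BHOs also register without one."""
    flagged: List[Entry] = []
    for e in entries:
        reasons = []
        if e.missing:
            reasons.append("orphaned registration: target file is gone")
        if RANDOM_NAME.search(e.path):
            reasons.append("Vundo-style random folder/file name")
        if not reasons:
            continue
        if e.name == "(no name)":
            reasons.append("no friendly name")
        e.reasons = reasons
        flagged.append(e)
    return flagged


def cfscript_registry_block(entries: List[Entry]) -> str:
    """Build the Registry:: stanza in the form used in the reply above. Only O2 BHO keys are
    emitted; a leading '-' tells ComboFix to delete the key, and '~' is ComboFix's shorthand
    for Software\\Microsoft\\Windows\\CurrentVersion\\Explorer (as it appears in its own log)."""
    clsids = sorted({e.clsid for e in entries if e.section == "O2"})
    lines = ["Registry::"]
    lines += [f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{{{c}}}]" for c in clsids]
    return "\n".join(lines)


if __name__ == "__main__":
    found = flag_suspicious(parse_hjt(SAMPLE_HJT_LOG))
    for e in found:
        print(f"{e.section} {{{e.clsid}}} {e.path or '(no file)'}: {'; '.join(e.reasons)}")
    print()
    print(cfscript_registry_block(found))
```

This is a triage aid for reading a log, not a cleaner: as the reply above says, a CFScript is written for one machine, and a generated stanza should be read line by line against the log before anyone drags it onto ComboFix. Deleting the BHO keys also does nothing about the dropper that keeps recreating them, which is why the Folder:: list in the reply removes the random-named directories as well.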



