Virtumon.c?


  • This topic is locked
2 replies to this topic

#1 BabyGrizzy

BabyGrizzy

  • Members
  • 1 posts
  • OFFLINE
  • Local time:09:00 PM

Posted 02 May 2008 - 10:25 PM

Very bad slowdown; I decided to run SB:S&D and it found 11 files: 7 .dlls, 2 class ID reg keys, 2 browser helper object reg keys.

ComboFix 08-05-01.3 - Scott 2008-05-02 19:53:14.1 - NTFSx86

Running from: C:\Documents and Settings\Scott\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\awtUkJBT.dll
C:\WINDOWS\system32\byXQKdAP.dll
C:\WINDOWS\system32\byXRhGxx.dll
C:\WINDOWS\system32\dgOnnnnn.ini
C:\WINDOWS\system32\dgOnnnnn.ini2
C:\WINDOWS\system32\hesintyp.dll
C:\WINDOWS\system32\irutlmhl.dll
C:\WINDOWS\system32\lhmlturi.ini
C:\WINDOWS\system32\PAdKQXyb.ini
C:\WINDOWS\system32\PAdKQXyb.ini2
C:\WINDOWS\system32\stvoysii.dll
C:\WINDOWS\system32\vblcaaca.ini
C:\WINDOWS\system32\wojshmdv.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-03 to 2008-05-03 )))))))))))))))))))))))))))))))
.

2008-05-02 16:55 . 2008-05-02 16:51 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-02 16:55 . 2008-05-02 16:55 2,549 --a------ C:\WINDOWS\unins000.dat
2008-05-02 14:29 . 2008-05-02 15:46 109,747 --a------ C:\WINDOWS\BMe355544f.xml
2008-05-01 23:07 . 2008-05-01 23:07 <DIR> d-------- C:\Program Files\Outsim
2008-05-01 17:54 . 2008-05-01 17:54 <DIR> d-------- C:\Program Files\PowerISO
2008-04-30 22:44 . 2008-05-01 13:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-30 22:44 . 2008-04-30 22:44 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-27 18:06 . 2008-05-01 22:36 <DIR> d-------- C:\Program Files\CrossLoop
2008-04-26 21:10 . 2008-04-26 21:10 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Thinstall
2008-04-25 23:54 . 2008-04-25 23:54 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-04-25 21:20 . 2008-04-25 21:20 10,344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2008-04-25 19:17 . 2008-04-25 19:17 24 --a------ C:\url_history.xml
2008-04-22 19:56 . 2008-03-03 20:05 436,784 --a------ C:\WINDOWS\system32\vnetlib.dll
2008-04-22 19:56 . 2008-03-03 20:06 150,064 --a------ C:\WINDOWS\system32\vmnat.exe
2008-04-22 19:56 . 2008-03-03 20:06 121,392 --a------ C:\WINDOWS\system32\vmnetdhcp.exe
2008-04-22 19:56 . 2008-03-03 19:12 50,992 -ra------ C:\WINDOWS\system32\vmnetbridge.dll
2008-04-22 19:56 . 2008-03-03 19:12 28,592 -ra------ C:\WINDOWS\system32\drivers\vmnetbridge.sys
2008-04-22 19:56 . 2008-03-03 20:06 25,136 --a------ C:\WINDOWS\system32\drivers\vmnetuserif.sys
2008-04-22 19:56 . 2008-03-03 20:06 20,912 --a------ C:\WINDOWS\system32\drivers\VMkbd.sys
2008-04-22 19:56 . 2008-03-03 19:12 17,712 -ra------ C:\WINDOWS\system32\drivers\vmnet.sys
2008-04-22 19:56 . 2008-03-03 19:12 16,816 -ra------ C:\WINDOWS\system32\drivers\vmnetadapter.sys
2008-04-22 19:56 . 2008-03-03 19:12 13,104 -ra------ C:\WINDOWS\system32\vnetinst.dll
2008-04-22 19:55 . 2008-04-22 19:55 <DIR> d-------- C:\Program Files\VMware
2008-04-22 19:55 . 2008-04-22 19:55 <DIR> d-------- C:\Program Files\Common Files\VMware
2008-04-14 20:31 . 2008-04-14 20:31 <DIR> d-------- C:\Program Files\DVD Decrypter
2008-04-14 14:51 . 2008-04-14 14:52 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-04-14 14:51 . 2008-04-14 14:51 307,968 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-04-14 14:51 . 2008-02-27 13:15 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-04-13 16:33 . 2008-04-13 16:33 <DIR> d-------- C:\Program Files\MonoCalendar
2008-04-10 15:24 . 2008-04-10 15:24 <DIR> d-------- C:\Program Files\Common Files\OverDrive Shared
2008-04-08 19:15 . 2008-04-08 19:18 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-04-07 19:29 . 2008-04-07 19:29 78,240 --a------ C:\WINDOWS\system32\drivers\FILEM701.SYS
2008-04-07 14:53 . 2008-04-07 14:53 <DIR> d-------- C:\Program Files\Common Files\Napster Shared
2008-04-07 14:52 . 2008-04-07 20:22 <DIR> d-------- C:\Program Files\Napster

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-03 03:01 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\VMware
2008-05-03 03:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-05-03 03:00 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2008-05-03 02:59 0 ----a-w C:\WINDOWS\system32\drivers\logiflt.iad
2008-05-03 02:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-03 01:59 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-03 01:55 --------- d-----w C:\Documents and Settings\Scott\Application Data\Skype
2008-05-03 01:55 --------- d-----w C:\Documents and Settings\Scott\Application Data\.purple
2008-05-03 01:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-03 01:30 --------- d-----w C:\Documents and Settings\Scott\Application Data\skypePM
2008-05-02 23:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-02 06:10 --------- d-----w C:\Program Files\Image-Line
2008-05-02 06:09 --------- d-----w C:\Program Files\VstPlugins
2008-05-02 05:08 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-02 00:38 --------- d-----w C:\Documents and Settings\Scott\Application Data\gtk-2.0
2008-05-01 22:54 --------- d-----w C:\Documents and Settings\Scott\Application Data\VMware
2008-05-01 05:47 --------- d-----w C:\Program Files\DivX
2008-04-27 04:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-25 21:48 --------- d-----w C:\Program Files\SecondLife
2008-04-23 05:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-23 02:57 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-04-22 01:08 --------- d-----w C:\Documents and Settings\Scott\Application Data\Audacity
2008-04-22 00:13 --------- d-----w C:\Documents and Settings\Scott\Application Data\tor
2008-04-22 00:12 --------- d-----w C:\Documents and Settings\Scott\Application Data\Vidalia
2008-04-20 02:04 87,312 ----a-w C:\WINDOWS\system32\drivers\cmdGuard.sys
2008-04-20 02:04 23,824 ----a-w C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-04-14 21:50 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-14 07:49 --------- d-----w C:\Program Files\SpeedFan
2008-04-12 00:41 --------- d-----w C:\Program Files\Pidgin
2008-04-12 00:30 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-12 00:30 --------- d-----w C:\Program Files\TuneXP
2008-04-12 00:30 --------- d-----w C:\Program Files\RGB
2008-04-12 00:30 --------- d-----w C:\Program Files\NetWaiting
2008-04-12 00:30 --------- d-----w C:\Program Files\Microsoft Works
2008-04-12 00:30 --------- d-----w C:\Program Files\GemMaster
2008-04-12 00:30 --------- d-----w C:\Program Files\EnglishOtto
2008-04-11 05:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-08 22:28 --------- d-----w C:\Program Files\Winamp
2008-04-08 22:28 --------- d-----w C:\Documents and Settings\Scott\Application Data\Winamp
2008-04-08 03:34 --------- d-----w C:\Program Files\Yahoo!
2008-04-08 03:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-07 21:53 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-04-07 21:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-04-03 01:42 --------- d-----w C:\Program Files\PowerQuest
2008-03-25 00:54 --------- d-----w C:\Documents and Settings\Scott\Application Data\Nexon
2008-03-25 00:53 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-03-23 08:56 --------- d--h--w C:\Documents and Settings\Scott\Application Data\yahoo!
2008-03-23 08:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-12 03:54 --------- d-----w C:\Documents and Settings\Scott\Application Data\SystemRequirementsLab
2008-03-10 23:24 --------- d-----w C:\Documents and Settings\Scott\Application Data\Tonium
2008-03-07 22:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-03-07 04:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 04:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 04:32 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-03-07 01:06 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-03-07 01:03 --------- d-----w C:\Program Files\Common Files\HP
2008-03-07 00:52 --------- d-----w C:\Program Files\Hewlett-Packard
2008-03-06 17:21 --------- d-----w C:\Program Files\Vidalia
2008-03-06 17:21 --------- d-----w C:\Program Files\Tor
2008-03-06 17:21 --------- d-----w C:\Program Files\Privoxy
2008-03-04 03:06 925,104 ----a-w C:\WINDOWS\system32\drivers\vmx86.sys
2008-03-04 03:06 34,864 ----a-w C:\WINDOWS\system32\drivers\hcmon.sys
2008-03-04 01:08 --------- d-----w C:\Program Files\PQDVD
2008-03-04 00:58 --------- d-----w C:\Program Files\Norton Internet Security
2008-03-04 00:45 --------- d-----w C:\Program Files\Red Kawa
2008-03-03 23:56 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-03-03 23:56 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-03 23:56 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-03-03 23:56 --------- d-----w C:\Program Files\Symantec
2008-03-03 23:38 --------- d-----w C:\Program Files\Windows Sidebar
2008-02-17 00:39 720,896 ----a-w C:\WINDOWS\iun6002.exe
2008-01-29 02:40 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-06-29 23:46 430 ------w C:\Documents and Settings\Scott\Application Data\wklnhst.dat
2007-08-09 21:08 8,784 ----a-w C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-08-09 21:10 245,408 ----a-w C:\Program Files\mozilla firefox\plugins\unicows.dll
2006-05-03 10:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 11:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
2007-12-17 13:43 27,648 --sha-w C:\WINDOWS\system32\Smab0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 20:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-03-03 16:54 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll" [2007-08-24 20:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 20:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 21:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 21:56 64512]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-09-27 17:10 7585792]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-09-27 17:10 86016]
"nwiz"="nwiz.exe" [2006-09-27 17:10 1617920 C:\WINDOWS\system32\nwiz.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 22:01 761946]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-07-11 21:55 102400]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-09 11:43 184320]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-30 16:02 40960]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 10:23 1187840]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-27 14:44 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2006-09-21 05:20 127036]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"HPMVTray"="C:\Program Files\Hewlett-Packard\HP Media Vault\Utilities\HPMVTray.exe" [2007-02-15 09:58 964248]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-04-19 19:03 1572608]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 12:01 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 21:53 714608]
"VMware hqtray"="C:\Program Files\VMware\VMware Player\hqtray.exe" [2008-03-03 20:05 55856]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-06 17:05 200704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXRhGxx]
byXRhGxx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"msacm.l3codec"= l3codecp.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=C:\WINDOWS\pss\Privoxy.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
backup=C:\WINDOWS\pss\Run Google Web Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Scott^Start Menu^Programs^StartUp^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\Scott\Start Menu\Programs\StartUp\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Scott^Start Menu^Programs^StartUp^SLON Startup.lnk]
path=C:\Documents and Settings\Scott\Start Menu\Programs\StartUp\SLON Startup.lnk
backup=C:\WINDOWS\pss\SLON Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Scott^Start Menu^Programs^StartUp^Stardock ObjectDock.lnk]
path=C:\Documents and Settings\Scott\Start Menu\Programs\StartUp\Stardock ObjectDock.lnk
backup=C:\WINDOWS\pss\Stardock ObjectDock.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Scott^Start Menu^Programs^StartUp^Xfire.lnk]
path=C:\Documents and Settings\Scott\Start Menu\Programs\StartUp\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2006-09-14 08:55 61440 C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anonymizer]
C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
--------- 2006-09-04 18:18 700416 C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeathAdder]
--a------ 2007-05-07 18:40 159744 C:\Program Files\Razer\DeathAdder\razerhid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2007-04-02 05:24 113400 C:\Program Files\Sonic\Product\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 14:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2007-10-25 17:33 563984 C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-10-25 17:37 2178832 C:\Program Files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
--a------ 2007-12-10 14:35 323216 C:\Program Files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 17:05 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 16:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shadow]
--a------ 2007-02-14 18:09 513536 C:\Program Files\NewTech Infosystems\NTI Shadow 3\Shadow.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vmount2"=2 (0x2)
"vmserverdWin32"=2 (0x2)
"VMware NAT Service"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)
"AdobeActiveFileMonitor5.0"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"hpWirelessAssistant"=C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Common Files\\InstallShield\\engine\\6\\Intel 32\\Ikernel.exe"=
"C:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVTray.exe"=
"C:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASSelector.exe"=
"C:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASDriveMapper.exe"=
"C:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPEZBkup.exe"=
"C:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVCheck.exe"=
"C:\\Program Files\\NewTech Infosystems\\NTI Shadow 3\\Shadow.exe"=
"C:\\Program Files\\NewTech Infosystems\\NTI DriveBackup! 4\\CDDIB32.exe"=
"C:\\Program Files\\NewTech Infosystems\\NTI DriveBackup! 4\\DIBExplor.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-03 03:01:02 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
"2008-04-22 00:53:03 C:\WINDOWS\Tasks\HPCeeSchedule.job"
- C:\Program Files\Hewlett-Packard\SDP\Ceement\HPCEE.exe
"2008-05-03 00:32:16 C:\WINDOWS\Tasks\Mantenimiento con 1 clic.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-04-22 06:26:37 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Scott.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 20:01:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????<?@? ????o??????Y?@?????<?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\searchindexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-05-02 20:07:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-03 03:07:36

Pre-Run: 36,792,676,352 bytes free
Post-Run: 37,555,089,408 bytes free

391 --- E O F --- 2008-04-12 07:53:22

#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:00 PM

Posted 11 May 2008 - 12:30 PM

Hello BabyGrizzy,

Looks like you did not read the Forum Guidelines at the top of the page.
It states "DO NOT post a ComboFix log unless requested to."




You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!



Please visit this webpage for instructions for downloading and running Recovery Console
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

It is a simple procedure that will only take a few moments of your time.

You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an unstable system, and because of that it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever the malware damaged.
Also, even if you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore for several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.


After you have installed Recovery Console, then run ComboFix and post the ComboFix log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:00 PM

Posted 20 May 2008 - 09:20 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.