Infection With Virtumonde


  • This topic is locked
6 replies to this topic

#1 Giorgio89

Giorgio89

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:29 PM

Posted 13 May 2008 - 03:22 PM

Hello! I have been trying to get rid of virtumonde for a week now and nothing seems to work. I have tried spy scanner, ad aware and norton 360. Every time I delete it, it comes back after I restart and it is driving me crazy because my whole computer is lagging and I get hundreds of popups. How can I actually remove the virus for good? I am running Windows Vista Ultimate. Thank you in advance!

Giorgio


#2 Giorgio89

Giorgio89
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:29 PM

Posted 13 May 2008 - 04:24 PM

The HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:22 PM, on 5/13/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPStart] "C:\Program Files\Synaptics\SynTP\SynTPStart.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] "C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" -hidden
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKCU\..\Run: [cmds] "rundll32.exe" C:\Users\Giorgio\AppData\Local\Temp\byXoLExX.dll,c
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [d2086436] "rundll32.exe" "C:\Users\Giorgio\AppData\Local\Temp\srrkdpod.dll",b
O4 - HKCU\..\Run: [BMd13b57aa] "Rundll32.exe" "C:\Users\Giorgio\AppData\Local\Temp\lplicnir.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9531 bytes
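
The lines a helper would pick out of this log are the three HKCU Run entries that hand rundll32.exe a DLL sitting in the user's AppData\Local\Temp folder with an eight-character random name and a one-letter export (cmds, d2086436, BMd13b57aa), and the O2 BHO and O21 SSODL entries that register sockins32.dll with no directory and the file missing. The following is an added example, not part of Giorgio89's post and not a HijackThis or BleepingComputer tool: it parses HijackThis O2/O4/O21 lines and scores them with those heuristics. The sample input is the subset of lines copied from the log above; the indicator rules (Temp-directory DLL, single-character export, hex-looking value name, missing or bare-name module) and their wording are assumptions of this example, not anything the log states about itself.

```python
import re

# Constructed sample input: the O2, O4 and O21 lines copied from the
# HijackThis log posted above (other line types are ignored by triage()).
SAMPLE_HJT_LOG = r"""
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [cmds] "rundll32.exe" C:\Users\Giorgio\AppData\Local\Temp\byXoLExX.dll,c
O4 - HKCU\..\Run: [d2086436] "rundll32.exe" "C:\Users\Giorgio\AppData\Local\Temp\srrkdpod.dll",b
O4 - HKCU\..\Run: [BMd13b57aa] "Rundll32.exe" "C:\Users\Giorgio\AppData\Local\Temp\lplicnir.dll",s
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
"""

# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32[.exe] <dll>,<export>   (the DLL path may or may not be quoted)
RUNDLL_RE = re.compile(
    r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S*)', re.I)
# O2 - BHO: <name> - {CLSID} - <module>  /  O21 - SSODL: <name> - {CLSID} - <module>
COM_RE = re.compile(
    r'^(?P<type>O2|O21) - (?:BHO|SSODL): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<module>.*)$')
# A DLL under ...\Temp\ or ...\AppData\Local\Temp\ is not where installed software lives.
TEMP_DIR_RE = re.compile(r'\\(?:AppData\\Local\\)?Temp\\', re.I)
# Assumption of this example: value names like d2086436 / BMd13b57aa, i.e.
# eight hex digits with an optional "BM" prefix, are treated as machine-generated.
HEX_NAME_RE = re.compile(r'(?:BM)?[0-9a-f]{8}')


def triage(log_text):
    """Return (entry type, entry name, [reasons]) for every suspicious line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        run = O4_RE.match(line)
        if run:
            reasons = []
            r = RUNDLL_RE.match(run['cmd'])
            if r:
                if TEMP_DIR_RE.search(r['dll']):
                    reasons.append('rundll32 loads a DLL from a Temp directory: ' + r['dll'])
                if len(r['export']) == 1:
                    reasons.append('exported function name is a single character: ' + r['export'])
            if HEX_NAME_RE.fullmatch(run['name']):
                reasons.append('Run value name is a random-looking hex string')
            if reasons:
                findings.append(('O4', run['name'], reasons))
            continue
        com = COM_RE.match(line)
        if com:
            reasons = []
            module = com['module']
            path = module.replace('(file missing)', '').strip()
            if module == '(no file)' or module.endswith('(file missing)'):
                reasons.append('registered module is not on disk: ' + module)
            if path != '(no file)' and '\\' not in path:
                # No directory: the name is resolved through the DLL search order.
                reasons.append('module given as a bare file name: ' + path)
            if reasons:
                findings.append((com['type'], com['name'], reasons))
    return findings


if __name__ == '__main__':
    for entry_type, name, reasons in triage(SAMPLE_HJT_LOG):
        print('%-3s [%s]' % (entry_type, name))
        for reason in reasons:
            print('      - ' + reason)
```

Run against the sample, the six flagged entries are exactly the ones discussed above and the legitimate NvCplDaemon (rundll32 loading a DLL from system32 with a normal export name) and Skype entries pass through unflagged. The heuristics are deliberately narrow; a real triage would still confirm each flagged DLL on disk, and "(no file)" BHO entries are often only leftovers of an uninstall rather than an infection.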

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:29 AM

Posted 13 May 2008 - 05:05 PM

Hello Giorgio89,

Welcome to Bleeping Computer :thumbsup:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#4 Giorgio89

Giorgio89
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:29 PM

Posted 13 May 2008 - 05:39 PM

Here is the combofix log:

ComboFix 08-05-12.1 - Giorgio 2008-05-14 0:31:37.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.1104 [GMT 2:00]
Running from: C:\Users\Giorgio\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\mainms.vpi
C:\Windows\megavid.cdt
C:\Windows\muotr.so
C:\Windows\system32\lsprst7.dll
C:\Windows\system32\prsgrc.dll
C:\Windows\system32\sft.res

.
((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.

2008-05-13 22:48 . 2008-05-13 22:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-13 16:02 . 2008-05-13 16:02 <DIR> d-------- C:\Users\Giorgio\.spss
2008-05-13 16:00 . 2008-05-13 16:00 1,024 --a------ C:\Windows\System32\grcauth2.dll
2008-05-13 16:00 . 2008-05-13 16:00 1,024 --a------ C:\Windows\System32\grcauth1.dll
2008-05-13 16:00 . 2008-05-13 16:00 114 --a------ C:\Windows\System32\prsgrc.tgz
2008-05-13 15:57 . 2008-05-13 15:57 <DIR> d-------- C:\Users\All Users\SafeNet Sentinel
2008-05-13 15:57 . 2008-05-13 15:57 <DIR> d-------- C:\ProgramData\SafeNet Sentinel
2008-05-13 15:52 . 2008-05-13 15:52 <DIR> d-------- C:\Users\All Users\SPSS
2008-05-13 15:52 . 2008-05-13 15:52 <DIR> d-------- C:\ProgramData\SPSS
2008-05-13 15:52 . 2008-05-13 15:52 <DIR> d-------- C:\Program Files\Common Files\SPSS
2008-05-13 15:51 . 2008-05-13 15:51 <DIR> d-------- C:\Program Files\SPSSInc
2008-05-13 15:50 . 2008-05-13 15:50 1,025 --a------ C:\Windows\System32\sysprs7.tgz
2008-05-13 15:50 . 2008-05-13 15:50 1,025 --a------ C:\Windows\System32\sysprs7.dll
2008-05-13 15:50 . 2008-05-13 15:50 219 --a------ C:\Windows\System32\lsprst7.tgz
2008-05-13 15:50 . 2008-05-13 15:50 16 ---h----- C:\Windows\System32\servdat.slm
2008-05-13 15:45 . 2008-05-13 15:45 0 --a------ C:\law.sp
2008-05-13 10:36 . 2008-05-13 10:37 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-05-13 10:36 . 2008-05-13 10:37 <DIR> d-------- C:\ProgramData\Lavasoft
2008-05-13 10:36 . 2008-05-13 10:36 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-13 10:35 . 2008-05-13 10:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-13 00:38 . 2008-05-13 00:38 <DIR> d-------- C:\VundoFix Backups
2008-05-12 20:08 . 2008-05-12 20:08 <DIR> d-------- C:\Users\Giorgio\AppData\Roaming\Webroot
2008-05-12 20:08 . 2008-05-12 20:08 <DIR> d-------- C:\Users\All Users\Webroot
2008-05-12 20:08 . 2008-05-12 20:08 <DIR> d-------- C:\ProgramData\Webroot
2008-05-12 20:08 . 2008-05-12 20:08 <DIR> d-------- C:\Program Files\Webroot
2008-05-12 20:08 . 2008-01-04 20:56 1,526,640 --a------ C:\Windows\WRSetup.dll
2008-05-12 20:08 . 2008-01-04 20:34 163,696 --a------ C:\Windows\System32\drivers\ssidrv.sys
2008-05-12 20:08 . 2008-01-04 20:34 23,920 --a------ C:\Windows\System32\drivers\sskbfd.sys
2008-05-12 20:08 . 2008-01-04 20:34 21,872 --a------ C:\Windows\System32\drivers\sshrmd.sys
2008-05-12 20:08 . 2008-01-04 20:34 20,336 --a------ C:\Windows\System32\drivers\SSFS0BB9.sys
2008-05-12 20:07 . 2008-05-12 20:07 164 --a------ C:\install.dat
2008-05-12 19:43 . 2008-05-08 05:49 14,720,000 --a------ C:\Spy Sweeper v5.5.7.124.exe
2008-05-12 17:40 . 2008-05-12 17:40 <DIR> d-------- C:\Windows\System32\Macromed
2008-05-12 17:26 . 2008-05-12 17:26 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-05-10 23:07 . 2008-05-10 23:07 578 --a------ C:\Windows\index.html
2008-05-10 22:59 . 2008-05-10 22:59 <DIR> d-------- C:\Users\All Users\ACD Systems
2008-05-10 22:59 . 2008-05-10 22:59 <DIR> d-------- C:\ProgramData\ACD Systems
2008-05-10 22:58 . 2008-05-10 22:59 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2008-05-10 22:58 . 2008-05-10 22:58 <DIR> d-------- C:\Program Files\ACD Systems
2008-05-10 21:31 . 2008-05-14 00:34 <DIR> d-------- C:\Users\Giorgio\AppData\Roaming\Skype
2008-05-10 21:26 . 2008-05-10 21:26 <DIR> d-------- C:\Users\All Users\Skype
2008-05-10 21:26 . 2008-05-10 21:26 <DIR> d-------- C:\ProgramData\Skype
2008-05-10 21:26 . 2008-05-10 21:26 <DIR> d-------- C:\Program Files\Skype
2008-05-10 21:26 . 2008-05-10 21:26 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-10 21:17 . 2008-05-12 20:09 <DIR> d-------- C:\Users\Giorgio\AppData\Roaming\uTorrent
2008-05-10 21:17 . 2008-05-10 21:17 <DIR> d-------- C:\Program Files\uTorrent
2008-05-10 16:43 . 2008-05-10 16:43 <DIR> d-------- C:\Program Files\VistaCodecPack
2008-05-10 15:07 . 2008-05-10 15:07 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-05-10 15:07 . 2008-05-10 15:07 <DIR> d-------- C:\ProgramData\WLInstaller
2008-05-10 15:07 . 2008-05-10 15:47 <DIR> d-------- C:\Program Files\Windows Live
2008-05-10 15:07 . 2008-05-10 15:15 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-10 15:06 . 2008-05-10 15:06 <DIR> d-------- C:\Users\Giorgio\AppData\Roaming\Apple Computer
2008-05-10 15:05 . 2008-05-10 15:05 <DIR> d-------- C:\Program Files\iTunes
2008-05-10 15:05 . 2008-05-10 15:05 <DIR> d-------- C:\Program Files\iPod
2008-05-10 15:05 . 2008-05-10 15:05 <DIR> d-------- C:\Program Files\Bonjour
2008-05-10 15:04 . 2008-05-10 15:05 <DIR> d-------- C:\Users\All Users\Apple Computer
2008-05-10 15:04 . 2008-05-10 15:05 <DIR> d-------- C:\ProgramData\Apple Computer
2008-05-10 15:04 . 2008-05-10 15:04 <DIR> d-------- C:\Program Files\QuickTime
2008-05-10 15:04 . 2008-05-10 15:04 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-10 15:03 . 2008-05-10 15:03 <DIR> d-------- C:\Users\All Users\Apple
2008-05-10 15:03 . 2008-05-10 15:03 <DIR> d-------- C:\ProgramData\Apple
2008-05-10 15:03 . 2008-05-10 15:03 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-05-10 14:03 . 2008-05-10 14:05 <DIR> d-------- C:\ASP
2008-05-10 14:02 . 2008-05-10 14:02 <DIR> d-------- C:\Users\Giorgio\AppData\Roaming\Symantec
2008-05-10 13:44 . 2006-10-26 19:56 32,592 --a------ C:\Windows\System32\msonpmon.dll
2008-05-10 13:42 . 2008-05-10 13:42 <DIR> d-------- C:\Program Files\Microsoft Works
2008-05-10 13:41 . 2008-05-10 13:41 <DIR> d-------- C:\Windows\PCHEALTH
2008-05-10 13:41 . 2008-05-10 13:41 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-05-10 13:38 . 2008-05-10 13:38 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-05-10 13:37 . 2008-05-10 14:37 <DIR> d-------- C:\Users\All Users\Microsoft Help
2008-05-10 13:37 . 2008-05-10 14:37 <DIR> d-------- C:\ProgramData\Microsoft Help
2008-05-10 13:36 . 2008-05-10 13:36 <DIR> dr-h----- C:\MSOCache
2008-05-10 13:33 . 2008-05-10 13:33 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-05-10 12:46 . 2008-03-06 21:32 23,904 --a------ C:\Windows\System32\drivers\COH_Mon.sys
2008-05-10 12:46 . 2008-03-06 21:32 10,537 --a------ C:\Windows\System32\drivers\COH_Mon.cat
2008-05-10 12:46 . 2008-03-06 21:32 706 --a------ C:\Windows\System32\drivers\COH_Mon.inf
2008-05-10 09:00 . 2008-05-10 08:07 <DIR> d-------- C:\Windows\Panther
2008-05-10 09:00 . 2008-05-09 23:55 <DIR> d--hs---- C:\Boot
2008-05-10 09:00 . 2008-01-18 23:45 333,203 -rahs---- C:\bootmgr
2008-05-10 09:00 . 2008-05-10 09:00 8,192 -ra-s---- C:\BOOTSECT.BAK
2008-05-10 08:59 . 2008-05-10 08:59 <DIR> d-------- C:\Windows\System32\OEM
2008-05-10 08:59 . 2007-03-16 18:40 59 -ra------ C:\Windows\DELL_VERSION
2008-05-10 08:04 . 2008-05-14 00:16 12 --a------ C:\Windows\bthservsdp.dat
2008-05-10 08:03 . 2008-05-10 01:33 <DIR> d-------- C:\Windows\Debug
2008-05-10 08:01 . 2008-05-10 08:01 524,288 --ahs---- C:\Windows\System32\config\systemprofile\ntuser.dat{83718e2f-1e56-11dd-8465-806e6f6e6963}.TMContainer00000000000000000002.regtrans-ms
2008-05-10 08:01 . 2008-05-14 00:31 524,288 --ahs---- C:\Windows\System32\config\systemprofile\ntuser.dat{83718e2f-1e56-11dd-8465-806e6f6e6963}.TMContainer00000000000000000001.regtrans-ms
2008-05-10 08:01 . 2008-05-14 00:31 65,536 --ahs---- C:\Windows\System32\config\systemprofile\ntuser.dat{83718e2f-1e56-11dd-8465-806e6f6e6963}.TM.blf
2008-05-10 01:17 . 2008-02-29 09:11 988,216 --a------ C:\Windows\System32\winload.exe
2008-05-10 01:17 . 2008-02-29 09:11 927,288 --a------ C:\Windows\System32\winresume.exe
2008-05-10 01:17 . 2008-02-22 07:05 615,992 --a------ C:\Windows\System32\ci.dll
2008-05-10 01:17 . 2008-02-29 08:53 378,368 --a------ C:\Windows\System32\srcore.dll
2008-05-10 01:17 . 2008-02-29 06:12 318,464 --a------ C:\Windows\System32\rstrui.exe
2008-05-10 01:17 . 2008-02-29 08:53 46,592 --a------ C:\Windows\System32\setbcdlocale.dll
2008-05-10 01:17 . 2008-02-29 08:53 40,960 --a------ C:\Windows\System32\srclient.dll
2008-05-10 01:17 . 2008-02-29 09:14 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-05-10 01:17 . 2008-02-29 06:12 14,848 --a------ C:\Windows\System32\srdelayed.exe
2008-05-10 01:17 . 2008-02-29 08:35 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-05-10 01:13 . 2008-02-29 06:21 2,032,128 --a------ C:\Windows\System32\win32k.sys
2008-05-10 01:13 . 2008-02-22 04:50 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-05-10 01:13 . 2008-02-22 07:01 826,880 --a------ C:\Windows\System32\wininet.dll
2008-05-10 01:08 . 2008-05-10 01:08 16 --a------ C:\Windows\System32\coh.cache
2008-05-10 00:56 . 2008-05-10 01:29 <DIR> d-------- C:\Program Files\Symantec
2008-05-10 00:56 . 2008-05-13 21:10 <DIR> d-------- C:\Program Files\Norton 360
2008-05-10 00:56 . 2008-05-10 01:29 123,952 --a------ C:\Windows\System32\drivers\SYMEVENT.SYS
2008-05-10 00:56 . 2008-05-10 01:29 10,740 --a------ C:\Windows\System32\drivers\SYMEVENT.CAT
2008-05-10 00:56 . 2008-05-10 01:29 805 --a------ C:\Windows\System32\drivers\SYMEVENT.INF
2008-05-10 00:55 . 2008-05-11 21:16 <DIR> d-------- C:\Users\All Users\Symantec
2008-05-10 00:55 . 2008-05-11 21:16 <DIR> d-------- C:\ProgramData\Symantec
2008-05-10 00:55 . 2008-05-10 01:28 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-10 00:55 . 2008-02-22 06:57 295,936 --a------ C:\Windows\System32\gdi32.dll
2008-05-10 00:52 . 2008-05-10 00:52 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-05-10 00:50 . 2008-05-10 00:50 <DIR> d-------- C:\Users\Giorgio\AppData\Roaming\DAEMON Tools
2008-05-10 00:50 . 2008-05-10 00:50 717,296 --a------ C:\Windows\System32\drivers\sptd.sys
2008-05-10 00:35 . 2008-05-10 00:35 <DIR> d-------- C:\Users\Giorgio\Bluetooth Software
2008-05-10 00:33 . 2008-05-10 00:33 <DIR> d-------- C:\Program Files\Synaptics
2008-05-10 00:33 . 2008-05-10 00:33 0 --ah----- C:\Windows\System32\drivers\Msft_Kernel_SynTP_01000.Wdf
2008-05-10 00:30 . 2008-05-10 00:30 <DIR> d-------- C:\Windows\System32\es-MX
2008-05-10 00:30 . 2008-05-10 00:30 <DIR> d-------- C:\Windows\System32\es-AR
2008-05-10 00:30 . 2008-05-10 00:30 <DIR> d-------- C:\Program Files\WIDCOMM
2008-05-10 00:30 . 2007-09-18 13:12 233,472 --a------ C:\Windows\System32\BtwRSupport.dll
2008-05-10 00:30 . 2007-09-18 13:12 80,936 --a------ C:\Windows\System32\drivers\btwavdt.sys
2008-05-10 00:30 . 2007-09-18 13:12 80,424 --a------ C:\Windows\System32\drivers\btwaudio.sys
2008-05-10 00:30 . 2007-09-18 13:12 16,168 --a------ C:\Windows\System32\drivers\btwrchid.sys
2008-05-10 00:27 . 2007-07-25 12:48 172,032 --a------ C:\Windows\System32\rixdicon.dll
2008-05-10 00:27 . 2004-09-04 03:00 90,112 --a------ C:\Windows\System32\snymsico.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-10 11:42 --------- d-----w C:\Program Files\MSBuild
2008-05-09 23:37 --------- d-----w C:\Program Files\Windows Mail
2008-05-09 22:25 319,456 ----a-w C:\Windows\DIFxAPI.dll
2008-05-09 22:25 315,392 ----a-w C:\Windows\HideWin.exe
2008-05-09 21:55 174 --sha-w C:\Program Files\desktop.ini
2008-05-09 21:50 --------- d-----w C:\Program Files\Windows Sidebar
2008-05-09 21:50 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-05-09 21:50 --------- d-----w C:\Program Files\Windows Journal
2008-05-09 21:50 --------- d-----w C:\Program Files\Windows Defender
2008-05-09 21:50 --------- d-----w C:\Program Files\Windows Collaboration
2008-05-09 21:50 --------- d-----w C:\Program Files\Windows Calendar
2008-05-09 21:43 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-05-09 21:43 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-03-15 17:07 7,680 ----a-w C:\Windows\System32\ff_vfw.dll
2008-03-06 22:29 966,656 ----a-w C:\Windows\System32\VSFilter.dll
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-18 23:33 1233920]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 17:36 455968]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-03-21 10:30 486856]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31 22880040]
"Device Detector"="DevDetect.exe" []
"cmds"="rundll32.exe" [2006-11-02 11:45 44544 C:\Windows\System32\rundll32.exe]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 23:33 202240]
"d2086436"="rundll32.exe" [2006-11-02 11:45 44544 C:\Windows\System32\rundll32.exe]
"BMd13b57aa"="Rundll32.exe" [2006-11-02 11:45 44544 C:\Windows\System32\rundll32.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-18 23:38 1008184]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-12-06 14:13 202032]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-09 15:59 4702208 C:\Windows\RtHDVCpl.exe]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-14 19:29 102400]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 07:59 115816]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"NvCplDaemon"="RUNDLL32.exe" [2006-11-02 11:45 44544 C:\Windows\System32\rundll32.exe]
"NvMediaCenter"="RUNDLL32.exe" [2006-11-02 11:45 44544 C:\Windows\System32\rundll32.exe]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-09-05 13:09:54 727592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"= {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= divxa32.acm
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9FB70FC5-303F-4A5B-A9A4-170A0BE0B320}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{1093F141-4799-433F-80C4-EE305361C5ED}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{258FEAC1-0011-4833-A9DB-0AB1B5A6B235}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{E601F75A-A075-4F42-9F96-CA7EA6C1886F}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{1D501E6F-864E-4426-A1C1-E84A77F2F7BA}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{17846FD7-AD89-4A70-AB42-C41F46768416}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{6D9ECA19-DF9C-428C-A1A6-DC84D0764523}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{FDD321AA-E959-402E-BC22-3576E05FF90D}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{38F43D8C-A5F4-4FFA-885B-251669BDEF7C}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{CF9FCDDF-8B1C-4505-BDAF-F7BE36E9B420}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{EFA22648-C315-4CCD-A768-F2ECD67E1451}"= Disabled:UDP:C:\Program Files\SPSSInc\SPSS16\spss.exe:SPSS 16.0 for Windows (1033:exe)
"{B64D942E-1E85-4C10-A331-1C69A3C46DBF}"= Disabled:UDP:C:\Program Files\SPSSInc\SPSS16\SPSSWinWrapIDE.exe:SPSS Basic Script Editor (1033)
"{18DB58B6-D0EE-48E7-A6C3-4AD10100A0D8}"= Disabled:TCP:C:\Program Files\SPSSInc\SPSS16\spss.exe:SPSS 16.0 for Windows (1033:exe)
"{67803BCE-672B-4433-9800-5FAD7FE6F9EA}"= Disabled:TCP:C:\Program Files\SPSSInc\SPSS16\SPSSWinWrapIDE.exe:SPSS Basic Script Editor (1033)
"{90A47045-606F-409E-AB77-95FA46BEDCA1}"= Disabled:UDP:C:\Program Files\SPSSInc\SPSS16\spss.com:SPSS 16.0 for Windows (1033:com)
"{66ED2454-2CB0-45DD-BB0D-7022F429C938}"= Disabled:TCP:C:\Program Files\SPSSInc\SPSS16\spss.com:SPSS 16.0 for Windows (1033:com)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080508.002\IDSvix86.sys [2008-04-04 18:48]
R3 btwaudio;Bluetooth Audio Device Service;C:\Windows\system32\drivers\btwaudio.sys [2007-09-18 13:12]
R3 btwavdt;Bluetooth AVDT;C:\Windows\system32\drivers\btwavdt.sys [2007-09-18 13:12]
R3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2007-09-18 13:12]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-01-10 00:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7dea4a90-1e1a-11dd-b755-001a6bdf853a}]
\shell\AutoRun\command - F:\setup.exe /autorun

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockins32.dll,InitModule
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 00:34:52
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-14 0:35:55
ComboFix-quarantined-files.txt 2008-05-13 22:35:49

Pre-Run: 59,370,840,064 bytes free
Post-Run: 59,270,610,944 bytes free

265 --- E O F --- 2008-05-10 12:38:04

#5 Giorgio89

Giorgio89
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:29 PM

Posted 13 May 2008 - 05:41 PM

And the new hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:27 AM, on 5/14/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPStart] "C:\Program Files\Synaptics\SynTP\SynTPStart.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [LightScribe Control Panel] "C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" -hidden
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9154 bytes

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:29 AM

Posted 13 May 2008 - 06:39 PM

Hello,

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply along with a fresh HijackThis log.


Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
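As an added example (not from this thread, and not code from HijackThis, Malwarebytes or BleepingComputer), here is a small Python triage script that applies the kinds of checks a helper makes when picking entries out of a HijackThis log: blank Internet Explorer `Search,*` settings, and O2 (BHO) / O21 (SSODL) load points whose module is reported missing or is given without an absolute path. The sample lines are copied from the log posted above with a few benign entries kept for contrast; the rules are my own heuristics and happen to select exactly the four entries tea listed.

```python
"""Triage a HijackThis v2 log for entries of the kinds flagged in the thread."""
import re

# Constructed sample: lines copied from the HijackThis log posted above, with
# a few benign entries kept so the rules have something to pass over.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O13 - Gopher Prefix:
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O21 ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")

# Sections whose last field names a module Windows loads into Explorer / IE:
# O2 = Browser Helper Object, O21 = ShellServiceObjectDelayLoad.
LOAD_POINT_CODES = {"O2", "O21"}

# Heuristics (my own, not HijackThis logic): a blank IE Search,* value is a
# common leftover of a search hijack, and a load point whose module is missing
# or has no absolute path is something the registry should not normally carry.
BLANK_SEARCH_RE = re.compile(r"Internet Explorer\\Search,\w+ =\s*$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def classify(line):
    """Return a reason string if the entry merits review, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code in ("R0", "R1") and BLANK_SEARCH_RE.search(body):
        return "blank Internet Explorer search setting"
    if code in LOAD_POINT_CODES:
        # The module is the last " - "-separated field of the entry.
        module = body.rsplit(" - ", 1)[-1]
        if "(file missing)" in module:
            return "load point whose module is reported missing"
        if not ABS_PATH_RE.match(module):
            return "load point with a bare module name, no absolute path"
    return None


def triage(log_text):
    """Return (entry, reason) pairs for every line that classify() flags."""
    findings = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            findings.append((line.strip(), reason))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {entry}")
```

Run it on a full log pasted into `SAMPLE_LOG` (or read from a file) and review the flagged lines by hand; the script is a first filter, not a verdict, and a bare module name in an O2/O21 entry still has to be checked against what is actually on disk before anything is removed.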

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:29 AM

Posted 23 May 2008 - 08:00 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?



