Virtumonde & Automatic Update Problems


  • This topic is locked
9 replies to this topic

#1 deadlydiva

deadlydiva

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:34 PM

Posted 22 June 2008 - 03:55 PM

I seem to have come down with a persistent case of Virtumonde. There don't seem to be that many affected files, but I tend to err on the side of caution. On top of that, my Automatic Updates are disabling on their own. Here is my log (I hope I'm doing this right...):



Deckard's System Scanner v20071014.68
Run by Mea S on 2008-06-22 16:43:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 85% (more than 75%).
Total Physical Memory: 191 MiB (512 MiB recommended).


-- HijackThis (run as Mea S.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:44:56 PM, on 6/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Mea S\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\MEAS~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net
O2 - BHO: (no name) - {2A07232B-6B4C-46DF-B342-03189E5CB315} - C:\WINDOWS\system32\fccArsTK.dll (file missing)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: (no name) - {3CA60057-9277-49C0-8D64-280DBAD9C3E1} - C:\WINDOWS\system32\byXQGxXq.dll
O2 - BHO: (no name) - {46385843-1FC8-4246-8041-54C7A90039E1} - C:\WINDOWS\system32\opnnnNdE.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: {a7ca707b-5d87-cdcb-daf4-0bcbdfc91258} - {85219cfd-bcb0-4fad-bcdc-78d5b707ac7a} - C:\WINDOWS\system32\nmbevgmi.dll
O2 - BHO: (no name) - {B50CDC52-BA39-4DA3-A788-70BD89F4E7D4} - C:\WINDOWS\system32\ljJBuuvu.dll (file missing)
O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [b0e896b3] rundll32.exe "C:\WINDOWS\system32\tmukjwym.dll",b
O4 - HKLM\..\Run: [BMb3dba52f] Rundll32.exe "C:\WINDOWS\system32\ebahleof.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: byXQGxXq - C:\WINDOWS\SYSTEM32\byXQGxXq.dll
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 6696 bytes

-- Files created between 2008-05-22 and 2008-06-22 -----------------------------

2008-06-22 16:31:28 0 d-------- C:\Program Files\Trend Micro
2008-06-22 09:03:13 0 d-------- C:\Documents and Settings\Mea S\Application Data\Spybot - Search & Destroy
2008-06-21 19:39:40 81408 --a------ C:\WINDOWS\system32\tmukjwym.dll
2008-06-21 19:36:38 99328 --a------ C:\WINDOWS\system32\nmbevgmi.dll
2008-06-21 19:35:07 90112 --a------ C:\WINDOWS\system32\ebahleof.dll
2008-06-21 11:16:58 0 d-------- C:\WINDOWS\system32\appmgmt
2008-06-21 10:14:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-21 09:53:47 0 d-------- C:\WINDOWS\Sun
2008-06-21 09:53:46 0 d-------- C:\Documents and Settings\Mea S\Application Data\Sun
2008-06-20 21:06:43 0 d-------- C:\Program Files\Java
2008-06-20 21:05:54 0 d-------- C:\Program Files\Common Files\Java
2008-06-20 19:33:40 99328 --a------ C:\WINDOWS\system32\tgkcvobb.dll
2008-06-20 19:33:19 90624 --a------ C:\WINDOWS\system32\ujqriflf.dll
2008-06-18 07:23:37 0 d-------- C:\Documents and Settings\Mea S\Application Data\PCF-VLC
2008-06-17 19:48:25 0 d-------- C:\Documents and Settings\Mea S\Application Data\Participatory Culture Foundation
2008-06-17 18:35:20 0 d-------- C:\Program Files\Lexmark Z700-P700 Series
2008-06-17 18:33:42 299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2008-06-17 18:30:04 0 d-------- C:\Documents and Settings\Mea S\WINDOWS
2008-06-17 18:11:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-06-17 18:11:06 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-16 12:18:43 0 d-------- C:\Documents and Settings\Angela\Application Data\Identities
2008-06-16 12:13:08 0 d--h----- C:\Documents and Settings\Angela\Templates
2008-06-16 12:13:08 0 dr------- C:\Documents and Settings\Angela\Start Menu
2008-06-16 12:13:08 0 dr-h----- C:\Documents and Settings\Angela\SendTo
2008-06-16 12:13:08 0 dr-h----- C:\Documents and Settings\Angela\Recent
2008-06-16 12:13:08 0 d--h----- C:\Documents and Settings\Angela\PrintHood
2008-06-16 12:13:08 0 d--h----- C:\Documents and Settings\Angela\NetHood
2008-06-16 12:13:08 0 dr------- C:\Documents and Settings\Angela\My Documents
2008-06-16 12:13:08 0 d--h----- C:\Documents and Settings\Angela\Local Settings
2008-06-16 12:13:08 0 dr------- C:\Documents and Settings\Angela\Favorites
2008-06-16 12:13:08 0 d-------- C:\Documents and Settings\Angela\Desktop
2008-06-16 12:13:08 0 d---s---- C:\Documents and Settings\Angela\Cookies
2008-06-16 12:13:08 0 dr-h----- C:\Documents and Settings\Angela\Application Data
2008-06-16 12:13:08 0 d---s---- C:\Documents and Settings\Angela\Application Data\Microsoft
2008-06-16 12:13:07 2097152 --ah----- C:\Documents and Settings\Angela\NTUSER.DAT
2008-06-13 20:41:48 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-13 20:41:42 0 d-------- C:\Program Files\ReadMe_files
2008-06-13 20:30:20 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-13 20:22:20 750343 --ahs---- C:\WINDOWS\system32\EdNnnnpo.ini2
2008-06-13 20:22:18 322560 --a------ C:\WINDOWS\system32\opnnnNdE.dll
2008-06-13 07:51:32 98304 --a------ C:\WINDOWS\system32\gogvmdwy.dll
2008-06-12 20:27:31 688698 --ahs---- C:\WINDOWS\system32\uvuuBJjl.ini2
2008-06-12 20:07:10 0 d-------- C:\WINDOWS\CAVTemp
2008-06-12 19:17:17 0 d-------- C:\Documents and Settings\Mea S\Application Data\vlc
2008-06-11 18:25:28 679607 --ahs---- C:\WINDOWS\system32\KTsrAccf.ini2
2008-06-11 18:20:07 33792 --a------ C:\WINDOWS\system32\byXQGxXq.dll
2008-06-10 18:04:50 0 d-------- C:\Documents and Settings\Mea S\Application Data\Macromedia
2008-06-10 18:04:50 0 d-------- C:\Documents and Settings\Mea S\Application Data\Adobe
2008-06-10 18:04:38 1160 --a------ C:\WINDOWS\mozver.dat
2008-06-09 20:19:31 0 d-------- C:\Program Files\Semagic
2008-06-09 03:02:06 0 d-------- C:\Program Files\MSXML 4.0
2008-06-08 09:59:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-06-08 08:53:04 188416 --a------ C:\WINDOWS\xnetsurf.exe <Not Verified; Netsurfer, Inc.; NSUnInst Application>
2008-06-08 08:52:53 0 d-------- C:\Program Files\Optimum Online
2008-06-08 08:52:18 0 d-------- C:\SCCache
2008-06-08 08:50:19 344064 --a------ C:\Yampa.exe <Not Verified; Netsurfer, Inc.; Yampa>
2008-06-08 08:50:19 45056 --a------ C:\NetUtils.dll <Not Verified; Netsurfer, Inc.; NetUtils Dynamic Link Library>
2008-06-08 08:50:19 458752 --a------ C:\Dist32.dll <Not Verified; Netsurfer, Inc.; SoftCast Dynamic Link Library>
2008-06-08 08:50:19 135168 --a------ C:\DHCPD.exe <Not Verified; Netsurfer, Inc.; Dhcpd>
2008-06-08 08:50:18 790528 --a------ C:\setup32.exe <Not Verified; Netsurfer, Inc.; NetKit Setup>
2008-06-08 01:06:27 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-06-08 00:05:26 2560 --a------ C:\WINDOWS\system32\bitcometres.dll <Not Verified; BitComet; BitComet BCTP Helper>
2008-06-08 00:05:24 0 d-------- C:\Downloads
2008-06-08 00:04:42 0 d-------- C:\Program Files\BitComet
2008-06-07 23:58:54 0 d-------- C:\Program Files\VideoLAN
2008-06-07 23:53:25 0 d-------- C:\Documents and Settings\Mea S\Application Data\CallingID
2008-06-07 23:53:02 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-07 23:51:35 0 d-------- C:\WINDOWS\Downloaded Installations
2008-06-07 23:51:18 0 d-------- C:\Program Files\Common Files\Scanner
2008-06-07 23:50:38 0 d-------- C:\Documents and Settings\All Users\Application Data\CA
2008-06-07 23:50:35 0 d-------- C:\Program Files\CA
2008-06-07 23:40:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-07 23:37:01 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-07 23:36:56 0 d-------- C:\Documents and Settings\Mea S\Application Data\Mozilla
2008-06-07 23:33:42 0 d-------- C:\Documents and Settings\Mea S\Application Data\GetRightToGo
2008-06-07 23:32:05 0 d-------- C:\WINDOWS\system32\PreInstall
2008-06-07 23:26:47 0 d-------- C:\Documents and Settings\Mea S\Application Data\Identities
2008-06-07 23:26:31 0 d--h----- C:\Documents and Settings\Mea S\Templates
2008-06-07 23:26:31 0 dr------- C:\Documents and Settings\Mea S\Start Menu
2008-06-07 23:26:31 0 dr-h----- C:\Documents and Settings\Mea S\SendTo
2008-06-07 23:26:31 0 dr-h----- C:\Documents and Settings\Mea S\Recent
2008-06-07 23:26:31 0 d--h----- C:\Documents and Settings\Mea S\PrintHood
2008-06-07 23:26:31 2621440 --ah----- C:\Documents and Settings\Mea S\NTUSER.DAT
2008-06-07 23:26:31 0 d--h----- C:\Documents and Settings\Mea S\NetHood
2008-06-07 23:26:31 0 dr------- C:\Documents and Settings\Mea S\My Documents
2008-06-07 23:26:31 0 d--h----- C:\Documents and Settings\Mea S\Local Settings
2008-06-07 23:26:31 0 dr------- C:\Documents and Settings\Mea S\Favorites
2008-06-07 23:26:31 0 d-------- C:\Documents and Settings\Mea S\Desktop
2008-06-07 23:26:31 0 d---s---- C:\Documents and Settings\Mea S\Cookies
2008-06-07 23:26:31 0 dr-h----- C:\Documents and Settings\Mea S\Application Data
2008-06-07 23:24:50 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-06-07 23:23:34 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-06-07 23:23:25 0 d-------- C:\WINDOWS\Prefetch
2008-06-07 23:23:24 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-06-07 23:23:23 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-06-07 23:23:23 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-06-07 23:23:23 0 d---s---- C:\Documents and Settings\LocalService\Cookies
2008-06-07 23:23:23 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-06-07 23:23:23 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-06-07 23:23:00 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-06-07 23:23:00 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2008-06-07 23:23:00 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-06-07 23:23:00 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-06-07 23:22:59 262144 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-06-07 23:18:52 0 d-------- C:\WINDOWS\system32\xircom
2008-06-07 23:18:52 0 d-------- C:\Program Files\microsoft frontpage
2008-06-07 23:18:35 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-06-07 23:18:30 0 d--h----- C:\WINDOWS\$hf_mig$
2008-06-07 23:18:12 0 -rahs---- C:\MSDOS.SYS
2008-06-07 23:18:12 0 -rahs---- C:\IO.SYS
2008-06-07 23:18:12 0 --a------ C:\CONFIG.SYS
2008-06-07 23:18:12 0 --a------ C:\AUTOEXEC.BAT
2008-06-07 23:16:23 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-06-07 23:16:07 0 dr------- C:\WINDOWS\Offline Web Pages
2008-06-07 23:16:06 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-06-07 23:15:50 0 d--h----- C:\Program Files\WindowsUpdate
2008-06-07 23:15:25 0 d-------- C:\WINDOWS\system32\DirectX
2008-06-07 23:14:55 0 d---s---- C:\WINDOWS\Tasks
2008-06-07 23:14:54 0 d-------- C:\Program Files\Common Files\MSSoap
2008-06-07 23:14:51 0 d-------- C:\WINDOWS\srchasst
2008-06-07 23:14:50 0 d-------- C:\WINDOWS\system32\Macromed
2008-06-07 23:14:48 203096 --a------ C:\WINDOWS\system32\wuweb.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-07 23:14:48 325976 --a------ C:\WINDOWS\system32\wucltui.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-07 23:14:48 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-07 23:14:47 33624 --a------ C:\WINDOWS\system32\wups.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-07 23:14:47 53080 --a------ C:\WINDOWS\system32\wuauclt.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-07 23:14:47 549720 --a------ C:\WINDOWS\system32\wuapi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-07 23:14:43 0 d-------- C:\Program Files\Movie Maker
2008-06-07 23:14:37 0 d-------- C:\WINDOWS\system32\Restore
2008-06-07 23:13:36 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-06-07 23:13:18 0 d-------- C:\WINDOWS\Registration
2008-06-07 23:13:08 0 d-------- C:\Program Files\Online Services
2008-06-07 23:12:59 0 d-------- C:\Program Files\Messenger
2008-06-07 23:12:56 0 d-------- C:\Program Files\MSN Gaming Zone
2008-06-07 23:12:21 0 d-------- C:\Program Files\Windows NT
2008-06-07 23:12:19 0 d-------- C:\WINDOWS\system32\MsDtc
2008-06-07 23:12:17 0 d-------- C:\WINDOWS\system32\Com
2008-06-07 19:05:12 0 d--hs---- C:\WINDOWS\Installer
2008-06-07 19:05:11 0 d-------- C:\Program Files\Common Files\ODBC
2008-06-07 19:05:08 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-06-07 19:05:07 0 dr------- C:\Program Files
2008-06-07 19:05:07 0 d-------- C:\Program Files\Common Files
2008-06-07 19:04:42 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-06-07 19:04:42 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-06-07 19:04:42 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-06-07 19:04:42 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-06-07 19:04:42 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-06-07 19:04:42 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-06-07 19:04:42 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-06-07 19:04:42 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-06-07 19:04:42 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-06-07 19:04:42 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-06-07 19:04:42 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-06-07 19:04:42 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-06-07 19:04:42 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-06-07 19:04:42 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-06-07 19:04:42 0 dr------- C:\Documents and Settings\All Users\Documents
2008-06-07 19:04:42 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-06-07 19:04:25 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-06-07 19:04:25 0 d-------- C:\WINDOWS\system32\CatRoot
2008-06-07 19:04:20 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-06-07 19:04:20 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-06-07 19:04:20 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-06-07 19:04:20 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-06-07 19:03:53 0 d--hs---- C:\System Volume Information
2008-06-07 19:03:53 0 d-------- C:\Documents and Settings
2008-06-07 18:29:16 0 d-------- C:\WINDOWS
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\WinSxS
2008-06-07 18:29:16 0 dr------- C:\WINDOWS\Web
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\twain_32
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\wins
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\wbem
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\usmt
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\spool
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\ShellExt
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\Setup
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\ras
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\oobe
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\npp
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\mui
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\inetsrv
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\IME
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\icsxml
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\ias
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\export
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\drivers
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-06-07 18:29:16 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\dhcp
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\config
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\3076
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\2052
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\1054
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\1042
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\1041
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\1037
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\1033
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\1031
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\1028
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system32\1025
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\system
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\security
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\Resources
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\repair
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\Provisioning
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\PeerNet
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\pchealth
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\mui
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\msapps
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\msagent
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\Media
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\java
2008-06-07 18:29:16 0 d--h----- C:\WINDOWS\inf
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\ime
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\Help
2008-06-07 18:29:16 0 dr--s---- C:\WINDOWS\Fonts
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\ehome
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\Driver Cache
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\Debug
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\Cursors
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\Connection Wizard
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\Config
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\AppPatch
2008-06-07 18:29:16 0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2008-06-07 19:04:42 62 --ahs---- C:\Documents and Settings\Mea S\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A07232B-6B4C-46DF-B342-03189E5CB315}]
C:\WINDOWS\system32\fccArsTK.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CA60057-9277-49C0-8D64-280DBAD9C3E1}]
06/11/2008 06:20 PM 33792 --a------ C:\WINDOWS\system32\byXQGxXq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46385843-1FC8-4246-8041-54C7A90039E1}]
06/13/2008 08:22 PM 322560 --a------ C:\WINDOWS\system32\opnnnNdE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85219cfd-bcb0-4fad-bcdc-78d5b707ac7a}]
06/21/2008 07:36 PM 99328 --a------ C:\WINDOWS\system32\nmbevgmi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B50CDC52-BA39-4DA3-A788-70BD89F4E7D4}]
C:\WINDOWS\system32\ljJBuuvu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [06/07/2008 11:59 PM]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [06/13/2008 08:31 PM]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe" [06/07/2008 11:52 PM]
"cafw"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [04/04/2008 03:46 PM]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [04/04/2008 03:46 PM]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [04/04/2008 03:46 PM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [02/28/2006 08:00 AM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [02/28/2006 08:00 AM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [02/28/2006 08:00 AM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [02/28/2006 08:00 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"b0e896b3"="C:\WINDOWS\system32\tmukjwym.dll" [06/21/2008 07:39 PM]
"BMb3dba52f"="C:\WINDOWS\system32\ebahleof.dll" [06/21/2008 07:35 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Spybot - Search & Destroy"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\LinkAdvisor\CIDLinkAdvisor.dll [10/15/2007 09:40 PM 1373624]
"{3CA60057-9277-49C0-8D64-280DBAD9C3E1}"= C:\WINDOWS\system32\byXQGxXq.dll [06/11/2008 06:20 PM 33792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXQGxXq]
byXQGxXq.dll 06/11/2008 06:20 PM 33792 C:\WINDOWS\system32\byXQGxXq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 05/18/2007 01:30 PM 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\opnnnNdE


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b488a218-350a-11dd-bf2f-00142a67609c}]
AutoRun\command- E:\wd_windows_tools\setup.exe




-- End of Deckard's System Scanner: finished at 2008-06-22 16:48:33 ------------
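The log above is the kind of thing the helpers on this board read by eye: BHOs with no name, a DLL that is "(file missing)", Run values with hex-looking names that hand a system32 DLL to rundll32, and a Winlogon Notify package. As an added example (not a HijackThis, DSS or BleepingComputer tool, and not part of this thread), here is a small triage script that applies those same heuristics to HijackThis-style O2/O4/O20 lines and scores each entry for review. The sample input is constructed from lines copied from the log above plus a few benign CA, Java and Lexmark entries for contrast; the score thresholds and reason strings are my own choices, and a score only means "look at this", not "this is malware".

```python
"""Triage HijackThis-style log lines for Vundo/Virtumonde-style persistence.

Added example for the thread above, not a HijackThis, DSS or BleepingComputer
tool. It scores O2 (BHO), O4 (Run key) and O20 (Winlogon Notify) entries with
the heuristics a helper applies by eye: dangling "(file missing)" registrations,
BHOs with no meaningful name, random-looking 8-letter DLL names in system32,
hex-named Run values that load a DLL through rundll32, and anything registered
as a Winlogon Notify package. A score is a "review this" hint, not a verdict.
"""
import re

# Constructed sample: entries copied from the HijackThis log posted above,
# plus benign lines of each type (Java, CA, Lexmark) for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net
O2 - BHO: (no name) - {2A07232B-6B4C-46DF-B342-03189E5CB315} - C:\WINDOWS\system32\fccArsTK.dll (file missing)
O2 - BHO: (no name) - {3CA60057-9277-49C0-8D64-280DBAD9C3E1} - C:\WINDOWS\system32\byXQGxXq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: {a7ca707b-5d87-cdcb-daf4-0bcbdfc91258} - {85219cfd-bcb0-4fad-bcdc-78d5b707ac7a} - C:\WINDOWS\system32\nmbevgmi.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [b0e896b3] rundll32.exe "C:\WINDOWS\system32\tmukjwym.dll",b
O4 - HKLM\..\Run: [BMb3dba52f] Rundll32.exe "C:\WINDOWS\system32\ebahleof.dll",s
O20 - Winlogon Notify: byXQGxXq - C:\WINDOWS\SYSTEM32\byXQGxXq.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

ENTRY_RE = re.compile(r"^(?P<code>O\d+) - (?P<body>.+)$")
# A Windows path ending in .dll/.exe; directory names may contain spaces.
PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\\\n"]+\\)*[^\\\n"]+?\.(?:dll|exe)', re.IGNORECASE)
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")
HEX8_RE = re.compile(r"[0-9a-f]{8}", re.IGNORECASE)
GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.IGNORECASE)


def score_entry(line):
    """Describe one HijackThis O-entry with a score and reasons; None for other lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    paths = PATH_RE.findall(body)
    path = paths[-1] if paths else None  # the module actually loaded is the last path
    reasons = []

    if "(file missing)" in body:
        reasons.append("registry entry points at a file that is no longer on disk")

    if code == "O2":
        name = body.split(" - ")[0]
        name = name[5:] if name.startswith("BHO: ") else name
        if name == "(no name)" or GUID_RE.match(name):
            reasons.append("BHO has no meaningful display name")

    if code == "O4":
        run_name = RUN_NAME_RE.search(body)
        if run_name and HEX8_RE.search(run_name.group("name")):
            reasons.append("Run value name contains a random-looking hex string")
        if path and re.search(r"rundll32\.exe", body, re.IGNORECASE) and "\\system32\\" in path.lower():
            reasons.append("rundll32 loads a system32 DLL at every logon")

    if code == "O20":
        reasons.append("Winlogon Notify package is loaded into winlogon.exe")

    if path:
        in_system32 = "\\system32\\" in path.lower()
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        # Generated names in this family are 8 letters, often with odd capitalisation.
        if in_system32 and re.fullmatch(r"[A-Za-z]{8}", stem):
            reasons.append("8-letter alphabetic file name in system32, typical of generated names")
        if in_system32 and any(c.isupper() for c in stem[1:]) and any(c.islower() for c in stem):
            reasons.append("oddly mixed-case file name in system32")

    return {"code": code, "path": path, "score": len(reasons),
            "reasons": reasons, "line": line.strip()}


def triage(log_text, threshold=2):
    """Entries scoring at or above `threshold`, highest score first."""
    entries = (score_entry(line) for line in log_text.splitlines())
    hits = [e for e in entries if e and e["score"] >= threshold]
    return sorted(hits, key=lambda e: -e["score"])


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit['score']}] {hit['line']}")
        for reason in hit["reasons"]:
            print(f"      - {reason}")
```

Run as-is it lists the five Vundo DLLs from the log (byXQGxXq.dll twice, once as a BHO and once as a Winlogon Notify package) and leaves the CA, Java and Lexmark entries at score 0. The threshold of 2 is deliberate: a single signal such as "mixed-case name in system32" or "Winlogon Notify" will also fire on legitimate security software (the CA HIPS package in the registry dump above is one such case), so one reason alone is not enough to surface an entry.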



#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:09:34 PM

Posted 23 June 2008 - 04:34 PM

Hello Deadlydiva and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users !).
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference

#3 deadlydiva

deadlydiva
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:34 PM

Posted 23 June 2008 - 06:56 PM

Please don't beat me!! I can't get to my MBAM log. (I realize now I should have saved it before I ran ComboFix.) I tried to open the program to go to the log tab, but I keep getting a runtime error.

Here are the other logs:

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:38 PM, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {2A07232B-6B4C-46DF-B342-03189E5CB315} - C:\WINDOWS\system32\fccArsTK.dll (file missing)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: {ba0758d7-8f52-3ef9-24a4-517ba2ef4885} - {5884fe2a-b715-4a42-9fe3-25f87d8570ab} - C:\WINDOWS\system32\cfoywnye.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {B50CDC52-BA39-4DA3-A788-70BD89F4E7D4} - C:\WINDOWS\system32\ljJBuuvu.dll (file missing)
O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [BMb3dba52f] Rundll32.exe "C:\WINDOWS\system32\xetgmmhd.dll",s
O4 - HKLM\..\Run: [b0e896b3] rundll32.exe "C:\WINDOWS\system32\glivvxea.dll",b
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 6379 bytes


COMBOFIX

ComboFix 08-06-20.4 - Mea S 2008-06-23 19:26:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.64 [GMT -4:00]
Running from: C:\Documents and Settings\Mea S\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMb3dba52f.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\byXQGxXq.dll
C:\WINDOWS\system32\cdekrtnl.ini
C:\WINDOWS\system32\cpnjvvtg.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\EdNnnnpo.ini
C:\WINDOWS\system32\gogvmdwy.dll
C:\WINDOWS\system32\jngyeggu.ini
C:\WINDOWS\system32\KTsrAccf.ini
C:\WINDOWS\system32\KTsrAccf.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\opnnnNdE.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\qnwrjpgs.ini
C:\WINDOWS\system32\swbmprga.ini
C:\WINDOWS\system32\ulmjnous.ini
C:\WINDOWS\system32\uvuuBJjl.ini
C:\WINDOWS\system32\uvuuBJjl.ini2
C:\WINDOWS\system32\xmcdqrkx.ini
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-23 to 2008-06-23 )))))))))))))))))))))))))))))))
.

2008-06-23 18:18 . 2008-06-23 18:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-23 18:18 . 2008-06-23 18:18 <DIR> d-------- C:\Documents and Settings\Mea S\Application Data\Malwarebytes
2008-06-23 18:18 . 2008-06-23 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-23 18:18 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-23 18:18 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-22 21:00 . 2008-06-23 18:40 80,384 --------- C:\WINDOWS\system32\glivvxea.dll
2008-06-22 20:59 . 2008-06-22 20:59 99,328 --a------ C:\WINDOWS\system32\cfoywnye.dll
2008-06-22 20:59 . 2008-06-23 18:40 90,624 --------- C:\WINDOWS\system32\xetgmmhd.dll
2008-06-22 16:31 . 2008-06-22 16:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-22 09:03 . 2008-06-22 09:03 <DIR> d-------- C:\Documents and Settings\Mea S\Application Data\Spybot - Search & Destroy
2008-06-21 19:36 . 2008-06-21 19:36 99,328 --a------ C:\WINDOWS\system32\nmbevgmi.dll
2008-06-21 19:35 . 2008-06-21 19:35 90,112 --a------ C:\WINDOWS\system32\ebahleof.dll
2008-06-21 10:14 . 2008-06-21 11:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-21 09:53 . 2008-06-21 09:53 <DIR> d-------- C:\WINDOWS\Sun
2008-06-21 09:01 . 2008-06-21 09:01 <DIR> d-------- C:\Deckard
2008-06-20 21:26 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-20 21:06 . 2008-06-20 21:25 <DIR> d-------- C:\Program Files\Java
2008-06-20 21:05 . 2008-06-20 21:05 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-20 19:33 . 2008-06-20 19:33 99,328 --a------ C:\WINDOWS\system32\tgkcvobb.dll
2008-06-20 19:33 . 2008-06-20 19:33 90,624 --a------ C:\WINDOWS\system32\ujqriflf.dll
2008-06-18 07:23 . 2008-06-18 07:23 <DIR> d-------- C:\Documents and Settings\Mea S\Application Data\PCF-VLC
2008-06-17 19:48 . 2008-06-17 19:48 <DIR> d-------- C:\Documents and Settings\Mea S\Application Data\Participatory Culture Foundation
2008-06-17 18:39 . 2008-06-23 19:12 262 --a------ C:\WINDOWS\lexstat.ini
2008-06-17 18:35 . 2008-06-17 18:35 <DIR> d-------- C:\Program Files\Lexmark Z700-P700 Series
2008-06-17 18:34 . 2002-07-19 07:10 983,101 --a------ C:\WINDOWS\system32\LXBLGF.DLL
2008-06-17 18:34 . 2003-03-26 10:27 544,768 --a------ C:\WINDOWS\system32\LXBLLSNT.EXE
2008-06-17 18:34 . 2003-03-26 10:24 286,720 --a------ C:\WINDOWS\system32\LXBLPMNT.DLL
2008-06-17 18:34 . 2003-03-26 10:25 217,088 --a------ C:\WINDOWS\system32\LXBLLCNT.DLL
2008-06-17 18:34 . 2003-03-26 10:22 126,976 --a------ C:\WINDOWS\system32\LXBLCFG.EXE
2008-06-17 18:34 . 2003-09-09 23:11 90,112 --a------ C:\WINDOWS\system32\LXBLCUR.DLL
2008-06-17 18:34 . 2003-03-26 10:19 77,824 --a------ C:\WINDOWS\system32\LXBLLCNP.DLL
2008-06-17 18:34 . 2003-09-09 23:24 69,632 --a------ C:\WINDOWS\system32\LXBLCU.DLL
2008-06-17 18:34 . 2001-01-19 11:50 40,960 --a------ C:\WINDOWS\system32\INSTMON.EXE
2008-06-17 18:33 . 1997-04-08 20:08 299,520 --a------ C:\WINDOWS\uninst.exe
2008-06-17 18:30 . 2008-06-17 18:30 <DIR> d-------- C:\Documents and Settings\Mea S\WINDOWS
2008-06-17 18:11 . 2008-06-17 18:11 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-17 14:54 . 2008-06-17 14:58 1,014 --ahs---- C:\WINDOWS\system32\mqegxsri.ini
2008-06-16 12:13 . 2008-06-16 12:20 <DIR> d-------- C:\Documents and Settings\Angela
2008-06-13 20:41 . 2008-06-13 20:41 <DIR> d-------- C:\Program Files\ReadMe_files
2008-06-13 20:41 . 2008-06-13 20:42 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-06-13 20:30 . 2008-06-13 20:30 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-13 07:50 . 2008-06-13 07:54 0 --a------ C:\WINDOWS\system32\jngyeggu.tmp
2008-06-13 07:44 . 2008-06-13 07:46 153 --a------ C:\WINDOWS\wininit.ini
2008-06-12 20:07 . 2008-06-22 16:43 <DIR> d-------- C:\WINDOWS\CAVTemp
2008-06-12 19:17 . 2008-06-12 19:17 <DIR> d-------- C:\Documents and Settings\Mea S\Application Data\vlc
2008-06-11 18:21 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 18:21 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 18:04 . 2008-06-10 18:04 1,160 --a------ C:\WINDOWS\mozver.dat
2008-06-09 20:19 . 2008-06-16 19:42 <DIR> d-------- C:\Program Files\Semagic
2008-06-09 03:02 . 2008-06-09 03:02 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-06-08 21:13 . 2006-02-28 08:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-06-08 21:12 . 2006-02-28 08:00 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll
2008-06-08 21:11 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2008-06-08 11:17 . 2008-06-08 11:17 2,422 --a------ C:\WINDOWS\system32\wpa.bak
2008-06-08 09:11 . 2008-06-23 19:31 88,702 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2008-06-08 09:11 . 2008-06-23 19:31 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2008-06-08 09:11 . 2008-06-23 19:31 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2008-06-08 09:11 . 2008-06-23 19:31 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2008-06-08 09:11 . 2008-06-23 19:31 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2008-06-08 09:11 . 2008-06-23 19:31 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2008-06-08 09:11 . 2008-06-23 19:31 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2008-06-08 09:11 . 2008-06-23 19:31 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2008-06-08 08:53 . 2008-06-08 08:53 188,416 --a------ C:\WINDOWS\xnetsurf.exe
2008-06-08 08:52 . 2008-06-08 08:52 <DIR> d-------- C:\SCCache
2008-06-08 08:52 . 2008-06-08 09:24 <DIR> d-------- C:\Program Files\Optimum Online
2008-06-08 08:52 . 2008-06-08 08:52 0 --a------ C:\SoftCast.ini
2008-06-08 08:52 . 2008-06-08 08:52 0 --a------ C:\SoftCast.fl
2008-06-08 08:50 . 2008-06-08 08:50 790,528 --a------ C:\setup32.exe
2008-06-08 08:50 . 2008-06-08 08:50 458,752 --a------ C:\Dist32.dll
2008-06-08 08:50 . 2008-06-08 08:50 344,064 --a------ C:\Yampa.exe
2008-06-08 08:50 . 2008-06-08 08:50 135,168 --a------ C:\DHCPD.exe
2008-06-08 08:50 . 2008-06-08 08:50 45,056 --a------ C:\NetUtils.dll
2008-06-08 08:50 . 2008-06-08 08:50 67 --a------ C:\ns_info.ini
2008-06-08 00:05 . 2008-06-21 19:56 <DIR> d-------- C:\Downloads
2008-06-08 00:05 . 2008-06-08 00:05 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2008-06-08 00:04 . 2008-06-08 00:10 <DIR> d-------- C:\Program Files\BitComet
2008-06-08 00:03 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-06-07 19:07 . 2004-08-03 18:59 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-06-07 19:07 . 2001-08-17 08:13 27,165 --a------ C:\WINDOWS\system32\drivers\fetnd5.sys
2008-06-07 19:06 . 2004-08-03 18:41 1,041,536 --a------ C:\WINDOWS\system32\drivers\HSFDPSP2.sys
2008-06-07 19:06 . 2004-08-03 18:41 685,056 --a------ C:\WINDOWS\system32\drivers\HSFCXTS2.sys
2008-06-07 19:06 . 2004-08-03 18:41 220,032 --a------ C:\WINDOWS\system32\drivers\HSFBS2S2.sys
2008-06-07 19:06 . 2004-07-17 18:55 129,045 --a------ C:\WINDOWS\system32\drivers\cxthsfS2.cty
2008-06-07 19:06 . 2004-08-03 20:56 86,016 --a------ C:\WINDOWS\system32\mdmxsdk.dll
2008-06-07 19:06 . 2004-08-03 20:56 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2008-06-07 19:06 . 2004-08-03 19:07 44,672 --a------ C:\WINDOWS\system32\drivers\UAGP35.SYS
2008-06-07 19:06 . 2004-08-03 20:56 32,285 --a------ C:\WINDOWS\system32\HSFCISP2.dll
2008-06-07 19:06 . 2004-08-03 18:41 11,868 --a------ C:\WINDOWS\system32\drivers\mdmxsdk.sys
2008-06-07 19:04 . 2008-06-23 19:33 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-06-07 19:04 . 2008-06-07 23:14 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2008-06-07 19:03 . 2008-06-07 23:26 <DIR> d--h----- C:\Documents and Settings\Default User
2008-06-07 19:03 . 2008-06-07 23:16 <DIR> d-------- C:\Documents and Settings\All Users
2008-06-07 19:03 . 2008-06-16 12:13 <DIR> d-------- C:\Documents and Settings
2008-06-07 19:03 . 2008-06-07 23:22 261 --a------ C:\WINDOWS\system32\$winnt$.inf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 13:20 --------- d-----w C:\Documents and Settings\Mea S\Application Data\CallingID
2008-06-21 15:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-14 00:32 91,376 ----a-w C:\WINDOWS\system32\isafprod.dll
2008-06-14 00:32 32,240 ----a-w C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-06-14 00:32 26,352 ----a-w C:\WINDOWS\system32\drivers\vet-filt.sys
2008-06-14 00:32 21,488 ----a-w C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-06-14 00:32 21,104 ----a-w C:\WINDOWS\system32\drivers\vet-rec.sys
2008-06-08 04:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-08 04:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2008-06-08 03:59 880,560 ----a-w C:\WINDOWS\system32\drivers\vetefile.sys
2008-06-08 03:59 108,368 ----a-w C:\WINDOWS\system32\drivers\veteboot.sys
2008-06-08 03:58 --------- d-----w C:\Program Files\VideoLAN
2008-06-08 03:51 --------- d-----w C:\Program Files\Common Files\Scanner
2008-06-08 03:51 --------- d-----w C:\Program Files\CA
2008-06-08 03:48 --------- d-----w C:\Documents and Settings\Mea S\Application Data\GetRightToGo
2008-06-08 03:40 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-08 03:18 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2001-10-19 18:20 586 ----a-w C:\Program Files\layout.bin
2001-10-19 18:20 57,009 ----a-w C:\Program Files\data1.hdr
2001-10-19 18:20 516 ----a-w C:\Program Files\Setup.ini
2001-10-19 18:20 138,898 ----a-w C:\Program Files\setup.inx
2001-10-19 18:20 1,595,778 ----a-w C:\Program Files\data1.cab
2001-10-19 18:20 1,160,954 ----a-w C:\Program Files\data2.cab
2001-10-19 16:26 61,440 ----a-w C:\Program Files\IvSetup.exe
2001-10-18 03:56 1,664 ----a-w C:\Program Files\default.rge
2001-10-15 20:21 19,471 ----a-w C:\Program Files\ReadMe.html
2001-10-14 16:33 12,840 ----a-w C:\Program Files\bkground.bmp
2001-09-19 15:29 1,138 ----a-w C:\Program Files\default.ini
2001-09-14 23:06 420,056 ----a-w C:\Program Files\Setup.bmp
2001-09-14 12:49 13,072 ----a-w C:\Program Files\license.txt
2001-09-05 08:24 344,923 ----a-w C:\Program Files\ikernel.ex_
2001-07-02 23:07 4,176 ----a-w C:\Program Files\icon.bmp
.

------- Sigcheck -------

2005-03-01 20:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 05:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2006-02-28 08:00 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 20:34 2056832 81013f36b21c7f72cf784cc6731e0002 C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 04:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2007-02-28 04:38 2057600 0f015590507c839158aab354630f17a2 C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 04:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A07232B-6B4C-46DF-B342-03189E5CB315}]
C:\WINDOWS\system32\fccArsTK.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5884fe2a-b715-4a42-9fe3-25f87d8570ab}]
2008-06-22 20:59 99328 --a------ C:\WINDOWS\system32\cfoywnye.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B50CDC52-BA39-4DA3-A788-70BD89F4E7D4}]
C:\WINDOWS\system32\ljJBuuvu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-06-07 23:59 181512]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-06-13 20:31 234736]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe" [2008-06-07 23:52 14088]
"cafw"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-04-04 15:46 771336]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-04-04 15:46 173320]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-04-04 15:46 259336]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 08:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 08:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 08:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 08:00 455168]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"BMb3dba52f"="C:\WINDOWS\system32\xetgmmhd.dll" [2008-06-23 18:40 90624]
"b0e896b3"="C:\WINDOWS\system32\glivvxea.dll" [2008-06-23 18:40 80384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\LinkAdvisor\CIDLinkAdvisor.dll [2007-10-15 21:40 1373624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 13:30 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15811:TCP"= 15811:TCP:BitComet 15811 TCP
"15811:UDP"= 15811:UDP:BitComet 15811 UDP

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-10-18 10:24]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-05-18 13:30]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-05-18 13:30]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-10-18 14:21]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-10-18 10:24]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-11-02 12:09]
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-10-18 10:24]
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2007-10-18 10:24]
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2007-05-18 13:30]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-09-13 15:15]
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2008-04-10 10:39]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-23 19:34:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
.
**************************************************************************
.
Completion time: 2008-06-23 19:38:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-23 23:37:22

Pre-Run: 75,141,210,112 bytes free
Post-Run: 75,116,818,432 bytes free

257 --- E O F --- 2008-06-20 22:58:35

#4 Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 24 June 2008 - 12:24 PM

Hello Deadlydiva,

I'm not in the habit of beating someone. :thumbsup:

Let's clean up some more :

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty notepad window:

http://www.bleepingcomputer.com/forums/t/153694/virtumonde-automatic-update-problems/
Collect::[9]
C:\WINDOWS\system32\glivvxea.dll
C:\WINDOWS\system32\cfoywnye.dll
C:\WINDOWS\system32\xetgmmhd.dll
C:\WINDOWS\system32\nmbevgmi.dll
C:\WINDOWS\system32\ebahleof.dll
File::
C:\WINDOWS\system32\tgkcvobb.dll
C:\WINDOWS\system32\ujqriflf.dll
C:\WINDOWS\system32\mqegxsri.ini
C:\WINDOWS\system32\jngyeggu.tmp
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A07232B-6B4C-46DF-B342-03189E5CB315}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5884fe2a-b715-4a42-9fe3-25f87d8570ab}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B50CDC52-BA39-4DA3-A788-70BD89F4E7D4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMb3dba52f"=-
"b0e896b3"=-

Save this as a text file called CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open.
Simply follow the instructions to copy/paste/send the requested file [9]-Submit_Date_Time.zip.

Are you still having problems ?

Greetings,
Thunder
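
As an added triage example (not from this thread, and not part of HijackThis or ComboFix), the script below applies the pattern Thunder acted on in the logs above to HijackThis O2/O4 lines: unnamed or CLSID-named BHOs and rundll32 Run entries that load 8-letter DLLs dropped in system32. It then drafts the File:: and Registry:: sections of a CFScript in the same layout as the one posted above. The heuristics are assumptions drawn from this log, not a vendor signature, and the sample lines are excerpted from the HijackThis log posted earlier in the thread with a few clean entries kept for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample: entries excerpted from the HijackThis log posted above,
# with clean entries (BitComet, Java, cctray) left in for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {2A07232B-6B4C-46DF-B342-03189E5CB315} - C:\WINDOWS\system32\fccArsTK.dll (file missing)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: {ba0758d7-8f52-3ef9-24a4-517ba2ef4885} - {5884fe2a-b715-4a42-9fe3-25f87d8570ab} - C:\WINDOWS\system32\cfoywnye.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {B50CDC52-BA39-4DA3-A788-70BD89F4E7D4} - C:\WINDOWS\system32\ljJBuuvu.dll (file missing)
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [BMb3dba52f] Rundll32.exe "C:\WINDOWS\system32\xetgmmhd.dll",s
O4 - HKLM\..\Run: [b0e896b3] rundll32.exe "C:\WINDOWS\system32\glivvxea.dll",b
""".strip()

# Thunder's CFScript starts with the topic URL; reused here as the first line.
TOPIC_URL = "http://www.bleepingcomputer.com/forums/t/153694/virtumonde-automatic-update-problems/"

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?', re.IGNORECASE)
# Assumed traits of the DLLs removed in this thread: 8 alphabetic characters, in system32.
RANDOM_SYS32_DLL = re.compile(r"^C:\\WINDOWS\\system32\\[A-Za-z]{8}\.dll$", re.IGNORECASE)
CLSID_LIKE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
HEX_VALUE_NAME = re.compile(r"^(BM)?[0-9a-f]{8}$", re.IGNORECASE)
RUN_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"


@dataclass
class Finding:
    kind: str        # "O2" (BHO) or "O4" (Run value)
    path: str        # DLL the entry loads
    missing: bool    # HijackThis reported "(file missing)"
    reasons: list    # human-readable clues that triggered the flag
    registry: str    # CFScript Registry:: fragment that removes the loading point


def check_bho(m):
    reasons = []
    if m["name"] == "(no name)" or CLSID_LIKE.match(m["name"]):
        reasons.append("unnamed or CLSID-named BHO")
    if m["missing"]:
        reasons.append("registered but file missing")
    # The random system32 DLL is the core signal; require one more clue so a
    # properly named BHO that happens to have a short DLL name is not flagged.
    if RANDOM_SYS32_DLL.match(m["path"]) and reasons:
        reasons.insert(0, "8-letter random DLL in system32")
        key = r"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\%s]" % m["clsid"]
        return Finding("O2", m["path"], bool(m["missing"]), reasons, key)
    return None


def check_run(m):
    d = RUNDLL_RE.search(m["cmd"])
    if not d or not RANDOM_SYS32_DLL.match(d["dll"]):
        return None
    reasons = ["rundll32 loading 8-letter random DLL in system32"]
    if HEX_VALUE_NAME.match(m["value"]):
        reasons.append("hex-looking Run value name")
    return Finding("O4", d["dll"], False, reasons, '"%s"=-' % m["value"])


def analyse(log_text):
    """Scan the O2/O4 lines of a HijackThis log and return the suspicious ones."""
    findings = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        f = check_bho(m) if m else None
        if f is None:
            m = RUN_RE.match(line)
            f = check_run(m) if m else None
        if f:
            findings.append(f)
    return findings


def build_cfscript(findings, topic_url=TOPIC_URL):
    """Draft File:: and Registry:: sections in the layout of the script posted above."""
    present = sorted({f.path for f in findings if not f.missing})  # nothing to delete if missing
    lines = [topic_url, "File::", *present, "Registry::"]
    lines += [f.registry for f in findings if f.kind == "O2"]
    run_values = [f.registry for f in findings if f.kind == "O4"]
    if run_values:
        lines += [RUN_KEY, *run_values]
    return "\n".join(lines)


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind} {f.path}: {'; '.join(f.reasons)}")
    print()
    print(build_cfscript(found))
```

The draft is a starting point for a helper to review against the ComboFix log (Thunder's own script also put the currently loaded DLLs under Collect:: for submission); it is not meant to be run as generated.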

#5 deadlydiva
  • Topic Starter
  • Members
  • 5 posts

Posted 24 June 2008 - 05:53 PM

One quick question before I start --

What am I supposed to do with this file: [9]-Submit_Date_Time.zip?

#6 Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 24 June 2008 - 06:07 PM

Hello Deadlydiva,

Ensure you are connected to the internet and click OK on the message box. A browser will open.
Simply follow the instructions to copy/paste/send the requested file [9]-Submit_Date_Time.zip.


If that doesn't work for you, you can upload the zipped file to :

http://www.bleepingcomputer.com/submit-malware.php?channel=9

How?
1. In the first window (Link to topic where this file was requested:) copy and paste this link: http://www.bleepingcomputer.com/forums/t/153694/virtumonde-automatic-update-problems/
2. In the second window (Browse to the file you want to submit:) browse to the [9]-Submit_Date_Time.zip file
3. Click the Send file button :thumbsup:
Greetings,
Thunder

#7 deadlydiva
  • Topic Starter
  • Members
  • 5 posts

Posted 24 June 2008 - 07:31 PM

Hey there,

Thanks for your continued patience. My PC is running better. I just want to make sure that she's as clean as can be. I uploaded the file and here are the logs.

COMBOFIX

ComboFix 08-06-20.4 - Mea S 2008-06-24 20:08:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.52 [GMT -4:00]
Running from: C:\Documents and Settings\Mea S\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mea S\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\jngyeggu.tmp
C:\WINDOWS\system32\mqegxsri.ini
C:\WINDOWS\system32\tgkcvobb.dll
C:\WINDOWS\system32\ujqriflf.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cfoywnye.dll
C:\WINDOWS\system32\ebahleof.dll
C:\WINDOWS\system32\glivvxea.dll
C:\WINDOWS\system32\jngyeggu.tmp
C:\WINDOWS\system32\mqegxsri.ini
C:\WINDOWS\system32\nmbevgmi.dll
C:\WINDOWS\system32\tgkcvobb.dll
C:\WINDOWS\system32\ujqriflf.dll
C:\WINDOWS\system32\xetgmmhd.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-24 to 2008-06-24 )))))))))))))))))))))))))))))))
.

2008-06-23 18:18 . 2008-06-23 18:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-23 18:18 . 2008-06-23 18:18 <DIR> d-------- C:\Documents and Settings\Mea S\Application Data\Malwarebytes
2008-06-23 18:18 . 2008-06-23 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-23 18:18 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-23 18:18 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-22 16:31 . 2008-06-22 16:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-22 09:03 . 2008-06-22 09:03 <DIR> d-------- C:\Documents and Settings\Mea S\Application Data\Spybot - Search & Destroy
2008-06-21 10:14 . 2008-06-21 11:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-21 09:53 . 2008-06-21 09:53 <DIR> d-------- C:\WINDOWS\Sun
2008-06-21 09:01 . 2008-06-21 09:01 <DIR> d-------- C:\Deckard
2008-06-20 21:26 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-20 21:06 . 2008-06-20 21:25 <DIR> d-------- C:\Program Files\Java
2008-06-20 21:05 . 2008-06-20 21:05 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-18 07:23 . 2008-06-18 07:23 <DIR> d-------- C:\Documents and Settings\Mea S\Application Data\PCF-VLC
2008-06-17 19:48 . 2008-06-17 19:48 <DIR> d-------- C:\Documents and Settings\Mea S\Application Data\Participatory Culture Foundation
2008-06-17 18:39 . 2008-06-23 19:12 262 --a------ C:\WINDOWS\lexstat.ini
2008-06-17 18:35 . 2008-06-17 18:35 <DIR> d-------- C:\Program Files\Lexmark Z700-P700 Series
2008-06-17 18:34 . 2002-07-19 07:10 983,101 --a------ C:\WINDOWS\system32\LXBLGF.DLL
2008-06-17 18:34 . 2003-03-26 10:27 544,768 --a------ C:\WINDOWS\system32\LXBLLSNT.EXE
2008-06-17 18:34 . 2003-03-26 10:24 286,720 --a------ C:\WINDOWS\system32\LXBLPMNT.DLL
2008-06-17 18:34 . 2003-03-26 10:25 217,088 --a------ C:\WINDOWS\system32\LXBLLCNT.DLL
2008-06-17 18:34 . 2003-03-26 10:22 126,976 --a------ C:\WINDOWS\system32\LXBLCFG.EXE
2008-06-17 18:34 . 2003-09-09 23:11 90,112 --a------ C:\WINDOWS\system32\LXBLCUR.DLL
2008-06-17 18:34 . 2003-03-26 10:19 77,824 --a------ C:\WINDOWS\system32\LXBLLCNP.DLL
2008-06-17 18:34 . 2003-09-09 23:24 69,632 --a------ C:\WINDOWS\system32\LXBLCU.DLL
2008-06-17 18:34 . 2001-01-19 11:50 40,960 --a------ C:\WINDOWS\system32\INSTMON.EXE
2008-06-17 18:33 . 1997-04-08 20:08 299,520 --a------ C:\WINDOWS\uninst.exe
2008-06-17 18:30 . 2008-06-17 18:30 <DIR> d-------- C:\Documents and Settings\Mea S\WINDOWS
2008-06-17 18:11 . 2008-06-17 18:11 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-16 12:13 . 2008-06-16 12:20 <DIR> d-------- C:\Documents and Settings\Angela
2008-06-13 20:41 . 2008-06-13 20:41 <DIR> d-------- C:\Program Files\ReadMe_files
2008-06-13 20:41 . 2008-06-13 20:42 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-06-13 20:30 . 2008-06-13 20:30 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-13 07:44 . 2008-06-13 07:46 153 --a------ C:\WINDOWS\wininit.ini
2008-06-12 20:07 . 2008-06-22 16:43 <DIR> d-------- C:\WINDOWS\CAVTemp
2008-06-12 19:17 . 2008-06-12 19:17 <DIR> d-------- C:\Documents and Settings\Mea S\Application Data\vlc
2008-06-11 18:21 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 18:21 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 18:04 . 2008-06-10 18:04 1,160 --a------ C:\WINDOWS\mozver.dat
2008-06-09 20:19 . 2008-06-23 21:10 <DIR> d-------- C:\Program Files\Semagic
2008-06-09 03:02 . 2008-06-09 03:02 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-06-08 21:13 . 2006-02-28 08:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-06-08 21:12 . 2006-02-28 08:00 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll
2008-06-08 21:11 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2008-06-08 11:17 . 2008-06-08 11:17 2,422 --a------ C:\WINDOWS\system32\wpa.bak
2008-06-08 09:11 . 2008-06-23 19:31 88,702 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2008-06-08 09:11 . 2008-06-23 19:31 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2008-06-08 09:11 . 2008-06-23 19:31 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2008-06-08 09:11 . 2008-06-23 19:31 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2008-06-08 09:11 . 2008-06-23 19:31 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2008-06-08 09:11 . 2008-06-23 19:31 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2008-06-08 09:11 . 2008-06-23 19:31 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2008-06-08 09:11 . 2008-06-23 19:31 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2008-06-08 08:53 . 2008-06-08 08:53 188,416 --a------ C:\WINDOWS\xnetsurf.exe
2008-06-08 08:52 . 2008-06-08 08:52 <DIR> d-------- C:\SCCache
2008-06-08 08:52 . 2008-06-08 09:24 <DIR> d-------- C:\Program Files\Optimum Online
2008-06-08 08:52 . 2008-06-08 08:52 0 --a------ C:\SoftCast.ini
2008-06-08 08:52 . 2008-06-08 08:52 0 --a------ C:\SoftCast.fl
2008-06-08 08:50 . 2008-06-08 08:50 790,528 --a------ C:\setup32.exe
2008-06-08 08:50 . 2008-06-08 08:50 458,752 --a------ C:\Dist32.dll
2008-06-08 08:50 . 2008-06-08 08:50 344,064 --a------ C:\Yampa.exe
2008-06-08 08:50 . 2008-06-08 08:50 135,168 --a------ C:\DHCPD.exe
2008-06-08 08:50 . 2008-06-08 08:50 45,056 --a------ C:\NetUtils.dll
2008-06-08 08:50 . 2008-06-08 08:50 67 --a------ C:\ns_info.ini
2008-06-08 00:05 . 2008-06-21 19:56 <DIR> d-------- C:\Downloads
2008-06-08 00:05 . 2008-06-08 00:05 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2008-06-08 00:04 . 2008-06-08 00:10 <DIR> d-------- C:\Program Files\BitComet
2008-06-08 00:03 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-06-07 19:07 . 2004-08-03 18:59 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-06-07 19:07 . 2001-08-17 08:13 27,165 --a------ C:\WINDOWS\system32\drivers\fetnd5.sys
2008-06-07 19:06 . 2004-08-03 18:41 1,041,536 --a------ C:\WINDOWS\system32\drivers\HSFDPSP2.sys
2008-06-07 19:06 . 2004-08-03 18:41 685,056 --a------ C:\WINDOWS\system32\drivers\HSFCXTS2.sys
2008-06-07 19:06 . 2004-08-03 18:41 220,032 --a------ C:\WINDOWS\system32\drivers\HSFBS2S2.sys
2008-06-07 19:06 . 2004-07-17 18:55 129,045 --a------ C:\WINDOWS\system32\drivers\cxthsfS2.cty
2008-06-07 19:06 . 2004-08-03 20:56 86,016 --a------ C:\WINDOWS\system32\mdmxsdk.dll
2008-06-07 19:06 . 2004-08-03 20:56 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2008-06-07 19:06 . 2004-08-03 19:07 44,672 --a------ C:\WINDOWS\system32\drivers\UAGP35.SYS
2008-06-07 19:06 . 2004-08-03 20:56 32,285 --a------ C:\WINDOWS\system32\HSFCISP2.dll
2008-06-07 19:06 . 2004-08-03 18:41 11,868 --a------ C:\WINDOWS\system32\drivers\mdmxsdk.sys
2008-06-07 19:04 . 2008-06-23 19:33 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-06-07 19:04 . 2008-06-07 23:14 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2008-06-07 19:03 . 2008-06-07 23:26 <DIR> d--h----- C:\Documents and Settings\Default User
2008-06-07 19:03 . 2008-06-07 23:16 <DIR> d-------- C:\Documents and Settings\All Users
2008-06-07 19:03 . 2008-06-16 12:13 <DIR> d-------- C:\Documents and Settings
2008-06-07 19:03 . 2008-06-07 23:22 261 --a------ C:\WINDOWS\system32\$winnt$.inf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 13:20 --------- d-----w C:\Documents and Settings\Mea S\Application Data\CallingID
2008-06-21 15:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-14 00:32 91,376 ----a-w C:\WINDOWS\system32\isafprod.dll
2008-06-14 00:32 32,240 ----a-w C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-06-14 00:32 26,352 ----a-w C:\WINDOWS\system32\drivers\vet-filt.sys
2008-06-14 00:32 21,488 ----a-w C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-06-14 00:32 21,104 ----a-w C:\WINDOWS\system32\drivers\vet-rec.sys
2008-06-08 04:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-08 04:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2008-06-08 03:59 880,560 ----a-w C:\WINDOWS\system32\drivers\vetefile.sys
2008-06-08 03:59 108,368 ----a-w C:\WINDOWS\system32\drivers\veteboot.sys
2008-06-08 03:58 --------- d-----w C:\Program Files\VideoLAN
2008-06-08 03:51 --------- d-----w C:\Program Files\Common Files\Scanner
2008-06-08 03:51 --------- d-----w C:\Program Files\CA
2008-06-08 03:48 --------- d-----w C:\Documents and Settings\Mea S\Application Data\GetRightToGo
2008-06-08 03:40 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-08 03:18 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2001-10-19 18:20 586 ----a-w C:\Program Files\layout.bin
2001-10-19 18:20 57,009 ----a-w C:\Program Files\data1.hdr
2001-10-19 18:20 516 ----a-w C:\Program Files\Setup.ini
2001-10-19 18:20 138,898 ----a-w C:\Program Files\setup.inx
2001-10-19 18:20 1,595,778 ----a-w C:\Program Files\data1.cab
2001-10-19 18:20 1,160,954 ----a-w C:\Program Files\data2.cab
2001-10-19 16:26 61,440 ----a-w C:\Program Files\IvSetup.exe
2001-10-18 03:56 1,664 ----a-w C:\Program Files\default.rge
2001-10-15 20:21 19,471 ----a-w C:\Program Files\ReadMe.html
2001-10-14 16:33 12,840 ----a-w C:\Program Files\bkground.bmp
2001-09-19 15:29 1,138 ----a-w C:\Program Files\default.ini
2001-09-14 23:06 420,056 ----a-w C:\Program Files\Setup.bmp
2001-09-14 12:49 13,072 ----a-w C:\Program Files\license.txt
2001-09-05 08:24 344,923 ----a-w C:\Program Files\ikernel.ex_
2001-07-02 23:07 4,176 ----a-w C:\Program Files\icon.bmp
.

------- Sigcheck -------

2005-03-01 20:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 05:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2006-02-28 08:00 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 20:34 2056832 81013f36b21c7f72cf784cc6731e0002 C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 04:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2007-02-28 04:38 2057600 0f015590507c839158aab354630f17a2 C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 04:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-06-07 23:59 181512]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-06-13 20:31 234736]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe" [2008-06-07 23:52 14088]
"cafw"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-04-04 15:46 771336]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-04-04 15:46 173320]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-04-04 15:46 259336]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 08:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 08:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 08:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 08:00 455168]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\LinkAdvisor\CIDLinkAdvisor.dll [2007-10-15 21:40 1373624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 13:30 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15811:TCP"= 15811:TCP:BitComet 15811 TCP
"15811:UDP"= 15811:UDP:BitComet 15811 UDP

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-10-18 10:24]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-05-18 13:30]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-05-18 13:30]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-10-18 14:21]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-10-18 10:24]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-11-02 12:09]
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-10-18 10:24]
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2007-10-18 10:24]
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2007-05-18 13:30]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-09-13 15:15]
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2008-04-10 10:39]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-24 20:18:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-24 20:21:47
ComboFix-quarantined-files.txt 2008-06-25 00:21:17
ComboFix2.txt 2008-06-23 23:38:39

Pre-Run: 75,063,996,416 bytes free
Post-Run: 75,054,374,912 bytes free

222 --- E O F --- 2008-06-20 22:58:35


HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:48 PM, on 6/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Semagic\LiveJournalU.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\WebsiteInspector\Toolbar\CallingIDIE.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 5864 bytes

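The Sigcheck block in the ComboFix log above lists seven copies of ntkrnlpa.exe with their MD5s; the copy actually loaded from system32 has a different hash from the identically sized, identically dated copies in dllcache and Driver Cache. The parser below is an added example, not part of the original post or of ComboFix, that reads such a block and reports live files whose hash differs from the backup copies Windows File Protection would restore from. The sample input is the seven lines quoted from the log; the rules for what counts as a "live" copy (under system32, outside dllcache) and a "reference" copy (dllcache or Driver Cache) are assumptions about the XP layout, and hotfix uninstall and $hf_mig$ folders are skipped because they hold different builds.

```python
import re
from collections import defaultdict

# Constructed sample input: the seven Sigcheck lines quoted from the ComboFix log above.
SIGCHECK_LOG = r"""
2005-03-01 20:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 05:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2006-02-28 08:00 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 20:34 2056832 81013f36b21c7f72cf784cc6731e0002 C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 04:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2007-02-28 04:38 2057600 0f015590507c839158aab354630f17a2 C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 04:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
"""

# One Sigcheck line: "<date> <time> <size> <md5> <path>"; the path may contain spaces.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) ([0-9a-fA-F]{32}) (.+)$")


def parse_sigcheck(text):
    """Return one dict per well-formed Sigcheck line; anything else is skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        stamp, size, md5, path = m.groups()
        entries.append({
            "timestamp": stamp,
            "size": int(size),
            "md5": md5.lower(),
            "path": path,
            "name": path.rsplit("\\", 1)[-1].lower(),
        })
    return entries


def is_live(entry):
    # Assumed layout: the copy Windows loads lives under system32 but not in dllcache.
    p = entry["path"].lower()
    return "\\system32\\" in p and "\\dllcache\\" not in p


def is_reference(entry):
    # Assumed layout: dllcache and Driver Cache hold the copies WFP restores from.
    # $NtUninstall*/$hf_mig$ folders hold different builds and are ignored on purpose.
    p = entry["path"].lower()
    return "\\dllcache\\" in p or "\\driver cache\\" in p


def find_mismatches(entries):
    """For each binary, compare the live copy's MD5 with every reference copy of the
    same size. Same size but different hash is the pattern worth a second look;
    it is a lead, not proof of tampering."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)

    findings = []
    for name, group in by_name.items():
        live_copies = [e for e in group if is_live(e)]
        refs = [e for e in group if is_reference(e)]
        for live in live_copies:
            differing = [r for r in refs
                         if r["size"] == live["size"] and r["md5"] != live["md5"]]
            if differing:
                findings.append({
                    "name": name,
                    "live_path": live["path"],
                    "live_md5": live["md5"],
                    "references": [(r["path"], r["md5"]) for r in differing],
                })
    return findings


if __name__ == "__main__":
    for f in find_mismatches(parse_sigcheck(SIGCHECK_LOG)):
        print(f"{f['name']}: live {f['live_md5']} ({f['live_path']})")
        for path, md5 in f["references"]:
            print(f"    differs from {md5} ({path})")
```

Run against the quoted block it reports one finding: the system32 ntkrnlpa.exe against both the dllcache and Driver Cache copies. A mismatch of this kind is a lead, not a verdict; confirm it by checking the live file's catalog signature (for instance with Sysinternals sigcheck) before treating it as tampered, and bear in mind that the helper in this thread judged these logs clean.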
#8 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:09:34 PM

Posted 25 June 2008 - 03:32 AM

Hello Deadlydiva,

Your logs look fine now. :thumbsup:

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Any problems left ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference

#9 deadlydiva

  • Topic Starter
  • Members
  • 5 posts
  • Local time:02:34 PM

Posted 25 June 2008 - 05:54 AM

My PC seems back to normal. Thanks for all your help.

Warm regards,

Deadlydiva

#10 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:09:34 PM

Posted 25 June 2008 - 06:52 AM

Glad we could help, Deadlydiva :thumbsup:

Please read this Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.