Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Suspected Virtumonde Infection


  • Please log in to reply
17 replies to this topic

#1 danthedonut

danthedonut

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:23 PM

Posted 27 August 2008 - 09:01 PM

Hi,

Symptoms experienced are the screen background being hijacked with a fake security alert (says virtumonde), and av alerts. Run the two virtumonde removal programs recommended, but they advise virtumonde not found.

Ran Spybot and removed quite a few smitfraud and related viruses.

Can also remove the hijacked desktop background by fixing the following in spybot (gives back access to the display settings), but comes back on restart (Can't find the BMP file to remove it also)

Microsoft.Windows.System: [SBI $D619D565] Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1659004503-1220945662-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage

Microsoft.Windows.System: [SBI $7F8E43F4] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1659004503-1220945662-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage

Ad-adware not reporting anything after some non critical stuff was removed

PANDA LOG

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-08-28 07:09:47
PROTECTIONS: 2
MALWARE: 19
SUSPECTS: 6
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Avira AntiVir PersonalEdition 8.0.1.27 Yes Yes
ESET NOD32 antivirus system 2.70 2.70 Yes No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00063168 spyware/dluca Spyware No 1 Yes No c:\windows\system32\sncntr.exe
00063665 adware/pacimedia Adware No 0 Yes No c:\windows\system32\psoft1.exe
00063665 adware/pacimedia Adware No 0 Yes No c:\windows\system32\psof1.exe
00063665 adware/pacimedia Adware No 0 Yes No c:\windows\system32\ps1.exe
00132710 dialer.xd Dialers No 0 Yes No c:\windows\system32\vbsys2.dll
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Admin\Cookies\admin@atdmt[2].txt
00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\icon_TMP\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\system_backup\Process.exe
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\5adrq7zb.default\cookies.txt[.mediaplex.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\5adrq7zb.default\cookies.txt[.com.com/]
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\5adrq7zb.default\cookies.txt[.xiti.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\5adrq7zb.default\cookies.txt[.apmebf.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\5adrq7zb.default\cookies.txt[.burstnet.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\5adrq7zb.default\cookies.txt[.burstnet.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\5adrq7zb.default\cookies.txt[.burstnet.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Admin\Cookies\admin@serving-sys[1].txt
00168095 Cookie/888 TrackingCookie No 0 Yes No C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\5adrq7zb.default\cookies.txt[.888.com/]
00168095 Cookie/888 TrackingCookie No 0 Yes No C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\5adrq7zb.default\cookies.txt[.888.com/]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\5adrq7zb.default\cookies.txt[server.iad.liveperson.net/]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\5adrq7zb.default\cookies.txt[server.iad.liveperson.net/]
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\5adrq7zb.default\cookies.txt[statse.webtrendslive.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Admin\Cookies\admin@ads.pointroll[2].txt
00194066 Application/Pskill.E HackTools No 0 Yes No C:\WINDOWS\system32\pskill.exe
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\5adrq7zb.default\cookies.txt[.did-it.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\5adrq7zb.default\cookies.txt[.did-it.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\5adrq7zb.default\cookies.txt[.did-it.com/]
00238695 Application/Pskill.K HackTools No 0 Yes No C:\Documents and Settings\All Users\Start Menu\Programs\SysInternals stuff\PsTools\pskill.exe
00519333 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Admin\Desktop\VirtumundoBeGone.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location X
;===================================================================================================================================================================================
No C:\WINDOWS\system32\blphcr9aj0egen.scr X
No C:\WINDOWS\system32\lphcr9aj0egen.exe X
No c:\windows\system32\lphcr9aj0egen.exe X
No C:\D\W\SE\2\PRISMSVR.EXE X
No C:\WINDOWS\system32\blphcr9aj0egen.scr X
No C:\WINDOWS\system32\lphcr9aj0egen.exe X
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description X
;===================================================================================================================================================================================
184380 MEDIUM MS08-002 X
184379 MEDIUM MS08-001 X
182048 HIGH MS07-069 X
182046 HIGH MS07-067 X
182043 HIGH MS07-064 X
179553 HIGH MS07-061 X
176382 HIGH MS07-057 X
176383 HIGH MS07-058 X
157262 HIGH MS07-022 X
150243 HIGH MS07-008 X
126087 HIGH MS06-046 X
120825 MEDIUM MS06-032 X
120823 MEDIUM MS06-030 X
108743 MEDIUM MS06-007 X
93394 HIGH MS05-050 X
93454 MEDIUM MS05-049 X
;===================================================================================================================================================================================


HIJACK THIS LOG


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:26:28, on 28/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20627)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nwlmtmhs\pghkjyxa.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Comodo\Firewall\cfp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
D:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\WINDOWS\system32\lphcr9aj0egen.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\RocketDock\RocketDock.exe
E:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\DOCUME~1\Admin\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wincustomize.com/skins.asp?library=32
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - E:\Program Files\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [COMODO Firewall Pro] "E:\Program Files\Comodo\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [DMXLauncher] "D:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [lphcr9aj0egen] C:\WINDOWS\system32\lphcr9aj0egen.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [mntsrv] C:\WINDOWS\system32\idgzibmd.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [qXeVSupjbm] C:\Documents and Settings\All Users\Application Data\nwlmtmhs\pghkjyxa.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Shortcut to autorun.exe.lnk = D:\autorun.exe
O4 - Global Startup: Shortcut to RocketDock.lnk = C:\Program Files\RocketDock\RocketDock.exe
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: ส่&งออกไปยัง Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: ???????? - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Admin\WINDOWS\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplug.com/StreamPlug/beta/SP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C8F58E8-9DB3-4C68-8ADD-E0B82F5D821A}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O21 - SSODL: smartmonhlp - {5207CB13-9EFA-CAA6-78F2-06C897464DD3} - C:\Program Files\yhgrmhe\smartmonhlp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - E:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - D:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - D:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Admin\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Usbest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 14154 bytes


latest AntiVir alerts -

Virus or unwanted program 'TR/FakeScanner.F [trojan]'
detected in file 'C:\Documents and Settings\Admin\Local Settings\Temp\.ttD0.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/FakeScanner.F [trojan]'
detected in file 'C:\Documents and Settings\Admin\Local Settings\Temp\.ttCE.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/FakeScanner.F [trojan]'
detected in file 'C:\Documents and Settings\Admin\Local Settings\Temp\.ttCE.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/FakeScanner.F [trojan]'
detected in file 'C:\Documents and Settings\Admin\Local Settings\Temp\.ttCA.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/FakeScanner.F [trojan]'
detected in file 'C:\Documents and Settings\Admin\Local Settings\Temp\.ttC8.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/FakeScanner.F [trojan]'
detected in file 'C:\Documents and Settings\Admin\Local Settings\Temp\.ttC5.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/FakeScanner.F [trojan]'
detected in file 'C:\Documents and Settings\Admin\Local Settings\Temp\.ttC5.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/FakeScanner.F [trojan]'
detected in file 'C:\Documents and Settings\Admin\Local Settings\Temp\.ttC3.tmp.
Action performed: Deny access

Virus or unwanted program 'TR/FakeScanner.F [trojan]'
detected in file 'C:\Documents and Settings\Admin\Local Settings\Temp\.ttC1.tmp.
Action performed: Deny access

Virus or unwanted program 'VBS/Agent.1002 [virus]'
detected in file 'C:\Documents and Settings\Admin\Local Settings\Temp\.tt4.tmp.vbs.
Action performed: Deny access

Virus or unwanted program 'VBS/Agent.1002 [virus]'
detected in file 'C:\Documents and Settings\Admin\Local Settings\Temp\.tt3.tmp.vbs.
Action performed: Deny access

Virus or unwanted program 'VBS/Agent.1002 [virus]'
detected in file 'C:\Documents and Settings\Admin\Local Settings\Temp\.tt2.tmp.vbs.
Action performed: Deny access

Virus or unwanted program 'VBS/Agent.1002 [virus]'
detected in file 'C:\Documents and Settings\Admin\Local Settings\Temp\.tt1.tmp.vbs.
Action performed: Deny access

Virus or unwanted program 'TR/FakeScanner.F [trojan]'
detected in file 'C:\Documents and Settings\Admin\Local Settings\Temp\.ttBF.tmp.
Action performed: Deny access


Thanks

D

BC AdBot (Login to Remove)

 


#2 danthedonut

danthedonut
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:23 PM

Posted 29 August 2008 - 08:29 PM

Hi, Sorry,

Just wanted to add the results of my AV software scan (Avira)



Avira AntiVir Personal
Report file date: 30 August 2008 07:34

Scanning for 1577074 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: USER

Version information:
BUILD.DAT : 8.1.0.331 16934 Bytes 12/8/2551 11:46:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 20/7/2551 09:34:05
AVSCAN.DLL : 8.1.4.0 40705 Bytes 20/7/2551 09:34:05
LUKE.DLL : 8.1.4.5 164097 Bytes 20/7/2551 09:34:06
LUKERES.DLL : 8.1.4.0 12033 Bytes 20/7/2551 09:34:06
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/7/2550 08:27:15
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 24/6/2551 19:03:13
ANTIVIR2.VDF : 7.0.6.60 2802176 Bytes 24/8/2551 13:20:56
ANTIVIR3.VDF : 7.0.6.80 114688 Bytes 27/8/2551 14:47:27
Engineversion : 8.1.1.23
AEVDF.DLL : 8.1.0.5 102772 Bytes 16/4/2551 22:10:18
AESCRIPT.DLL : 8.1.0.68 315770 Bytes 19/8/2551 22:36:15
AESCN.DLL : 8.1.0.23 119156 Bytes 15/7/2551 15:29:39
AERDL.DLL : 8.1.0.20 418165 Bytes 25/4/2551 08:10:21
AEPACK.DLL : 8.1.2.1 364917 Bytes 15/7/2551 15:29:38
AEOFFICE.DLL : 8.1.0.22 192890 Bytes 19/8/2551 22:36:12
AEHEUR.DLL : 8.1.0.50 1388918 Bytes 19/8/2551 22:36:08
AEHELP.DLL : 8.1.0.15 115063 Bytes 30/5/2551 08:51:49
AEGEN.DLL : 8.1.0.36 315764 Bytes 19/8/2551 22:35:57
AEEMU.DLL : 8.1.0.7 430452 Bytes 31/7/2551 23:01:47
AECORE.DLL : 8.1.1.8 172406 Bytes 31/7/2551 23:01:46
AEBB.DLL : 8.1.0.1 53617 Bytes 20/7/2551 09:34:06
AVWINLL.DLL : 1.0.0.12 15105 Bytes 20/7/2551 09:34:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 20/7/2551 09:34:05
AVREP.DLL : 8.0.0.2 98344 Bytes 31/7/2551 23:01:45
AVREG.DLL : 8.0.0.1 33537 Bytes 20/7/2551 09:34:05
AVARKT.DLL : 1.0.0.23 307457 Bytes 16/4/2551 22:10:17
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 20/7/2551 09:34:05
SQLITE3.DLL : 3.3.17.1 339968 Bytes 16/4/2551 22:10:18
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 20/7/2551 09:34:06
NETNT.DLL : 8.0.0.1 7937 Bytes 16/4/2551 22:10:18
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 20/7/2551 09:34:03
RCTEXT.DLL : 8.0.52.0 86273 Bytes 20/7/2551 09:34:03

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:, E:, F:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 30 August 2008 07:34

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'CPSHelpRunner10.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'sidebar.exe' - '1' Module(s) have been scanned
Scan process 'NMIndexingService.exe' - '1' Module(s) have been scanned
Scan process 'UTSCSI.EXE' - '1' Module(s) have been scanned
Scan process 'ULCDRSvr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sqlwriter.exe' - '1' Module(s) have been scanned
Scan process 'skypePM.exe' - '1' Module(s) have been scanned
Scan process 'RichVideo.exe' - '1' Module(s) have been scanned
Scan process 'IoctlSvc.exe' - '1' Module(s) have been scanned
Scan process 'NBService.exe' - '1' Module(s) have been scanned
Scan process 'RtkBtMnt.exe' - '1' Module(s) have been scanned
Scan process 'Styler.exe' - '1' Module(s) have been scanned
Scan process 'igfxext.exe' - '1' Module(s) have been scanned
Scan process 'RocketDock.exe' - '1' Module(s) have been scanned
Scan process 'sqlservr.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'BTTray.exe' - '1' Module(s) have been scanned
Scan process 'cmdagent.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'agrsmsvc.exe' - '1' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'daemon.exe' - '1' Module(s) have been scanned
Scan process 'NMIndexStoreSvr.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'Skype.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'sidebar.exe' - '1' Module(s) have been scanned
Scan process 'lphcr9aj0egen.exe' - '1' Module(s) have been scanned
Scan process 'DMXLauncher.exe' - '1' Module(s) have been scanned
Scan process 'RoxWatchTray10.exe' - '1' Module(s) have been scanned
Scan process 'PWRISOVM.EXE' - '1' Module(s) have been scanned
Scan process 'cfp.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'PDVDServ.exe' - '1' Module(s) have been scanned
Scan process 'winampa.exe' - '1' Module(s) have been scanned
Scan process 'reader_sl.exe' - '1' Module(s) have been scanned
Scan process 'QtZgAcer.EXE' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.exe' - '1' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'pghkjyxa.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'btwdins.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
68 processes with 68 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!
Boot sector 'F:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '82' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Admin\Local Settings\Temp\.tt1.tmp.vbs
[DETECTION] Contains recognition pattern of the VBS/Agent.1002 VBS script virus
[NOTE] The file was moved to '492c998f.qua'!
C:\Documents and Settings\Admin\Local Settings\Temp\.tt2.tmp.vbs
[DETECTION] Contains recognition pattern of the VBS/Agent.1002 VBS script virus
[NOTE] The file was moved to '492c9995.qua'!
C:\Documents and Settings\Admin\Local Settings\Temp\.tt3.tmp.vbs
[DETECTION] Contains recognition pattern of the VBS/Agent.1002 VBS script virus
[NOTE] The file was moved to '492c9997.qua'!
C:\Documents and Settings\Admin\Local Settings\Temp\.tt4.tmp.vbs
[DETECTION] Contains recognition pattern of the VBS/Agent.1002 VBS script virus
[NOTE] The file was moved to '492c999b.qua'!
C:\WINDOWS\system32\phcr9aj0egen.bmp
[DETECTION] Is the TR/Fakealert.AAF Trojan
[NOTE] The file was moved to '491b9fc7.qua'!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
Begin scan in 'D:\' <DISK1_VOL2>
Begin scan in 'E:\' <DISK1_VOL3>
Begin scan in 'F:\' <DISK1_VOL4>


End of the scan: 30 August 2008 08:25
Used time: 51:33 Minute(s)

The scan has been done completely.

17629 Scanning directories
577448 Files were scanned
5 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
5 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
577440 Files not concerned
2120 Archives were scanned
3 Warnings
5 Notes

thx

#3 screen317

screen317

  • Malware Response Team
  • 236 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Los Angeles
  • Local time:04:23 AM

Posted 30 August 2008 - 07:39 PM

Hi,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

-screen317

#4 danthedonut

danthedonut
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:23 PM

Posted 31 August 2008 - 03:10 AM

Hi,

Thanks for your help. I have followed your instructions, here is the Malwarebytes log

Malwarebytes' Anti-Malware 1.25
Database version: 1101
Windows 5.1.2600 Service Pack 2

14:56:08 31/08/2008
mbam-log-08-31-2008 (14-56-08).txt

Scan type: Quick Scan
Objects scanned: 51638
Time elapsed: 4 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 55

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcr9aj0egen (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\smp (Fake.Dropped.Malware) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\blphcr9aj0egen.scr (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\smp\msrc.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\Admin\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temp\.ttC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\akttzn.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\anticipator.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\awtoolb.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\bdn.com (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\bsva-egihsg52.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\dpcproxy.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\emesx.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\hoproxy.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\hxiwlgpm.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\hxiwlgpm.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\medup012.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\msgp.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\msnbho.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\mssecu.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\msvchost.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\mtr2.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\mwin32.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\netode.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\newsd32.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ps1.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\psof1.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\psoft1.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\regc64.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\regm64.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\Rundl1.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\sncntr.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ssurf022.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ssvchost.com (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ssvchost.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\sysreq.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\taack.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\taack.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\temp#01.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\thun.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\thun32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\VBIEWER.OCX (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\vcatchpi.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\winlogonpc.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\winsystem.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\WINWGPX.EXE (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\vbsys2.dll (Trojan.Clicker) -> Delete on reboot.
C:\WINDOWS\system32\phcr9aj0egen.bmp (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\explorer.backup (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


And here is the fresh HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:09:28, on 31/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20627)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Documents and Settings\All Users\Application Data\nwlmtmhs\pghkjyxa.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Comodo\Firewall\cfp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
D:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
E:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Styler\Styler.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wincustomize.com/skins.asp?library=32
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - E:\Program Files\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [COMODO Firewall Pro] "E:\Program Files\Comodo\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [DMXLauncher] "D:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [mntsrv] C:\WINDOWS\system32\idgzibmd.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [qXeVSupjbm] C:\Documents and Settings\All Users\Application Data\nwlmtmhs\pghkjyxa.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Shortcut to autorun.exe.lnk = D:\autorun.exe
O4 - Global Startup: Shortcut to RocketDock.lnk = C:\Program Files\RocketDock\RocketDock.exe
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: ส่&งออกไปยัง Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: ???????? - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Admin\WINDOWS\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplug.com/StreamPlug/beta/SP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C8F58E8-9DB3-4C68-8ADD-E0B82F5D821A}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O21 - SSODL: smartmonhlp - {5207CB13-9EFA-CAA6-78F2-06C897464DD3} - C:\Program Files\yhgrmhe\smartmonhlp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - E:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - D:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - D:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Admin\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Usbest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 13941 bytes


Many thanks

#5 screen317

screen317

  • Malware Response Team
  • 236 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Los Angeles
  • Local time:04:23 AM

Posted 31 August 2008 - 05:40 PM

Hi,

Update MBAM, and do another scan please.


Next, we'll use ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

#6 danthedonut

danthedonut
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:23 PM

Posted 31 August 2008 - 09:06 PM

Hi,

New Malwarebytes Log

Malwarebytes' Anti-Malware 1.25
Database version: 1102
Windows 5.1.2600 Service Pack 2

07:26:41 01/09/2008
mbam-log-09-01-2008 (07-26-41).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 247724
Time elapsed: 49 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Combofix Log

ComboFix 08-08-30.03 - Admin 2008-09-01 7:36:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.874.66.1033.18.376 [GMT 7:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\#SharedObjects\GVP00001\static.youku.com
C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\#SharedObjects\GVP00001\static.youku.com\v1.0.0233\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol
C:\Documents and Settings\Admin\Cookies\admin@serving-sys[1].txt
C:\WINDOWS\system32\pskill.exe
C:\WINDOWS\system32\x64

.
((((((((((((((((((((((((( Files Created from 2008-08-01 to 2008-09-01 )))))))))))))))))))))))))))))))
.

2008-08-31 14:57 . 2008-08-31 14:57 61,440 --a------ C:\WINDOWS\system32\drivers\liscfdle.sys
2008-08-31 14:37 . 2008-08-31 14:37 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-31 14:37 . 2008-08-31 14:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-31 14:37 . 2008-08-31 14:37 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Malwarebytes
2008-08-31 14:37 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-31 14:37 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-28 08:24 . 2008-08-28 08:24 <DIR> d-------- C:\hjt
2008-08-28 08:07 . 2008-08-28 08:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-28 05:46 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-28 05:45 . 2008-08-28 05:45 <DIR> d-------- C:\Program Files\Panda Security
2008-08-27 23:52 . 2008-08-27 23:59 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-27 23:52 . 2008-08-28 00:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-27 22:58 . 2008-08-27 22:58 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-27 22:58 . 2008-08-27 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-27 22:29 . 2008-08-27 22:29 <DIR> d-------- C:\VundoFix Backups
2008-08-27 01:28 . 2008-08-27 01:28 <DIR> dr-h----- C:\Documents and Settings\Admin\Application Data\SecuROM
2008-08-27 01:28 . 2008-08-27 01:28 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-08-25 09:56 . 2008-08-25 09:56 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-08-25 09:56 . 2008-08-25 10:16 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Roxio
2008-08-25 09:55 . 2008-08-25 09:55 <DIR> d-------- C:\Program Files\InterActual
2008-08-25 09:32 . 2008-08-25 09:32 <DIR> d-------- C:\SmartSound Software
2008-08-25 09:29 . 2008-08-25 09:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-08-25 09:25 . 2008-08-25 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-08-25 09:22 . 2008-08-25 09:30 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-08-25 09:22 . 2008-08-25 09:30 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-08-12 04:27 . 2008-08-14 09:39 <DIR> d-------- C:\Program Files\Total Video Converter
2008-08-12 01:54 . 2008-08-12 01:54 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\NeroDigital?

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-31 23:56 --------- d-----w C:\Documents and Settings\Admin\Application Data\Skype
2008-08-31 17:08 --------- d-----w C:\Documents and Settings\Admin\Application Data\skypePM
2008-08-31 05:12 --------- d-----w C:\Documents and Settings\Admin\Application Data\BitTorrent
2008-08-27 15:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-26 18:23 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-08-26 17:16 --------- d-----w C:\Program Files\Common Files\Intuit
2008-08-26 17:10 --------- d-----w C:\Documents and Settings\Admin\Application Data\OpenOffice.org2
2008-08-25 02:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-25 02:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2008-08-06 22:34 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-08-02 00:41 --------- d-----w C:\Program Files\PowerISO
2008-07-15 16:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\nwlmtmhs
2008-07-15 16:10 --------- d-----w C:\Program Files\yhgrmhe
2008-07-13 17:01 --------- d-----w C:\Documents and Settings\Admin\Application Data\IMVU
2008-07-13 16:56 --------- d-----w C:\Program Files\IMVU
2008-07-13 14:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\PassMark
2008-07-13 14:08 --------- d-----w C:\Program Files\WirelessMon
2008-07-07 07:40 56,108 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2008-07-07 02:58 --------- d-----w C:\Program Files\Macromedia
2008-07-07 02:58 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-06-08 16:58 60,273 ----a-w C:\WINDOWS\system32\pthreadGC2.dll
2008-03-26 01:28 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-18 00:59 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2008-01-18 00:59 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-01-18 00:59 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008011720080118\index.dat
2008-01-18 00:59 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

------- Sigcheck -------

2007-10-08 08:30 815104 6cc9bcad800d1fe2567f61645b33ba49 C:\WINDOWS\system32\wininet.dll

2007-10-08 08:31 360704 1157d0d6ba036fb9537d4cd81375b12c C:\WINDOWS\system32\drivers\tcpip.sys

2007-10-08 11:55 2182144 a09c144d8d5a460b8ebfa56f913715d2 C:\WINDOWS\system32\ntkrnlpa.exe

2007-10-08 11:48 2302464 465e3e1178812be755634457f4a778bf C:\WINDOWS\system32\ntoskrnl.exe

2007-10-08 08:31 975360 d96ec9dae043c3bee37ee9099336470e C:\WINDOWS\explorer.exe
2007-10-08 08:31 1224192 8084a78f85e634d4387bb4caa775ade8 C:\WINDOWS\icon_TMP\explorer.exe
2007-10-08 08:31 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\system_backup\explorer.exe

2007-10-08 08:29 80216 1fa4b5a2899a41df1b0068e96b55e9c2 C:\WINDOWS\icon_TMP\wuauclt.exe
2007-10-08 08:29 68440 be055b9cc6958e7b4b2f6fa2a60e2d78 C:\WINDOWS\system32\wuauclt.exe
2007-10-08 08:29 53080 f3e9065eb617a7e3a832a7976bfa021b C:\WINDOWS\system_backup\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2007-05-18 15:30 1230848]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 19:00 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-02 07:22 21898024]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:21 1694208]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 17:07 1828136]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 16:39 486856]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-09-05 22:13 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-09-05 22:13 166424]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-09-05 22:13 137752]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2007-10-08 08:17 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 19:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 19:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 19:00 455168]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-17 14:40 53248]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-23 19:54 851968]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2007-06-29 03:16 707080]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 14:06 40048]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-11-22 00:38 35328]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-09-19 02:08 29696]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-09-30 12:58 49152]
"UVS10 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe" [2006-03-07 15:52 36864]
"BootSkin Startup Jobs"="C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-27 07:21 270336]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-20 16:34 266497]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 09:59 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 16:29 2221352]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-30 11:58 185896]
"COMODO Firewall Pro"="E:\Program Files\Comodo\Firewall\cfp.exe" [2008-05-31 14:47 1655552]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-07-07 14:34 167936]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 15:52 240112]
"DMXLauncher"="D:\Program Files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 03:44 113136]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 08:32 16132608 C:\WINDOWS\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2007-05-18 15:30 1230848]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 19:00 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2007-10-08 08:30 124928 C:\WINDOWS\system32\advpack.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"qXeVSupjbm"="C:\Documents and Settings\All Users\Application Data\nwlmtmhs\pghkjyxa.exe" [2008-07-15 23:11 65536]

C:\Documents and Settings\Admin\WINDOWS\Programs\Startup\
Styler.lnk - C:\Documents and Settings\Admin\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe [2008-01-18 08:01:04 15086]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 11 (0xb)
"NoStartMenuMFUprogramsList"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"smartmonhlp"= {5207CB13-9EFA-CAA6-78F2-06C897464DD3} - C:\Program Files\yhgrmhe\smartmonhlp.dll [2008-07-15 23:10 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-21 13:57 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"E:\\Program Files\\realplay.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-05-23 15:45]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-05-23 15:45]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 05:29]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-04 19:00]
R3 hidshim;Service for HID-KMDF Shim layer;C:\WINDOWS\system32\DRIVERS\hidshim.sys [2007-05-30 09:49]
R3 winbondhidcir;Winbond HID CIR Receiver;C:\WINDOWS\system32\DRIVERS\winbondhidcir.sys [2007-05-30 09:49]
S0 iastor76;iastor76;C:\WINDOWS\system32\drivers\iastor76.sys [2007-10-08 08:02]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;D:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2007-08-24 15:53]
S2 RoxLiveShare10;LiveShare P2P Server 10;C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2007-08-24 15:52]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2007-08-24 15:52]
S2 SessionLauncher;SessionLauncher;C:\DOCUME~1\Admin\LOCALS~1\Temp\DX9\SessionLauncher.exe []
S3 musbehco;musbehco;C:\DOCUME~1\Admin\LOCALS~1\Temp\musbehco.sys []
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;D:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2007-08-24 15:53]
S3 RoxMediaDB10;RoxMediaDB10;C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2007-08-24 15:52]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ba2ca5a-7244-11dd-bb73-001b24fb8699}]
\Shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e426ae0e-d8f9-11dc-b2a6-001b24fb8f77}]
\Shell\AutoRun\command - H:\autoverify.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{34A19196-274E-4D75-9D30-D7A45A0A4178}]
"%ProgramFiles%\Windows Sidebar\.\regsvr32.exe" /s wlsrvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6B9228DA-9C15-419e-856C-19E768A13BDC}]
"%ProgramFiles%\Windows Sidebar\.\regsvr32.exe" /s sbdrop.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
HIDEC /W "%VAIOTOOLS%\regtlib.exe" "%ProgramFiles%\Windows Sidebar\sidebar.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-06-06 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-20 07:53]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-mntsrv - C:\WINDOWS\system32\idgzibmd.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\5adrq7zb.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.daemon-search.com/startpage
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 1\plugins\npnul32.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-01 07:39:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-09-01 7:40:28
ComboFix-quarantined-files.txt 2008-09-01 00:40:17

Pre-Run: 10,611,462,144 bytes free
Post-Run: 10,622,189,568 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

239


Hijack This Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:45:08, on 01/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20627)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Documents and Settings\All Users\Application Data\nwlmtmhs\pghkjyxa.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
D:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wincustomize.com/skins.asp?library=32
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - E:\Program Files\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [COMODO Firewall Pro] "E:\Program Files\Comodo\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [DMXLauncher] "D:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [qXeVSupjbm] C:\Documents and Settings\All Users\Application Data\nwlmtmhs\pghkjyxa.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Shortcut to autorun.exe.lnk = D:\autorun.exe
O4 - Global Startup: Shortcut to RocketDock.lnk = C:\Program Files\RocketDock\RocketDock.exe
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: ส่&งออกไปยัง Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: ???????? - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Admin\WINDOWS\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplug.com/StreamPlug/beta/SP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C8F58E8-9DB3-4C68-8ADD-E0B82F5D821A}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O21 - SSODL: smartmonhlp - {5207CB13-9EFA-CAA6-78F2-06C897464DD3} - C:\Program Files\yhgrmhe\smartmonhlp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - E:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - D:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - D:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Admin\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Usbest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 12947 bytes



Many thx

Edited by danthedonut, 31 August 2008 - 09:07 PM.


#7 screen317

screen317

  • Malware Response Team
  • 236 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Los Angeles
  • Local time:04:23 AM

Posted 02 September 2008 - 02:06 AM

Hi,

Before we continue I would like some more information about some of your system files, so please do the following:

Please go to VirusTotal, and upload the following files for analysis:
C:\WINDOWS\system32\wininet.dll
C:\WINDOWS\system32\drivers\tcpip.sys
C:\WINDOWS\system32\ntkrnlpa.exe
C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\icon_TMP\wuauclt.exe


Post the results in your reply.

In addition, do you have your Windows XP CD?

-screen317

#8 danthedonut

danthedonut
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:23 PM

Posted 02 September 2008 - 10:31 AM

C:\WINDOWS\system32\wininet.dll


File wininet.dll received on 09.02.2008 17:03:09 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.3.0 2008.09.02 -
AntiVir 7.8.1.23 2008.09.02 -
Authentium 5.1.0.4 2008.09.02 -
Avast 4.8.1195.0 2008.09.02 -
AVG 8.0.0.161 2008.09.02 -
BitDefender 7.2 2008.09.02 -
CAT-QuickHeal 9.50 2008.08.29 -
ClamAV 0.93.1 2008.09.02 -
DrWeb 4.44.0.09170 2008.09.02 -
eSafe 7.0.17.0 2008.09.01 -
eTrust-Vet 31.6.6064 2008.09.02 -
Ewido 4.0 2008.09.02 -
F-Prot 4.4.4.56 2008.09.02 -
F-Secure 8.0.14332.0 2008.09.02 -
Fortinet 3.14.0.0 2008.09.02 -
GData 19 2008.09.02 -
Ikarus T3.1.1.34.0 2008.09.02 -
K7AntiVirus 7.10.437 2008.09.02 -
Kaspersky 7.0.0.125 2008.09.02 -
McAfee 5374 2008.09.01 -
Microsoft 1.3807 2008.09.02 -
NOD32v2 3407 2008.09.02 -
Norman 5.80.02 2008.09.02 -
Panda 9.0.0.4 2008.09.02 -
PCTools 4.4.2.0 2008.09.02 -
Prevx1 V2 2008.09.02 -
Rising 20.60.11.00 2008.09.02 -
Sophos 4.33.0 2008.09.02 -
Sunbelt 3.1.1592.1 2008.08.30 -
Symantec 10 2008.09.02 -
TheHacker 6.3.0.8.069 2008.09.01 -
TrendMicro 8.700.0.1004 2008.09.02 -
VBA32 3.12.8.4 2008.09.02 -
ViRobot 2008.9.2.1361 2008.09.02 -
VirusBuster 4.5.11.0 2008.09.02 -
Webwasher-Gateway 6.6.2 2008.09.02 -
Additional information
File size: 815104 bytes
MD5...: 6cc9bcad800d1fe2567f61645b33ba49

C:\WINDOWS\system32\drivers\tcpip.sys

File tcpip.sys received on 09.02.2008 17:07:57 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.3.0 2008.09.02 -
AntiVir 7.8.1.23 2008.09.02 -
Authentium 5.1.0.4 2008.09.02 -
Avast 4.8.1195.0 2008.09.02 -
AVG 8.0.0.161 2008.09.02 -
BitDefender 7.2 2008.09.02 -
CAT-QuickHeal 9.50 2008.08.29 -
ClamAV 0.93.1 2008.09.02 -
DrWeb 4.44.0.09170 2008.09.02 -
eSafe 7.0.17.0 2008.09.01 -
eTrust-Vet 31.6.6064 2008.09.02 -
Ewido 4.0 2008.09.02 -
F-Prot 4.4.4.56 2008.09.02 -
F-Secure 8.0.14332.0 2008.09.02 -
Fortinet 3.14.0.0 2008.09.02 -
GData 19 2008.09.02 -
Ikarus T3.1.1.34.0 2008.09.02 -
K7AntiVirus 7.10.437 2008.09.02 -
Kaspersky 7.0.0.125 2008.09.02 -
McAfee 5374 2008.09.01 -
Microsoft 1.3807 2008.09.02 -
NOD32v2 3407 2008.09.02 -
Norman 5.80.02 2008.09.02 -
Panda 9.0.0.4 2008.09.02 -
PCTools 4.4.2.0 2008.09.02 -
Prevx1 V2 2008.09.02 -
Rising 20.60.11.00 2008.09.02 -
Sophos 4.33.0 2008.09.02 -
Sunbelt 3.1.1592.1 2008.08.30 -
Symantec 10 2008.09.02 -
TheHacker 6.3.0.8.069 2008.09.01 -
TrendMicro 8.700.0.1004 2008.09.02 -
VBA32 3.12.8.4 2008.09.02 -
ViRobot 2008.9.2.1361 2008.09.02 -
VirusBuster 4.5.11.0 2008.09.02 -
Webwasher-Gateway 6.6.2 2008.09.02 -
Additional information
File size: 360704 bytes
MD5...: 1157d0d6ba036fb9537d4cd81375b12c

C:\WINDOWS\system32\ntkrnlpa.exe

File ntkrnlpa.exe received on 09.02.2008 17:12:11 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.3.0 2008.09.02 -
AntiVir 7.8.1.23 2008.09.02 -
Authentium 5.1.0.4 2008.09.02 -
Avast 4.8.1195.0 2008.09.02 -
AVG 8.0.0.161 2008.09.02 -
BitDefender 7.2 2008.09.02 -
CAT-QuickHeal 9.50 2008.08.29 -
ClamAV 0.93.1 2008.09.02 -
DrWeb 4.44.0.09170 2008.09.02 -
eSafe 7.0.17.0 2008.09.02 -
eTrust-Vet 31.6.6064 2008.09.02 -
Ewido 4.0 2008.09.02 -
F-Prot 4.4.4.56 2008.09.02 -
Fortinet 3.14.0.0 2008.09.02 -
GData 19 2008.09.02 -
Ikarus T3.1.1.34.0 2008.09.02 -
K7AntiVirus 7.10.437 2008.09.02 -
Kaspersky 7.0.0.125 2008.09.02 -
McAfee 5374 2008.09.01 -
Microsoft 1.3807 2008.09.02 -
NOD32v2 3407 2008.09.02 -
Norman 5.80.02 2008.09.02 -
Panda 9.0.0.4 2008.09.02 -
PCTools 4.4.2.0 2008.09.02 -
Prevx1 V2 2008.09.02 -
Rising 20.60.11.00 2008.09.02 -
Sophos 4.33.0 2008.09.02 -
Sunbelt 3.1.1592.1 2008.08.30 -
Symantec 10 2008.09.02 -
TheHacker 6.3.0.8.069 2008.09.01 -
TrendMicro 8.700.0.1004 2008.09.02 -
VBA32 3.12.8.4 2008.09.02 -
ViRobot 2008.9.2.1361 2008.09.02 -
VirusBuster 4.5.11.0 2008.09.02 -
Webwasher-Gateway 6.6.2 2008.09.02 -
Additional information
File size: 2182144 bytes
MD5...: a09c144d8d5a460b8ebfa56f913715d2

C:\WINDOWS\system32\ntoskrnl.exe

File ntoskrnl.exe received on 09.02.2008 17:18:52 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.3.0 2008.09.02 -
AntiVir 7.8.1.23 2008.09.02 -
Authentium 5.1.0.4 2008.09.02 -
Avast 4.8.1195.0 2008.09.02 -
AVG 8.0.0.161 2008.09.02 -
BitDefender 7.2 2008.09.02 -
CAT-QuickHeal 9.50 2008.08.29 -
ClamAV 0.93.1 2008.09.02 -
DrWeb 4.44.0.09170 2008.09.02 -
eSafe 7.0.17.0 2008.09.02 -
eTrust-Vet 31.6.6064 2008.09.02 -
Ewido 4.0 2008.09.02 -
F-Prot 4.4.4.56 2008.09.02 -
F-Secure 8.0.14332.0 2008.09.02 -
Fortinet 3.14.0.0 2008.09.02 -
GData 19 2008.09.02 -
Ikarus T3.1.1.34.0 2008.09.02 -
K7AntiVirus 7.10.437 2008.09.02 -
Kaspersky 7.0.0.125 2008.09.02 -
McAfee 5374 2008.09.01 -
Microsoft 1.3807 2008.09.02 -
NOD32v2 3407 2008.09.02 -
Norman 5.80.02 2008.09.02 -
Panda 9.0.0.4 2008.09.02 -
PCTools 4.4.2.0 2008.09.02 -
Prevx1 V2 2008.09.02 -
Rising 20.60.11.00 2008.09.02 -
Sophos 4.33.0 2008.09.02 -
Sunbelt 3.1.1592.1 2008.08.30 -
TheHacker 6.3.0.8.069 2008.09.01 -
TrendMicro 8.700.0.1004 2008.09.02 -
VBA32 3.12.8.4 2008.09.02 -
ViRobot 2008.9.2.1361 2008.09.02 -
VirusBuster 4.5.11.0 2008.09.02 -
Webwasher-Gateway 6.6.2 2008.09.02 -
Additional information
File size: 2302464 bytes
MD5...: 465e3e1178812be755634457f4a778bf

C:\WINDOWS\explorer.exe

File explorer.exe received on 09.02.2008 17:22:24 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.3.0 2008.09.02 -
AntiVir 7.8.1.23 2008.09.02 -
Authentium 5.1.0.4 2008.09.02 -
Avast 4.8.1195.0 2008.09.02 -
AVG 8.0.0.161 2008.09.02 -
BitDefender 7.2 2008.09.02 -
CAT-QuickHeal 9.50 2008.09.02 -
ClamAV 0.93.1 2008.09.02 -
DrWeb 4.44.0.09170 2008.09.02 -
eSafe 7.0.17.0 2008.09.02 -
eTrust-Vet 31.6.6064 2008.09.02 -
Ewido 4.0 2008.09.02 -
F-Prot 4.4.4.56 2008.09.02 -
F-Secure 8.0.14332.0 2008.09.02 -
Fortinet 3.14.0.0 2008.09.02 -
GData 19 2008.09.02 -
Ikarus T3.1.1.34.0 2008.09.02 -
K7AntiVirus 7.10.437 2008.09.02 -
Kaspersky 7.0.0.125 2008.09.02 -
McAfee 5374 2008.09.01 -
Microsoft 1.3807 2008.09.02 -
NOD32v2 3407 2008.09.02 -
Norman 5.80.02 2008.09.02 -
Panda 9.0.0.4 2008.09.02 -
PCTools 4.4.2.0 2008.09.02 -
Prevx1 V2 2008.09.02 -
Rising 20.60.11.00 2008.09.02 -
Sophos 4.33.0 2008.09.02 -
Sunbelt 3.1.1592.1 2008.08.30 -
Symantec 10 2008.09.02 -
TheHacker 6.3.0.8.069 2008.09.01 -
TrendMicro 8.700.0.1004 2008.09.02 -
VBA32 3.12.8.4 2008.09.02 -
ViRobot 2008.9.2.1361 2008.09.02 -
VirusBuster 4.5.11.0 2008.09.02 -
Webwasher-Gateway 6.6.2 2008.09.02 -
Additional information
File size: 975360 bytes
MD5...: d96ec9dae043c3bee37ee9099336470e

C:\WINDOWS\icon_TMP\wuauclt.exe

File wuauclt.exe received on 09.02.2008 17:27:38 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.3.0 2008.09.02 -
AntiVir 7.8.1.23 2008.09.02 -
Authentium 5.1.0.4 2008.09.02 -
Avast 4.8.1195.0 2008.09.02 -
AVG 8.0.0.161 2008.09.02 -
BitDefender 7.2 2008.09.02 -
CAT-QuickHeal 9.50 2008.09.02 -
ClamAV 0.93.1 2008.09.02 -
DrWeb 4.44.0.09170 2008.09.02 -
eSafe 7.0.17.0 2008.09.02 -
eTrust-Vet 31.6.6064 2008.09.02 -
Ewido 4.0 2008.09.02 -
F-Prot 4.4.4.56 2008.09.02 -
F-Secure 8.0.14332.0 2008.09.02 -
Fortinet 3.14.0.0 2008.09.02 -
GData 19 2008.09.02 -
Ikarus T3.1.1.34.0 2008.09.02 -
K7AntiVirus 7.10.437 2008.09.02 -
Kaspersky 7.0.0.125 2008.09.02 -
McAfee 5374 2008.09.01 -
Microsoft 1.3807 2008.09.02 -
NOD32v2 3407 2008.09.02 -
Norman 5.80.02 2008.09.02 -
Panda 9.0.0.4 2008.09.02 -
PCTools 4.4.2.0 2008.09.02 -
Prevx1 V2 2008.09.02 -
Rising 20.60.11.00 2008.09.02 -
Sophos 4.33.0 2008.09.02 -
Sunbelt 3.1.1592.1 2008.08.30 -
Symantec 10 2008.09.02 -
TheHacker 6.3.0.8.069 2008.09.01 -
TrendMicro 8.700.0.1004 2008.09.02 -
VBA32 3.12.8.4 2008.09.02 -
ViRobot 2008.9.2.1361 2008.09.02 -
VirusBuster 4.5.11.0 2008.09.02 -
Webwasher-Gateway 6.6.2 2008.09.02 -
Additional information
File size: 80216 bytes
MD5...: 1fa4b5a2899a41df1b0068e96b55e9c2

In addition, do you have your Windows XP CD?


Unfortunately, no. :thumbsup:

Cheers

Edited by screen317, 04 September 2008 - 01:55 AM.


#9 screen317

screen317

  • Malware Response Team
  • 236 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Los Angeles
  • Local time:04:23 AM

Posted 02 September 2008 - 02:40 PM

Okay luckily your system files are okay. :thumbsup:


Few more files I would like confirmation on:

Configure Windows XP to show hidden files:
Navigate to Start --> My Computer.
Select the Tools menu and click Folder Options. Select the View tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.


Then, please go to VirusTotal, and upload the following files for analysis:
C:\WINDOWS\system32\drivers\liscfdle.sys
C:\WINDOWS\system32\advpack.dll
C:\Program Files\yhgrmhe\smartmonhlp.dll
C:\Documents and Settings\All Users\Application Data\nwlmtmhs\pghkjyxa.exe


Post the results in your reply.

-screen317

#10 danthedonut

danthedonut
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:23 PM

Posted 02 September 2008 - 05:24 PM

C:\WINDOWS\system32\drivers\liscfdle.sys



File liscfdle.sys received on 09.03.2008 00:04:56 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.3.0 2008.09.02 -
AntiVir 7.8.1.23 2008.09.02 -
Authentium 5.1.0.4 2008.09.02 -
Avast 4.8.1195.0 2008.09.02 -
AVG 8.0.0.161 2008.09.02 -
BitDefender 7.2 2008.09.02 -
CAT-QuickHeal 9.50 2008.09.02 -
ClamAV 0.93.1 2008.09.02 -
DrWeb 4.44.0.09170 2008.09.02 -
eSafe 7.0.17.0 2008.09.02 -
eTrust-Vet 31.6.6064 2008.09.02 -
Ewido 4.0 2008.09.02 -
F-Prot 4.4.4.56 2008.09.02 -
F-Secure 8.0.14332.0 2008.09.02 -
Fortinet 3.14.0.0 2008.09.02 -
GData 19 2008.09.02 -
Ikarus T3.1.1.34.0 2008.09.02 -
K7AntiVirus 7.10.437 2008.09.02 Trojan.Win32.Malware.2
Kaspersky 7.0.0.125 2008.09.02 -
McAfee 5375 2008.09.02 -
Microsoft 1.3807 2008.09.02 -
NOD32v2 3409 2008.09.02 -
Norman 5.80.02 2008.09.02 -
Panda 9.0.0.4 2008.09.02 -
PCTools 4.4.2.0 2008.09.02 -
Prevx1 V2 2008.09.03 -
Rising 20.60.11.00 2008.09.02 -
Sophos 4.33.0 2008.09.02 -
Sunbelt 3.1.1582.1 2008.09.02 -
Symantec 10 2008.09.02 -
TheHacker 6.3.0.8.070 2008.09.02 -
TrendMicro 8.700.0.1004 2008.09.02 -
VBA32 3.12.8.4 2008.09.02 -
ViRobot 2008.9.2.1361 2008.09.02 -
VirusBuster 4.5.11.0 2008.09.02 -
Webwasher-Gateway 6.6.2 2008.09.02 -
Additional information
File size: 61440 bytes
MD5...: 589312a3b46721c5a751e4d5222a89be

C:\WINDOWS\system32\advpack.dll

File advpack.dll received on 09.03.2008 00:08:13 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.3.0 2008.09.02 -
AntiVir 7.8.1.23 2008.09.02 -
Authentium 5.1.0.4 2008.09.02 -
Avast 4.8.1195.0 2008.09.02 -
AVG 8.0.0.161 2008.09.02 -
BitDefender 7.2 2008.09.02 -
CAT-QuickHeal 9.50 2008.09.02 -
ClamAV 0.93.1 2008.09.02 -
DrWeb 4.44.0.09170 2008.09.02 -
eSafe 7.0.17.0 2008.09.02 -
eTrust-Vet 31.6.6064 2008.09.02 -
Ewido 4.0 2008.09.02 -
F-Prot 4.4.4.56 2008.09.02 -
F-Secure 8.0.14332.0 2008.09.02 -
Fortinet 3.14.0.0 2008.09.02 -
GData 19 2008.09.02 -
Ikarus T3.1.1.34.0 2008.09.02 -
K7AntiVirus 7.10.437 2008.09.02 -
Kaspersky 7.0.0.125 2008.09.03 -
McAfee 5375 2008.09.02 -
Microsoft 1.3807 2008.09.02 -
NOD32v2 3409 2008.09.02 -
Norman 5.80.02 2008.09.02 -
Panda 9.0.0.4 2008.09.02 -
PCTools 4.4.2.0 2008.09.02 -
Prevx1 V2 2008.09.03 -
Rising 20.60.11.00 2008.09.02 -
Sophos 4.33.0 2008.09.02 -
Sunbelt 3.1.1582.1 2008.09.02 -
Symantec 10 2008.09.02 -
TheHacker 6.3.0.8.070 2008.09.02 -
TrendMicro 8.700.0.1004 2008.09.02 -
VBA32 3.12.8.4 2008.09.02 -
ViRobot 2008.9.2.1361 2008.09.02 -
VirusBuster 4.5.11.0 2008.09.02 -
Webwasher-Gateway 6.6.2 2008.09.02 -
Additional information
File size: 124928 bytes
MD5...: d4731a37701c764c25fd4e4462fc5f61

C:\Program Files\yhgrmhe\smartmonhlp.dll

File smartmonhlp.dll received on 09.03.2008 00:11:23 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.3.0 2008.09.02 -
AntiVir 7.8.1.23 2008.09.02 -
Authentium 5.1.0.4 2008.09.02 -
Avast 4.8.1195.0 2008.09.02 -
AVG 8.0.0.161 2008.09.02 -
BitDefender 7.2 2008.09.02 -
CAT-QuickHeal 9.50 2008.09.02 -
ClamAV 0.93.1 2008.09.02 -
DrWeb 4.44.0.09170 2008.09.02 -
eSafe 7.0.17.0 2008.09.02 -
eTrust-Vet 31.6.6064 2008.09.02 -
Ewido 4.0 2008.09.02 -
F-Prot 4.4.4.56 2008.09.02 -
F-Secure 8.0.14332.0 2008.09.02 -
Fortinet 3.14.0.0 2008.09.02 -
GData 19 2008.09.02 -
Ikarus T3.1.1.34.0 2008.09.02 -
K7AntiVirus 7.10.437 2008.09.02 -
Kaspersky 7.0.0.125 2008.09.03 -
McAfee 5375 2008.09.02 -
Microsoft 1.3807 2008.09.02 -
NOD32v2 3409 2008.09.02 -
Norman 5.80.02 2008.09.02 -
Panda 9.0.0.4 2008.09.02 -
PCTools 4.4.2.0 2008.09.02 -
Prevx1 V2 2008.09.03 Fraudulent Security Program
Rising 20.60.11.00 2008.09.02 -
Sophos 4.33.0 2008.09.02 Mal/EncPk-DG
Sunbelt 3.1.1582.1 2008.09.02 -
Symantec 10 2008.09.02 -
TheHacker 6.3.0.8.070 2008.09.02 -
TrendMicro 8.700.0.1004 2008.09.02 -
VBA32 3.12.8.4 2008.09.02 -
ViRobot 2008.9.2.1361 2008.09.02 -
VirusBuster 4.5.11.0 2008.09.02 -
Webwasher-Gateway 6.6.2 2008.09.02 -
Additional information
File size: 106496 bytes
MD5...: 6344a2e3a19b811ef566f11f89ef9e29

C:\Documents and Settings\All Users\Application Data\nwlmtmhs\pghkjyxa.exe

File pghkjyxa.exe received on 09.03.2008 00:14:30 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.3.0 2008.09.02 -
AntiVir 7.8.1.23 2008.09.02 -
Authentium 5.1.0.4 2008.09.02 -
Avast 4.8.1195.0 2008.09.02 -
AVG 8.0.0.161 2008.09.02 Downloader.Swizzor
BitDefender 7.2 2008.09.02 Trojan.Generic.546284
CAT-QuickHeal 9.50 2008.09.02 -
ClamAV 0.93.1 2008.09.02 -
DrWeb 4.44.0.09170 2008.09.02 -
eSafe 7.0.17.0 2008.09.02 -
eTrust-Vet 31.6.6064 2008.09.02 -
Ewido 4.0 2008.09.02 -
F-Prot 4.4.4.56 2008.09.02 -
F-Secure 8.0.14332.0 2008.09.02 -
Fortinet 3.14.0.0 2008.09.02 W32/PolySmall.BP!tr
GData 19 2008.09.02 -
Ikarus T3.1.1.34.0 2008.09.02 -
K7AntiVirus 7.10.437 2008.09.02 -
Kaspersky 7.0.0.125 2008.09.03 -
McAfee 5375 2008.09.02 -
Microsoft 1.3807 2008.09.02 Trojan:Win32/Busky.EH
NOD32v2 3409 2008.09.02 probably a variant of Win32/TrojanDownloader.FakeAlert.BP
Norman 5.80.02 2008.09.02 -
Panda 9.0.0.4 2008.09.02 -
PCTools 4.4.2.0 2008.09.02 -
Prevx1 V2 2008.09.03 -
Rising 20.60.11.00 2008.09.02 -
Sophos 4.33.0 2008.09.02 -
Sunbelt 3.1.1582.1 2008.09.02 -
Symantec 10 2008.09.02 Packed.Generic.182
TheHacker 6.3.0.8.070 2008.09.02 -
TrendMicro 8.700.0.1004 2008.09.02 -
VBA32 3.12.8.4 2008.09.02 -
ViRobot 2008.9.2.1361 2008.09.02 -
VirusBuster 4.5.11.0 2008.09.02 -
Webwasher-Gateway 6.6.2 2008.09.02 -
Additional information
File size: 65536 bytes
MD5...: 474011840745ca5405e383b3c8998353


Cheers

D

Edited by screen317, 04 September 2008 - 01:54 AM.


#11 screen317

screen317

  • Malware Response Team
  • 236 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Los Angeles
  • Local time:04:23 AM

Posted 04 September 2008 - 01:57 AM

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.


Next, please open Notepad - don't use any other text editor than notepad or the script will fail.
Copy and paste the text in the Code box below into Notepad:

http://www.bleepingcomputer.com/forums/t/165922/suspected-virtumonde-infection/
Collect::
C:\Documents and Settings\All Users\Application Data\nwlmtmhs\pghkjyxa.exe
C:\Program Files\yhgrmhe\smartmonhlp.dll
KILLALL::
Folder::C:\Documents and Settings\All Users\Application Data\nwlmtmhs
C:\Program Files\yhgrmhe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"qXeVSupjbm"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"smartmonhlp"=-


Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


Additonally, when ComboFix finishes running, it will display its log and it will prompt you to submit a file for analysis; please follow its instructions.

-screen317

Edited by screen317, 04 September 2008 - 01:58 AM.


#12 danthedonut

danthedonut
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:23 PM

Posted 06 September 2008 - 03:10 AM

Hi,

Sorry for the delay..

Here is the Combofix log

ComboFix 08-09-05.02 - Admin 2008-09-06 14:48:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.874.66.1033.18.579 [GMT 7:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\nwlmtmhs\pghkjyxa.exe
C:\Program Files\yhgrmhe
C:\Program Files\yhgrmhe\smartmonhlp.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-06 to 2008-09-06 )))))))))))))))))))))))))))))))
.

2008-09-01 18:57 . 2008-09-01 18:57 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-09-01 18:57 . 2008-09-01 18:57 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-08-31 14:57 . 2008-08-31 14:57 61,440 --a------ C:\WINDOWS\system32\drivers\liscfdle.sys
2008-08-31 14:37 . 2008-08-31 14:37 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-31 14:37 . 2008-08-31 14:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-31 14:37 . 2008-08-31 14:37 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Malwarebytes
2008-08-31 14:37 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-31 14:37 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-28 08:24 . 2008-08-28 08:24 <DIR> d-------- C:\hjt
2008-08-28 08:07 . 2008-08-28 08:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-28 05:46 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-28 05:45 . 2008-08-28 05:45 <DIR> d-------- C:\Program Files\Panda Security
2008-08-27 23:52 . 2008-08-27 23:59 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-27 23:52 . 2008-08-28 00:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-27 22:58 . 2008-08-27 22:58 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-27 22:58 . 2008-08-27 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-27 22:29 . 2008-08-27 22:29 <DIR> d-------- C:\VundoFix Backups
2008-08-27 01:28 . 2008-08-27 01:28 <DIR> dr-h----- C:\Documents and Settings\Admin\Application Data\SecuROM
2008-08-27 01:28 . 2008-08-27 01:28 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-08-25 09:56 . 2008-08-25 09:56 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-08-25 09:56 . 2008-08-25 10:16 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Roxio
2008-08-25 09:55 . 2008-08-25 09:55 <DIR> d-------- C:\Program Files\InterActual
2008-08-25 09:32 . 2008-08-25 09:32 <DIR> d-------- C:\SmartSound Software
2008-08-25 09:29 . 2008-08-25 09:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-08-25 09:25 . 2008-08-25 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-08-25 09:22 . 2008-08-25 09:30 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-08-25 09:22 . 2008-08-25 09:30 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-08-12 04:27 . 2008-08-14 09:39 <DIR> d-------- C:\Program Files\Total Video Converter
2008-08-12 01:54 . 2008-08-12 01:54 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\NeroDigital?

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-06 07:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\nwlmtmhs
2008-09-06 07:42 --------- d-----w C:\Documents and Settings\Admin\Application Data\Skype
2008-09-06 01:40 --------- d-----w C:\Documents and Settings\Admin\Application Data\skypePM
2008-09-05 04:22 --------- d-----w C:\Documents and Settings\Admin\Application Data\BitTorrent
2008-08-27 15:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-26 18:23 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-08-26 17:16 --------- d-----w C:\Program Files\Common Files\Intuit
2008-08-26 17:10 --------- d-----w C:\Documents and Settings\Admin\Application Data\OpenOffice.org2
2008-08-25 02:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-25 02:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2008-08-06 22:34 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-08-02 00:41 --------- d-----w C:\Program Files\PowerISO
2008-07-13 17:01 --------- d-----w C:\Documents and Settings\Admin\Application Data\IMVU
2008-07-13 16:56 --------- d-----w C:\Program Files\IMVU
2008-07-13 14:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\PassMark
2008-07-13 14:08 --------- d-----w C:\Program Files\WirelessMon
2008-07-07 07:40 56,108 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2008-07-07 02:58 --------- d-----w C:\Program Files\Macromedia
2008-07-07 02:58 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-06-08 16:58 60,273 ----a-w C:\WINDOWS\system32\pthreadGC2.dll
2008-03-26 01:28 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-18 00:59 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2008-01-18 00:59 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-01-18 00:59 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008011720080118\index.dat
2008-01-18 00:59 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

------- Sigcheck -------

2007-10-08 08:30 815104 6cc9bcad800d1fe2567f61645b33ba49 C:\WINDOWS\system32\wininet.dll

2007-10-08 08:31 360704 1157d0d6ba036fb9537d4cd81375b12c C:\WINDOWS\system32\drivers\tcpip.sys

2007-10-08 11:55 2182144 a09c144d8d5a460b8ebfa56f913715d2 C:\WINDOWS\system32\ntkrnlpa.exe

2007-10-08 11:48 2302464 465e3e1178812be755634457f4a778bf C:\WINDOWS\system32\ntoskrnl.exe

2007-10-08 08:31 975360 d96ec9dae043c3bee37ee9099336470e C:\WINDOWS\explorer.exe
2007-10-08 08:31 1224192 8084a78f85e634d4387bb4caa775ade8 C:\WINDOWS\icon_TMP\explorer.exe
2007-10-08 08:31 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\system_backup\explorer.exe

2007-10-08 08:29 80216 1fa4b5a2899a41df1b0068e96b55e9c2 C:\WINDOWS\icon_TMP\wuauclt.exe
2007-10-08 08:29 68440 be055b9cc6958e7b4b2f6fa2a60e2d78 C:\WINDOWS\system32\wuauclt.exe
2007-10-08 08:29 53080 f3e9065eb617a7e3a832a7976bfa021b C:\WINDOWS\system_backup\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2007-05-18 1230848]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-02 21898024]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 1694208]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-09-05 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-09-05 166424]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-09-05 137752]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2007-10-08 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-23 851968]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2007-06-29 707080]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-11-22 35328]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-09-19 29696]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-09-30 49152]
"UVS10 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe" [2006-03-07 36864]
"BootSkin Startup Jobs"="C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-27 270336]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-20 266497]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-30 185896]
"COMODO Firewall Pro"="E:\Program Files\Comodo\Firewall\cfp.exe" [2008-05-31 1655552]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 240112]
"DMXLauncher"="D:\Program Files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 113136]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 C:\WINDOWS\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2007-05-18 1230848]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2007-10-08 C:\WINDOWS\system32\advpack.dll]

C:\Documents and Settings\Admin\WINDOWS\Programs\Startup\
Styler.lnk - C:\Documents and Settings\Admin\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe [2008-01-18 15086]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 11 (0xb)
"NoStartMenuMFUprogramsList"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-21 13:57 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"E:\\Program Files\\realplay.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-05-23 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-05-23 24208]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R3 hidshim;Service for HID-KMDF Shim layer;C:\WINDOWS\system32\DRIVERS\hidshim.sys [2007-05-30 5632]
R3 winbondhidcir;Winbond HID CIR Receiver;C:\WINDOWS\system32\DRIVERS\winbondhidcir.sys [2007-05-30 21504]
S0 iastor76;iastor76;C:\WINDOWS\system32\drivers\iastor76.sys [2007-10-08 305176]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;D:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2007-08-24 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2007-08-24 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2007-08-24 166384]
S2 SessionLauncher;SessionLauncher;C:\DOCUME~1\Admin\LOCALS~1\Temp\DX9\SessionLauncher.exe [ ]
S3 musbehco;musbehco;C:\DOCUME~1\Admin\LOCALS~1\Temp\musbehco.sys [ ]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;D:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2007-08-24 72176]
S3 RoxMediaDB10;RoxMediaDB10;C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2007-08-24 1083888]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ba2ca5a-7244-11dd-bb73-001b24fb8699}]
\Shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e426ae0e-d8f9-11dc-b2a6-001b24fb8f77}]
\Shell\AutoRun\command - H:\autoverify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{34A19196-274E-4D75-9D30-D7A45A0A4178}]
"%ProgramFiles%\Windows Sidebar\.\regsvr32.exe" /s wlsrvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6B9228DA-9C15-419e-856C-19E768A13BDC}]
"%ProgramFiles%\Windows Sidebar\.\regsvr32.exe" /s sbdrop.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
HIDEC /W "%VAIOTOOLS%\regtlib.exe" "%ProgramFiles%\Windows Sidebar\sidebar.exe"
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-06 14:53:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\RocketDock\RocketDock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Styler\Styler.exe
C:\DOCUME~1\Admin\LOCALS~1\temp\RtkBtMnt.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-09-06 14:59:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-06 07:59:16
ComboFix2.txt 2008-09-01 00:40:29

Pre-Run: 9,550,073,856 bytes free
Post-Run: 9,540,116,480 bytes free

242


HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:08:03, on 06/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20627)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Comodo\Firewall\cfp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
D:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Styler\Styler.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wincustomize.com/skins.asp?library=32
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - E:\Program Files\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [COMODO Firewall Pro] "E:\Program Files\Comodo\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [DMXLauncher] "D:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Shortcut to autorun.exe.lnk = D:\autorun.exe
O4 - Global Startup: Shortcut to RocketDock.lnk = C:\Program Files\RocketDock\RocketDock.exe
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: ส่&งออกไปยัง Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: ???????? - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Admin\WINDOWS\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplug.com/StreamPlug/beta/SP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C8F58E8-9DB3-4C68-8ADD-E0B82F5D821A}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - E:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - D:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - D:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Admin\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Usbest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 12829 bytes


Additonally, when ComboFix finishes running, it will display its log and it will prompt you to submit a file for analysis; please follow its instructions.


Just a note - there was no prompt to submit a file for analysis

Thx

#13 screen317

screen317

  • Malware Response Team
  • 236 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Los Angeles
  • Local time:04:23 AM

Posted 07 September 2008 - 04:59 PM

Hi,

Please delete this folder...
C:\Documents and Settings\All Users\Application Data\nwlmtmhs

...and these files:
C:\Documents and Settings\Admin\WINDOWS\Programs\Startup\Styler.lnk
C:\Documents and Settings\Admin\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe


After that, please back your Registry with ERUNT.
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe



Please open Notepad. Copy and paste the following text (starting with REGEDIT4) into the Notepad document.

Navigate to File --> Save As..., and save the file as Fix.reg (make sure the Save As Type is set to All Files).

Save it to your Desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ba2ca5a-7244-11dd-bb73-001b24fb8699}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e426ae0e-d8f9-11dc-b2a6-001b24fb8f77}]


Now navigate to your Desktop, and double click fix.reg (Click Yes to the prompt).


After that, delete fix.reg.

Next, navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u

This uninstalls all of ComboFix's components.


Restart your computer, post a fresh HijackThis log, and let me know what problems remain.

-screen317

#14 danthedonut

danthedonut
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:23 PM

Posted 08 September 2008 - 06:43 AM

New HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:38:03, on 08/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20627)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
E:\Program Files\Comodo\Firewall\cfp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
D:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\RtkBtMnt.exe
E:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wincustomize.com/skins.asp?library=32
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - E:\Program Files\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [COMODO Firewall Pro] "E:\Program Files\Comodo\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [DMXLauncher] "D:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Shortcut to autorun.exe.lnk = D:\autorun.exe
O4 - Global Startup: Shortcut to RocketDock.lnk = C:\Program Files\RocketDock\RocketDock.exe
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: ส่&งออกไปยัง Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: ???????? - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Admin\WINDOWS\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplug.com/StreamPlug/beta/SP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C8F58E8-9DB3-4C68-8ADD-E0B82F5D821A}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - E:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - D:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - D:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Admin\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Usbest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 12806 bytes


I removed the files you asked, the only problem is that the styler link used to run and change the appearance of my desktop (as set by me). If the styler link was a problem then no worries, but was it necessary to delete ? Am I able to create a new link to styler in Startup ?

Many thanks

D

#15 screen317

screen317

  • Malware Response Team
  • 236 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Los Angeles
  • Local time:04:23 AM

Posted 08 September 2008 - 02:36 PM

Am I able to create a new link to styler in Startup?

Yes feel free to create a new link; the old one somehow got connected to a malicious file.

Let's run one final check before I send you home with great tips for computer security in the future.

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


Also... Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u7.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • In the pull down menu next to Platform select Windows
  • Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement"
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windowsi586-p.exe to install the newest version.
Restart your computer, and post a fresh HijackThis log.


After that, please download JavaRa and unzip it to your Desktop.

Double click JavaRa.exe then click Remove Older Versions.

Follow any prompts; a log will popup (JavaRa.log)-- please post the contents of this log.

-screen317




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users