
Infected With Virtumonde


This topic is locked
9 replies to this topic

#1 shurikenx

  • Members
  • 6 posts
  • Gender:Female

Posted 15 September 2008 - 06:57 PM

Hello, I have been to several sites to try to fix this, but haven't had any luck. I have followed your step-by-step instructions on what to do before you post HJL.

I have tried a lot of scanners and registry software to try and remove them.

I removed a lot of the spyware, but am left with a single Virtumonde that shows up every time I reboot. Spybot removes it when I do a scan every time I reboot. Then when I reboot again, it is still there. ><

Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:34:25 PM, on 9/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1153012437\ee\AOLSoftware.exe
C:\WINDOWS\system32\TCAUDIAG.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.69\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.69\ccSvcHst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SweetIM\Messenger\SweetIM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Sam\Desktop\HijackThis\Crusty.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {1BD0EDB1-CFA2-4B4D-A62F-5A47F26C59Df} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.0.0.69\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O2 - BHO: (no name) - {FEC9D9DC-F62D-420F-A180-500E9C0AAC8F} - (no file)
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1153012437\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\WINDOWS\system32\msupdte.exe
O4 - HKLM\..\Run: [5ca0d799] rundll32.exe "C:\WINDOWS\system32\yvepgkgy.dll",b
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Sam\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150437316779
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E0B1CB0-8DF4-4008-8282-E2428685CB1A}: NameServer = 151.164.14.201,151.164.1.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E0B1CB0-8DF4-4008-8282-E2428685CB1A}: NameServer = 151.164.14.201,151.164.1.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E0B1CB0-8DF4-4008-8282-E2428685CB1A}: NameServer = 151.164.14.201,151.164.1.8
O18 - Filter hijack: text/html - {0EB00690-8FA1-11D3-96C7-829E3EA50C29} - (no file)
O20 - AppInit_DLLs: grglrj.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tuvVLbXP - tuvVLbXP.dll (file missing)
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Norton AntiVirus (NAV) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.0.0.69\ccSvcHst.exe

--
End of file - 9424 bytes


Thanks in advance for your help. :thumbsup:
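Added example, not from this thread, from HijackThis or from any of the tools named in it: a small Python triage pass over a HijackThis v2 log of the kind posted above, flagging the patterns a removal helper checks first (entries whose file is gone, autorun values with random 8-hex-digit names, rundll32 loading a DLL through a single-letter export, AppInit_DLLs hooks). The sample input is a few lines copied from the log above plus two clean entries; the heuristics, regexes and the "vendor-sounding name" rule are assumptions for illustration, not HijackThis logic.

```python
"""Triage helper for Trend Micro HijackThis v2 logs (added example, not from the thread)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    entry: str    # the log line with its "O4 - " prefix removed
    reason: str   # why a malware-removal helper would look at it first


# Constructed sample: lines copied from the HijackThis log posted above, plus two
# clean entries (Java BHO, iTunesHelper) so the heuristics have something to ignore.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\WINDOWS\system32\msupdte.exe
O4 - HKLM\..\Run: [5ca0d799] rundll32.exe "C:\WINDOWS\system32\yvepgkgy.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Filter hijack: text/html - {0EB00690-8FA1-11D3-96C7-829E3EA50C29} - (no file)
O20 - AppInit_DLLs: grglrj.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tuvVLbXP - tuvVLbXP.dll (file missing)
"""

LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# O4 autorun lines look like:  HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r"^(?P<hive>\S+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RANDOM_HEX_RE = re.compile(r"^[0-9a-f]{8}$")
# rundll32 <something>.dll,<single letter>: the loader shape seen for yvepgkgy.dll above
SINGLE_EXPORT_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^"]+\.dll"?\s*,\s*[A-Za-z]$', re.IGNORECASE)
# a bare executable dropped directly into system32 rather than a vendor directory
LOOSE_SYSTEM32_EXE_RE = re.compile(r'^"?[A-Z]:\\WINDOWS\\system32\\[^\\"]+\.exe"?$', re.IGNORECASE)
VENDOR_WORDS = ("microsoft", "windows", "update")  # assumed word list for the low-confidence rule


def parse(log_text):
    """Yield (section, rest) for every R*/O* line; process lists and headers are ignored."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2).strip()


def triage(log_text):
    """Return the entries worth a second look, each with the heuristic that fired."""
    findings = []
    for section, rest in parse(log_text):
        if rest.endswith("(no file)") or rest.endswith("(file missing)"):
            findings.append(Finding(section, rest, "orphaned entry: the referenced file no longer exists"))
        if section == "O20" and rest.startswith("AppInit_DLLs:"):
            if rest.split(":", 1)[1].strip():
                findings.append(Finding(section, rest, "AppInit_DLLs loads this DLL into every user-mode process"))
        if section == "O4":
            m = O4_RE.match(rest)
            if not m:
                continue  # Startup-folder .lnk lines use a different shape
            name, cmd = m.group("name"), m.group("cmd")
            if RANDOM_HEX_RE.match(name):
                findings.append(Finding(section, rest, "autorun value named with 8 random hex digits"))
            if SINGLE_EXPORT_RE.match(cmd):
                findings.append(Finding(section, rest, "rundll32 loads a DLL through a single-letter export"))
            if any(w in name.lower() for w in VENDOR_WORDS) and LOOSE_SYSTEM32_EXE_RE.match(cmd):
                findings.append(Finding(section, rest, "low confidence: vendor-sounding name launching a loose system32 executable"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.entry}")
```

The four entries this flags as random-name, single-export, AppInit and orphaned are the same ones SDFix and Malwarebytes remove later in the thread, which is the point of reading the O4/O20 lines before running any tool.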



#2 steamwiz

  • Members
  • 1,039 posts

Posted 16 September 2008 - 04:06 PM

Hi

What scanners have you run?

What is the item that Spybot finds?

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#3 shurikenx

  • Topic Starter
  • Members
  • 6 posts
  • Gender:Female

Posted 16 September 2008 - 04:40 PM

hiya,

Thank you for the speedy response!

So far I have run System Mechanic, a-squared Anti-Malware, SUPERAntiSpyware Free Edition, Spybot - Search & Destroy, Ad-Aware, AVG, CCleaner, Norton AntiVirus, CWShredder,
BitDefender Online Scanner, Panda ActiveScan, VundoFix, McAfee Stinger, VirtumundoBegone. That is all of them, I think.

Spybot finds Virtumonde: 2 entries in my HKEYs. W/e that means. :/



Edit: This is the report from Spybot:

--- Search result list ---
Virtumonde: [SBI $42352499] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-507921405-1454471165-725345543-1004\Software\Microsoft\rdfa

Virtumonde: [SBI $47E741CD] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws


TY!

Edited by shurikenx, 16 September 2008 - 05:10 PM.


#4 steamwiz

  • Members
  • 1,039 posts

Posted 17 September 2008 - 12:50 PM

Hi

Please run the following & post the logs :-

1. Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

2. Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

3. Reboot into Safe Mode :-

4. Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.

It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.

When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum.

THEN...

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#5 shurikenx

  • Topic Starter
  • Members
  • 6 posts
  • Gender:Female

Posted 18 September 2008 - 07:08 PM

Hi Steam!

Ty for getting back to me with the guide you provided. I followed all the steps, AND the steps from the links.

Here are my logs.

SDFix log:


SDFix: Version 1.226
Run by Sam on Wed 09/17/2008 at 11:14 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\Documents and Settings\Sam\Desktop\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\msupdte.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-17 23:34:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Il\16x\x20ac{\xb6\x2013ěS ?(?T?r?u?e?T?y?p?e?)?"="HDZB_37.TTF"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7AEFDED4-44F5-DCBC-3ADE-01B7006219A7}]

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1153012437\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1153012437\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1153012437\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1153012437\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\Program Files\\Hasbro Interactive\\Clue\\Clue.exe"="C:\\Program Files\\Hasbro Interactive\\Clue\\Clue.exe:*:Enabled:Clue"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Disabled:Run a DLL as an App"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"D:\\Life\\life.exe"="D:\\Life\\life.exe:*:Enabled:The Game Of Life"
"C:\\Program Files\\Tortun\\gui.exe"="C:\\Program Files\\Tortun\\gui.exe:*:Disabled:gui"
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe:*:Disabled:TrueVector Service"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\DOCUME~1\Sam\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 18 Aug 2008 1,832,272 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sat 21 Sep 2002 10,752 A..H. --- "C:\71fa59ad73e97\sp1\update\spcustom.dll"
Sat 21 Sep 2002 273,408 A..H. --- "C:\71fa59ad73e97\sp1\update\update.exe"
Sat 21 Sep 2002 10,752 A..H. --- "C:\922d5b79a\sp1\update\spcustom.dll"
Sat 21 Sep 2002 273,408 A..H. --- "C:\922d5b79a\sp1\update\update.exe"
Sat 21 Sep 2002 10,752 A..H. --- "C:\dec37d3eff887d3f6dbfba085dcdfa\sp1\update\spcustom.dll"
Sat 21 Sep 2002 273,408 A..H. --- "C:\dec37d3eff887d3f6dbfba085dcdfa\sp1\update\update.exe"
Sun 24 Aug 2008 444 ...HR --- "C:\Documents and Settings\Sam\Application Data\SecuROM\UserData\securom_v7_01.bak"

Finished!

Malwarebytes log:


Malwarebytes' Anti-Malware 1.28
Database version: 1166
Windows 5.1.2600 Service Pack 3

9/17/2008 11:51:09 PM
mbam-log-2008-09-17 (23-51-09).txt

Scan type: Quick Scan
Objects scanned: 42893
Time elapsed: 4 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\yvepgkgy.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5ca0d799 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\yvepgkgy.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ygkgpevy.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\BM5f93e405.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM5f93e405.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\ftpsconfig.dll (Hijack.Filter) -> Quarantined and deleted successfully.

Combofix log:


ComboFix 08-09-16.05 - Sam 2008-09-18 18:02:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.591 [GMT -5:00]
Running from: C:\Documents and Settings\Sam\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\eLnUCcdd.ini
C:\WINDOWS\system32\eLnUCcdd.ini2

----- BITS: Possible infected sites -----

http://www.tucows.com
.
((((((((((((((((((((((((( Files Created from 2008-08-18 to 2008-09-18 )))))))))))))))))))))))))))))))
.

2008-09-18 16:52 . 2008-09-18 17:54 <DIR> d-------- C:\XPSP2
2008-09-17 23:13 . 2008-09-17 23:13 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-09-17 23:11 . 2008-09-17 23:11 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-17 23:00 . 2008-09-17 23:00 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-09-17 23:00 . 2008-09-17 23:00 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-09-17 22:59 . 2008-09-18 16:31 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-09-17 22:59 . 2008-09-17 22:59 <DIR> d-------- C:\Program Files\AVG
2008-09-17 22:59 . 2008-09-17 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-09-17 22:59 . 2008-09-17 22:59 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-17 22:46 . 2008-09-17 22:47 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-17 22:46 . 2008-09-17 22:46 <DIR> d-------- C:\Documents and Settings\Sam\Application Data\Malwarebytes
2008-09-17 22:46 . 2008-09-17 22:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-17 22:46 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-17 22:46 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-17 22:42 . 2008-09-16 17:42 <DIR> d-------- C:\SDFix
2008-09-17 16:02 . 2008-09-18 17:55 4,958,588 --a------ C:\WINDOWS\{00000002-00000000-0000000C-00001102-00000004-20021102}.BAK
2008-09-15 19:55 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-15 19:54 . 2008-09-15 19:55 <DIR> d-------- C:\Program Files\Java
2008-09-15 19:53 . 2008-09-15 19:53 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-15 14:42 . 2008-09-15 16:16 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-09-15 13:52 . 2008-09-15 13:52 <DIR> d-------- C:\Program Files\SweetIM
2008-09-15 13:52 . 2008-09-15 13:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SweetIM
2008-09-11 15:51 . 2008-09-11 15:51 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-09-11 15:51 . 2008-09-17 22:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-11 15:51 . 2008-09-17 22:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Norton
2008-09-11 15:50 . 2008-09-15 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2008-09-11 13:52 . 2008-09-11 13:52 <DIR> d-------- C:\Program Files\Digital Locker Assistant
2008-09-09 15:06 . 2008-09-09 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-09 15:05 . 2008-09-15 20:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-09 15:05 . 2008-09-09 15:05 <DIR> d-------- C:\Documents and Settings\Sam\Application Data\SUPERAntiSpyware.com
2008-09-08 13:54 . 2008-09-08 20:04 337 --a------ C:\rollback.ini
2008-09-07 19:18 . 2008-09-08 08:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-09-07 19:18 . 2008-09-08 10:25 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-09-07 19:16 . 2008-09-09 15:54 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-09-07 19:15 . 2008-09-09 15:54 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-09-07 00:45 . 2008-09-07 00:45 <DIR> d-------- C:\VundoFix Backups
2008-09-06 22:50 . 2008-09-18 17:56 <DIR> d-------- C:\Documents and Settings\Sam\Application Data\SiteAdvisor
2008-09-06 22:50 . 2008-09-06 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-09-06 22:50 . 2008-09-06 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-09-06 13:53 . 2008-09-06 13:53 75 --a------ C:\WINDOWS\st_affiliate.ini
2008-09-05 01:30 . 2008-09-05 01:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Fitn17
2008-09-05 01:11 . 2008-09-05 01:24 311 --a------ C:\WINDOWS\bbbconfig.dat
2008-09-02 15:04 . 2008-09-02 15:04 <DIR> d-------- C:\Documents and Settings\Sam\Application Data\Windows Search
2008-09-02 15:00 . 2008-09-02 15:00 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-09-02 15:00 . 2008-09-02 15:00 <DIR> d-------- C:\Documents and Settings\Sam\Application Data\Windows Desktop Search
2008-09-02 14:59 . 2008-09-02 14:59 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-09-02 14:59 . 2008-09-02 14:59 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-09-02 14:58 . 2008-03-07 12:02 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-09-02 14:58 . 2008-03-07 12:02 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-09-02 14:58 . 2008-03-07 12:02 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-09-02 14:57 . 2008-07-22 09:45 1,214,526 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-09-02 14:57 . 2008-07-22 09:45 790,846 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-09-02 14:57 . 2008-07-22 09:45 9,696 -----c--- C:\WINDOWS\system32\dllcache\drvmain.sdb
2008-09-01 22:48 . 2008-09-01 22:50 <DIR> d-------- C:\Program Files\CCleaner
2008-09-01 22:29 . 2008-09-01 22:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2008-09-01 22:29 . 2008-09-09 10:15 922,464 --a------ C:\WINDOWS\system32\Incinerator.dll
2008-09-01 22:29 . 2008-09-01 22:29 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg
2008-09-01 22:28 . 2008-09-01 22:28 <DIR> d-------- C:\Program Files\iolo
2008-09-01 22:28 . 2008-09-01 22:28 74,703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-09-01 22:28 . 2008-06-16 19:21 29,696 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2008-09-01 22:28 . 2008-09-09 16:45 8,192 --a------ C:\WINDOWS\system32\smrgdf.exe
2008-09-01 22:16 . 2008-09-01 22:29 <DIR> d-------- C:\Documents and Settings\Sam\Application Data\iolo
2008-09-01 22:16 . 2008-09-01 22:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-08-31 14:19 . 2008-08-31 14:19 <DIR> d-------- C:\Documents and Settings\Sam\Application Data\Uniblue
2008-08-31 14:02 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2008-08-30 16:14 . 2008-08-31 00:29 <DIR> d-------- C:\Program Files\a-squared Anti-Dialer
2008-08-30 16:13 . 2008-09-15 20:08 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-08-30 13:05 . 2008-08-30 13:05 <DIR> d-------- C:\WINDOWS\Go-Go Gourmet 2 - Chef of the Year
2008-08-29 17:51 . 2008-08-29 17:51 <DIR> d-------- C:\Documents and Settings\Sam\Application Data\Simply Super Software
2008-08-29 17:06 . 2008-08-29 17:06 <DIR> d-------- C:\Documents and Settings\Sam\Application Data\TrojanHunter
2008-08-29 15:13 . 2008-08-30 12:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-28 15:55 . 2008-08-28 15:55 <DIR> d-------- C:\Documents and Settings\Sam\Application Data\Go-Go Gourmet Chef of the Year
2008-08-28 04:23 . 2008-09-07 17:16 <DIR> d-------- C:\Documents and Settings\Sam\Saved Games
2008-08-28 04:06 . 2008-08-28 04:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FreshGames
2008-08-24 18:30 . 2008-08-24 18:30 <DIR> d-------- C:\Program Files\MagicDisc
2008-08-24 18:30 . 2008-07-28 17:19 116,736 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-08-24 18:24 . 2008-08-24 18:24 <DIR> dr-h----- C:\Documents and Settings\Sam\Application Data\SecuROM
2008-08-24 18:24 . 2008-08-24 18:24 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-08-20 18:40 . 2008-08-20 18:40 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-20 18:40 . 2008-08-20 18:40 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-20 18:40 . 2008-08-20 18:40 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-18 18:23 . 2008-04-13 19:12 712,704 --a------ C:\WINDOWS\system32\windowscodecs.dll
2008-08-18 18:23 . 2008-04-13 19:12 346,112 --a------ C:\WINDOWS\system32\windowscodecsext.dll
2008-08-18 18:23 . 2008-04-13 19:12 276,992 --a------ C:\WINDOWS\system32\wmphoto.dll
2008-08-18 18:23 . 2008-04-13 19:12 69,120 --a------ C:\WINDOWS\system32\wlanapi.dll
2008-08-18 18:23 . 2008-04-13 19:12 53,248 --a------ C:\WINDOWS\system32\tsgqec.dll
2008-08-18 18:23 . 2008-04-13 19:12 50,688 --a------ C:\WINDOWS\system32\tspkg.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-17 23:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-17 21:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-16 05:30 --------- d-----w C:\Program Files\World of Warcraft
2008-09-09 20:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-06 17:20 --------- d-----w C:\Program Files\MagicISO
2008-09-06 17:20 --------- d-----w C:\Program Files\Ace of WAV
2008-09-03 23:02 --------- d-----w C:\Documents and Settings\Sam\Application Data\Gamelab
2008-08-31 20:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-30 17:44 --------- d-----w C:\Program Files\Lavasoft
2008-08-30 17:44 --------- d-----w C:\Documents and Settings\Sam\Application Data\Lavasoft
2008-08-28 05:30 --------- d-----w C:\Documents and Settings\Sam\Application Data\PlayFirst
2008-08-21 03:50 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-14 21:02 110 ----a-w C:\Documents and Settings\All Users\Application Data\MostFunGameId.bin
2006-06-17 03:41 77 --sh--w C:\Program Files\Common Files\Desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EEE6C35D-6118-11DC-9C72-001320C79847}"= "C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2008-07-06 173368]

[HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2008-07-06 12:44 1164600 --a------ C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-07-06 1164600]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-07-06 1164600]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"SetDefaultMIDI"="MIDIDef.exe" [2006-08-11 C:\WINDOWS\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 278528]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 155648]
"HostManager"="C:\Program Files\Common Files\AOL\1153012437\ee\AOLSoftware.exe" [2006-05-09 50760]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-25 185632]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"SweetIM"="C:\Program Files\SweetIM\Messenger\SweetIM.exe" [2008-07-06 111928]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-17 1235736]
"TCASUTIEXE"="TCAUDIAG.exe" [2003-07-16 C:\WINDOWS\system32\TCAUDIAG.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 C:\WINDOWS\KHALMNPR.Exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 C:\WINDOWS\system32\CTXFIHLP.EXE]
"CTHelper"="CTHELPER.EXE" [2006-08-11 C:\WINDOWS\CTHELPER.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Sam\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-08-24 575488]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-05 125624]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-08-20 805392]
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=grglrj.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a------ 2003-05-30 12:42 585728 C:\Program Files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2003-05-29 19:28 790528 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SoundMAX Agent Service (default)"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1153012437\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1153012437\\ee\\aim6.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8039:TCP"= 8039:TCP:BitComet 8039 TCP
"8039:UDP"= 8039:UDP:BitComet 8039 UDP
"6112:TCP"= 6112:TCP:BlizzDL6112
"3724:TCP"= 3724:TCP:BlizzDL3724

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-17 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-17 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-17 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-17 76040]
R2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-08-15 596328]
R2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-08-15 596328]
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-06-30 3712]
R2 tcaicchg;tcaicchg;C:\WINDOWS\system32\tcaicchg.sys [2000-06-06 21233]
R2 TCAITDI;TCAITDI Protocol;C:\WINDOWS\system32\DRIVERS\TCAITDI.sys [2001-09-03 19534]
S3 COMMONFX.SYS;COMMONFX.SYS;C:\WINDOWS\system32\drivers\COMMONFX.SYS [ ]
S3 COMMONFX;COMMONFX;C:\WINDOWS\system32\drivers\COMMONFX.SYS [ ]
S3 CTAUDFX.SYS;CTAUDFX.SYS;C:\WINDOWS\system32\drivers\CTAUDFX.SYS [ ]
S3 CTAUDFX;CTAUDFX;C:\WINDOWS\system32\drivers\CTAUDFX.SYS [ ]
S3 CTERFXFX.SYS;CTERFXFX.SYS;C:\WINDOWS\system32\drivers\CTERFXFX.SYS [ ]
S3 CTERFXFX;CTERFXFX;C:\WINDOWS\system32\drivers\CTERFXFX.SYS [ ]
S3 CTSBLFX.SYS;CTSBLFX.SYS;C:\WINDOWS\system32\drivers\CTSBLFX.SYS [ ]
S3 CTSBLFX;CTSBLFX;C:\WINDOWS\system32\drivers\CTSBLFX.SYS [ ]
S3 P1050VID;Creative WebCam Pro eX (Video);C:\WINDOWS\system32\DRIVERS\P1050Wnt.sys [2003-01-02 179853]
S3 p17filt;p17filt;C:\WINDOWS\system32\drivers\p17filt.sys [ ]
S3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-08-12 19020]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1BD0EDB1-CFA2-4B4D-A62F-5A47F26C59Df} - (no file)
BHO-{FEC9D9DC-F62D-420F-A180-500E9C0AAC8F} - (no file)
WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
Notify-tuvVLbXP - tuvVLbXP.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\9n7u0pvs.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
FF -: plugin - C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\Google\Google Updater\2.2.1111.1511\npCIDetect11.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-18 18:08:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\searchindexer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
C:\Program Files\iolo\System Mechanic\SMTrayNotify.exe
.
**************************************************************************
.
Completion time: 2008-09-18 18:12:26 - machine was rebooted [Sam]
ComboFix-quarantined-files.txt 2008-09-18 23:12:20

Pre-Run: 15,801,020,416 bytes free
Post-Run: 15,719,092,224 bytes free

286 --- E O F --- 2008-09-07 03:56:50


_________________________________________________________________________________________



I noticed it said that I don't have the recovery console installed. However, I did try to install it by following the directions given, and I guess it didn't create one? Is that going to be a problem? Or should I try again? I did it by dragging and dropping the "WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe" (as recommended if you have SP3) onto the ComboFix icon on my desktop. It seemed to run fine from there. So I don't know why it didn't install. It wasn't working when I tried to integrate my CD-ROM to SP2. My CD-ROM version is SP1. I just followed the integration instructions. /shrug

TY again in advance.

#6 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:09:50 AM

Posted 19 September 2008 - 03:38 PM

HI

It doesn't look as though ComboFix even saw the recovery console file you dropped in. Please try again. It is not essential to have the recovery console installed, but in the unlikely event that the removal of malware made your computer unbootable, being able to boot to the recovery console would enable us to carry out diagnostics & repairs to get you up & running again ...

Please post a new hijackthis log ...

Then please run Spybot again & see if it now gives you a clean log ...

Any problems still ?

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#7 shurikenx

shurikenx
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Female
  • Local time:03:50 AM

Posted 20 September 2008 - 12:30 PM

Hi, yeah I don't know why it didn't do the recovery console install.

It did it this time around.

Here is my combofix log:

ComboFix 08-09-19.06 - Sam 2008-09-19 19:28:11.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.636 [GMT -5:00]
Running from: C:\Documents and Settings\Sam\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sam\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-08-20 to 2008-09-20 )))))))))))))))))))))))))))))))
.

2008-09-18 19:27 . 2008-09-19 19:23 4,958,588 --a------ C:\WINDOWS\{00000002-00000000-0000000C-00001102-00000004-20021102}.BAK
2008-09-17 23:13 . 2008-09-17 23:13 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-09-17 23:11 . 2008-09-17 23:11 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-17 23:00 . 2008-09-17 23:00 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-09-17 23:00 . 2008-09-17 23:00 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-09-17 22:59 . 2008-09-19 09:08 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-09-17 22:59 . 2008-09-17 22:59 <DIR> d-------- C:\Program Files\AVG
2008-09-17 22:59 . 2008-09-17 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-09-17 22:59 . 2008-09-17 22:59 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-17 22:46 . 2008-09-17 22:47 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-17 22:46 . 2008-09-17 22:46 <DIR> d-------- C:\Documents and Settings\Sam\Application Data\Malwarebytes
2008-09-17 22:46 . 2008-09-17 22:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-17 22:46 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-17 22:46 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-17 22:42 . 2008-09-16 17:42 <DIR> d-------- C:\SDFix
2008-09-15 19:55 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-15 19:54 . 2008-09-15 19:55 <DIR> d-------- C:\Program Files\Java
2008-09-15 19:53 . 2008-09-15 19:53 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-15 14:42 . 2008-09-15 16:16 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-09-15 13:52 . 2008-09-15 13:52 <DIR> d-------- C:\Program Files\SweetIM
2008-09-15 13:52 . 2008-09-15 13:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SweetIM
2008-09-11 15:51 . 2008-09-11 15:51 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-09-11 15:51 . 2008-09-17 22:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-11 15:51 . 2008-09-17 22:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Norton
2008-09-11 15:50 . 2008-09-15 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2008-09-11 13:52 . 2008-09-11 13:52 <DIR> d-------- C:\Program Files\Digital Locker Assistant
2008-09-09 15:06 . 2008-09-09 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-09 15:05 . 2008-09-15 20:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-09 15:05 . 2008-09-09 15:05 <DIR> d-------- C:\Documents and Settings\Sam\Application Data\SUPERAntiSpyware.com
2008-09-08 13:54 . 2008-09-08 20:04 337 --a------ C:\rollback.ini
2008-09-07 19:18 . 2008-09-08 08:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-09-07 19:18 . 2008-09-08 10:25 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-09-07 19:16 . 2008-09-09 15:54 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-09-07 19:15 . 2008-09-09 15:54 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-09-06 22:50 . 2008-09-19 18:58 <DIR> d-------- C:\Documents and Settings\Sam\Application Data\SiteAdvisor
2008-09-06 22:50 . 2008-09-06 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-09-06 22:50 . 2008-09-06 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-09-06 13:53 . 2008-09-06 13:53 75 --a------ C:\WINDOWS\st_affiliate.ini
2008-09-05 01:30 . 2008-09-05 01:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Fitn17
2008-09-05 01:11 . 2008-09-05 01:24 311 --a------ C:\WINDOWS\bbbconfig.dat
2008-09-02 15:04 . 2008-09-02 15:04 <DIR> d-------- C:\Documents and Settings\Sam\Application Data\Windows Search
2008-09-02 15:00 . 2008-09-02 15:00 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-09-02 15:00 . 2008-09-02 15:00 <DIR> d-------- C:\Documents and Settings\Sam\Application Data\Windows Desktop Search
2008-09-02 14:59 . 2008-09-02 14:59 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-09-02 14:59 . 2008-09-02 14:59 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-09-02 14:58 . 2008-03-07 12:02 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-09-02 14:58 . 2008-03-07 12:02 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-09-02 14:58 . 2008-03-07 12:02 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-09-02 14:57 . 2008-07-22 09:45 1,214,526 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-09-02 14:57 . 2008-07-22 09:45 790,846 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-09-02 14:57 . 2008-07-22 09:45 9,696 -----c--- C:\WINDOWS\system32\dllcache\drvmain.sdb
2008-09-01 22:48 . 2008-09-01 22:50 <DIR> d-------- C:\Program Files\CCleaner
2008-09-01 22:29 . 2008-09-01 22:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2008-09-01 22:29 . 2008-09-09 10:15 922,464 --a------ C:\WINDOWS\system32\Incinerator.dll
2008-09-01 22:29 . 2008-09-01 22:29 406 --a------ C:\WINDOWS\system32\ioloBootDefrag.cfg
2008-09-01 22:28 . 2008-09-01 22:28 <DIR> d-------- C:\Program Files\iolo
2008-09-01 22:28 . 2008-09-01 22:28 74,703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-09-01 22:28 . 2008-06-16 19:21 29,696 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2008-09-01 22:28 . 2008-09-09 16:45 8,192 --a------ C:\WINDOWS\system32\smrgdf.exe
2008-09-01 22:16 . 2008-09-01 22:29 <DIR> d-------- C:\Documents and Settings\Sam\Application Data\iolo
2008-09-01 22:16 . 2008-09-01 22:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-08-31 14:19 . 2008-08-31 14:19 <DIR> d-------- C:\Documents and Settings\Sam\Application Data\Uniblue
2008-08-31 14:02 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2008-08-30 16:14 . 2008-08-31 00:29 <DIR> d-------- C:\Program Files\a-squared Anti-Dialer
2008-08-30 16:13 . 2008-09-15 20:08 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-08-30 13:05 . 2008-08-30 13:05 <DIR> d-------- C:\WINDOWS\Go-Go Gourmet 2 - Chef of the Year
2008-08-29 17:51 . 2008-08-29 17:51 <DIR> d-------- C:\Documents and Settings\Sam\Application Data\Simply Super Software
2008-08-29 17:06 . 2008-08-29 17:06 <DIR> d-------- C:\Documents and Settings\Sam\Application Data\TrojanHunter
2008-08-29 15:13 . 2008-08-30 12:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-28 15:55 . 2008-08-28 15:55 <DIR> d-------- C:\Documents and Settings\Sam\Application Data\Go-Go Gourmet Chef of the Year
2008-08-28 04:23 . 2008-09-07 17:16 <DIR> d-------- C:\Documents and Settings\Sam\Saved Games
2008-08-28 04:06 . 2008-08-28 04:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FreshGames
2008-08-24 18:30 . 2008-08-24 18:30 <DIR> d-------- C:\Program Files\MagicDisc
2008-08-24 18:30 . 2008-07-28 17:19 116,736 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-08-24 18:24 . 2008-08-24 18:24 <DIR> dr-h----- C:\Documents and Settings\Sam\Application Data\SecuROM
2008-08-24 18:24 . 2008-08-24 18:24 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-08-20 18:40 . 2008-08-20 18:40 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-20 18:40 . 2008-08-20 18:40 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-20 18:40 . 2008-08-20 18:40 <DIR> d-------- C:\WINDOWS\l2schemas

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-19 23:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-19 00:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-16 05:30 --------- d-----w C:\Program Files\World of Warcraft
2008-09-09 20:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-07 03:06 118,784 ----a-w C:\WINDOWS\Web\Wallpaper\Enthusiasm In Life Wallpaper.exe
2008-09-06 17:20 --------- d-----w C:\Program Files\MagicISO
2008-09-06 17:20 --------- d-----w C:\Program Files\Ace of WAV
2008-09-03 23:02 --------- d-----w C:\Documents and Settings\Sam\Application Data\Gamelab
2008-08-31 20:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-31 05:49 118,784 ----a-w C:\WINDOWS\Web\Wallpaper\Enthusiasm In Life Wallpaper dir\uninstall.exe
2008-08-30 17:44 --------- d-----w C:\Program Files\Lavasoft
2008-08-30 17:44 --------- d-----w C:\Documents and Settings\Sam\Application Data\Lavasoft
2008-08-28 05:30 --------- d-----w C:\Documents and Settings\Sam\Application Data\PlayFirst
2008-08-21 03:50 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2(2).dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 03:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 03:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-28 04:08 444,952 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-06-28 04:08 109,080 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-06-24 23:12 295,936 ----a-w C:\WINDOWS\system32\wmpeffects.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-01-14 21:02 110 ----a-w C:\Documents and Settings\All Users\Application Data\MostFunGameId.bin
2006-06-17 03:41 77 --sh--w C:\Program Files\Common Files\Desktop.ini
2003-07-31 09:53 147,456 ----a-w C:\WINDOWS\inf\EL2K_XP.sys
2003-07-31 09:50 448,768 ----a-w C:\WINDOWS\inf\EL2K_N64.sys
2003-07-31 09:43 147,456 ----a-w C:\WINDOWS\inf\EL2K_2K.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EEE6C35D-6118-11DC-9C72-001320C79847}"= "C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2008-07-06 173368]

[HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2008-07-06 12:44 1164600 --a------ C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-07-06 1164600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-07-06 1164600]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"SetDefaultMIDI"="MIDIDef.exe" [2006-08-11 C:\WINDOWS\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 278528]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 155648]
"HostManager"="C:\Program Files\Common Files\AOL\1153012437\ee\AOLSoftware.exe" [2006-05-09 50760]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-25 185632]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"SweetIM"="C:\Program Files\SweetIM\Messenger\SweetIM.exe" [2008-07-06 111928]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-17 1235736]
"TCASUTIEXE"="TCAUDIAG.exe" [2003-07-16 C:\WINDOWS\system32\TCAUDIAG.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 C:\WINDOWS\KHALMNPR.Exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 C:\WINDOWS\system32\CTXFIHLP.EXE]
"CTHelper"="CTHELPER.EXE" [2006-08-11 C:\WINDOWS\CTHELPER.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Sam\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-08-24 575488]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-05 125624]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-08-20 805392]
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=grglrj.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a------ 2003-05-30 12:42 585728 C:\Program Files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2003-05-29 19:28 790528 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SoundMAX Agent Service (default)"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1153012437\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1153012437\\ee\\aim6.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8039:TCP"= 8039:TCP:BitComet 8039 TCP
"8039:UDP"= 8039:UDP:BitComet 8039 UDP
"6112:TCP"= 6112:TCP:BlizzDL6112
"3724:TCP"= 3724:TCP:BlizzDL3724

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-17 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-17 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-17 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-17 76040]
R2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-08-15 596328]
R2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2008-08-15 596328]
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-06-30 3712]
R2 tcaicchg;tcaicchg;C:\WINDOWS\system32\tcaicchg.sys [2000-06-06 21233]
R2 TCAITDI;TCAITDI Protocol;C:\WINDOWS\system32\DRIVERS\TCAITDI.sys [2001-09-03 19534]
S3 COMMONFX.SYS;COMMONFX.SYS;C:\WINDOWS\system32\drivers\COMMONFX.SYS [ ]
S3 COMMONFX;COMMONFX;C:\WINDOWS\system32\drivers\COMMONFX.SYS [ ]
S3 CTAUDFX.SYS;CTAUDFX.SYS;C:\WINDOWS\system32\drivers\CTAUDFX.SYS [ ]
S3 CTAUDFX;CTAUDFX;C:\WINDOWS\system32\drivers\CTAUDFX.SYS [ ]
S3 CTERFXFX.SYS;CTERFXFX.SYS;C:\WINDOWS\system32\drivers\CTERFXFX.SYS [ ]
S3 CTERFXFX;CTERFXFX;C:\WINDOWS\system32\drivers\CTERFXFX.SYS [ ]
S3 CTSBLFX.SYS;CTSBLFX.SYS;C:\WINDOWS\system32\drivers\CTSBLFX.SYS [ ]
S3 CTSBLFX;CTSBLFX;C:\WINDOWS\system32\drivers\CTSBLFX.SYS [ ]
S3 P1050VID;Creative WebCam Pro eX (Video);C:\WINDOWS\system32\DRIVERS\P1050Wnt.sys [2003-01-02 179853]
S3 p17filt;p17filt;C:\WINDOWS\system32\drivers\p17filt.sys [ ]
S3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-08-12 19020]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\9n7u0pvs.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
FF -: plugin - C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\Google\Google Updater\2.2.1111.1511\npCIDetect11.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-19 19:30:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-19 19:31:52
ComboFix-quarantined-files.txt 2008-09-20 00:31:15
ComboFix2.txt 2008-09-18 23:12:27

Pre-Run: 15,706,103,808 bytes free
Post-Run: 15,670,640,640 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

273 --- E O F --- 2008-09-07 03:56:50



HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:33 PM, on 9/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1153012437\ee\AOLSoftware.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\TCAUDIAG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Sam\Desktop\HijackThis\Crusty.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1153012437\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Sam\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150437316779
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E0B1CB0-8DF4-4008-8282-E2428685CB1A}: NameServer = 151.164.14.201,151.164.1.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E0B1CB0-8DF4-4008-8282-E2428685CB1A}: NameServer = 151.164.14.201,151.164.1.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E0B1CB0-8DF4-4008-8282-E2428685CB1A}: NameServer = 151.164.14.201,151.164.1.8
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: grglrj.dll,avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe

--
End of file - 8612 bytes


I ran SpyBot and it was clean. When I reboot, the Virtumonde that used to pop up in a DOS-based form for a few seconds has gone too.

#8 steamwiz

  • Members
  • 1,039 posts

Posted 20 September 2008 - 05:28 PM

Hi

Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK

This will uninstall ComboFix, delete any of its related folders and files (Qoobox, VundoFix Backups, Avenger, Deckard, _OTMoveIt), reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Then you're good to go :thumbsup:

Before you leave the site ...

Please have a look here at ways to keep your computer safe :-

Simple steps to keep your computer secure! By Grinler > http://www.bleepingcomputer.com/forums/t/1628/simple-steps-to-keep-your-computer-secure/

& here :-

So how did I get infected in the first place? By TonyKlein > http://forums.spybot.info/showthread.php?t=279

Happy surfing :)

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#9 shurikenx
  • Topic Starter

  • Members
  • 6 posts

Posted 21 September 2008 - 02:56 PM

Hi Steam,

Thank you very much for all your help. Everything is peachy now!

:thumbsup:

Great work! Thanks again.

#10 steamwiz

  • Members
  • 1,039 posts

Posted 21 September 2008 - 03:27 PM

Hi

You're very welcome :thumbsup:

As this thread is resolved, :) it is now locked.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

cheers

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware



