Infected With Virtumonde


  • This topic is locked
14 replies to this topic

#1 rotherka

rotherka

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:59 AM

Posted 16 September 2008 - 09:13 AM

Hi folks,

I've tried to follow all the steps posted in the preparation guide before posting my HJT log, but I can't get Windows Updates to run, it tells me:

"The site cannot continue because one or more of these Windows services is not running:
Automatic Updates (allows the site to find, download and install high-priority updates for your computer)
Background Intelligent Transfer Service (BITS) (helps updates download more quickly and without problems if the download process is interrupted)
Event Log (keeps a record of updating activities to help with troubleshooting, if needed) "

The AU service startup type is Disabled. If I set the startup type to Automatic or Manual and try to start the AU service from the Services window, I get the following message: "Could not start the AU service on Local Computer. Error 1058, the service can not be started either because it is disabled or because it has no enabled devices associate with it." The BITS and Event Log services both seem to be running.

Following is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:39 AM, on 9/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
C:\PROGRAM FILES\PANDA SECURITY\PANDA ANTIVIRUS PRO 2009\WebProxy.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\WINDOWS\system32\LPhal.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\AVENGINE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\HEWLET~1\WORKFL~1\DIGITA~2\Pen.TrayIcon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GetModule\GetModule23.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmPad.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\mdm.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\psimreal.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Pen.TrayIcon] C:\PROGRA~1\HEWLET~1\WORKFL~1\DIGITA~2\Pen.TrayIcon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\Inicio.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BM2f8bc985] Rundll32.exe "C:\WINDOWS\system32\lwenrntd.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [GetModule23] "C:\Program Files\GetModule\GetModule23.exe"
O4 - HKCU\..\Run: [VnrBlock20] "C:\Program Files\VnrBlock\VnrBlock20.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Start WebEx MeetMeNow.LNK = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll
O9 - Extra 'Tools' menuitem: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://10.0.0.232
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} (Microsoft Virtual Server VMRC Control) - http://10.0.0.44:1024/VirtualServer/active...tiveXClient.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {D3CCEFAF-8EE1-40FE-BE25-366E2B016DAB} (Microsoft Virtual Server VMRC Control) - http://10.0.0.44:1024/VirtualServer/active...tiveXClient.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/mwmus/tool/systemcheck/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6262915-8780-4177-8412-C2CDC9D166C6}: NameServer = 10.0.0.3,205.171.2.65
O20 - AppInit_DLLs: guhuyd.dll ggmffr.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
O23 - Service: Digital Pen rendezvous server (PenRendezvous) - Logitech - C:\WINDOWS\system32\LPhal.exe
O23 - Service: Digital Pen Socket to USB protocol (PenSup) - Logitech - C:\WINDOWS\system32\LPhal.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10963 bytes



#2 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:59 AM

Posted 16 September 2008 - 02:04 PM

Hello and welcome to the forum. :thumbsup:

I am sorry it has taken so long to get to your log but things are often very busy here.

I would like to offer you some help. We ask for a few things in return:
  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • All of these fixes are specific to your computer and should not be used by anyone else.
  • We ask that you stay with us until we declare you 'Clean'.
  • All of my recommendations will be checked by the elders here. You can feel confident that an expert is looking after you.
I have started analyzing your log and will get back to you ASAP with some instructions.

Thanks.

DR

#3 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:59 AM

Posted 17 September 2008 - 06:19 AM

Your log does not show any O2s listed. :)

I would like you to rename HijackThis and run it again.

Please navigate to:

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe and rename HijackThis to Scanner.exe.


Run the scan to create a new logfile and post that log in your next reply. :thumbsup:

Thanks.

DR

#4 rotherka

rotherka
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:59 AM

Posted 17 September 2008 - 07:29 AM

new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:04 AM, on 9/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
C:\PROGRAM FILES\PANDA SECURITY\PANDA ANTIVIRUS PRO 2009\WebProxy.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\WINDOWS\system32\LPhal.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\AVENGINE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\HEWLET~1\WORKFL~1\DIGITA~2\Pen.TrayIcon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GetModule\GetModule23.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmPad.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Workflow Connect 250\Digital Pen 250 Download Software\Pen.LplsHost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Anoto\3.0\DockingEngine.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\psimreal.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\avciman.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {8AA25BD8-F2C5-462F-B620-3858EB64D2FE} - (no file)
O2 - BHO: (no name) - {9166A16D-533A-4D4B-BF81-011A74C5BB91} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {AAA0C93F-F237-47D2-9CB9-C9C2652ABD11} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {CEE6A201-39CC-4FA1-A35D-DBE497242122} - C:\WINDOWS\system32\ddcBUnnl.dll
O2 - BHO: (no name) - {D7336D32-62F7-43B5-8B8C-3963C72CA498} - C:\WINDOWS\system32\hgGwVPHX.dll
O2 - BHO: (no name) - {D96C5AC8-4531-4D7E-9A9D-9D3409B6B0CC} - (no file)
O2 - BHO: (no name) - {E25AEBED-7955-4764-8478-1039CF3F94BB} - (no file)
O2 - BHO: (no name) - {EDFC6A17-8F43-496C-B2BB-73ECEAB18905} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Pen.TrayIcon] C:\PROGRA~1\HEWLET~1\WORKFL~1\DIGITA~2\Pen.TrayIcon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\Inicio.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BM2f8bc985] Rundll32.exe "C:\WINDOWS\system32\bcwebqxl.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [GetModule23] "C:\Program Files\GetModule\GetModule23.exe"
O4 - HKCU\..\Run: [VnrBlock20] "C:\Program Files\VnrBlock\VnrBlock20.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Start WebEx MeetMeNow.LNK = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll
O9 - Extra 'Tools' menuitem: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://10.0.0.232
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} (Microsoft Virtual Server VMRC Control) - http://10.0.0.44:1024/VirtualServer/active...tiveXClient.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {D3CCEFAF-8EE1-40FE-BE25-366E2B016DAB} (Microsoft Virtual Server VMRC Control) - http://10.0.0.44:1024/VirtualServer/active...tiveXClient.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/mwmus/tool/systemcheck/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6262915-8780-4177-8412-C2CDC9D166C6}: NameServer = 10.0.0.3,205.171.2.65
O20 - AppInit_DLLs: guhuyd.dll ggmffr.dll
O20 - Winlogon Notify: hgGwVPHX - C:\WINDOWS\SYSTEM32\hgGwVPHX.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
O23 - Service: Digital Pen rendezvous server (PenRendezvous) - Logitech - C:\WINDOWS\system32\LPhal.exe
O23 - Service: Digital Pen Socket to USB protocol (PenSup) - Logitech - C:\WINDOWS\system32\LPhal.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 12673 bytes
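The two logs above differ only in that HijackThis was renamed before the second scan. The following is an added example, not code from this thread or from Trend Micro: it parses excerpts copied from both posted logs, lists the entries that appeared after the rename, flags the entry classes a log reader checks first (unnamed BHOs backed by real files, Run keys that load a system32 DLL through Rundll32, populated AppInit_DLLs, Winlogon Notify packages), and spots the Run value whose DLL target changed between scans. The regexes and flag rules are this example's own assumptions.

```python
"""Compare two HijackThis logs and flag the entry classes worth a closer look.

Added example, not code from this thread or from Trend Micro. The log excerpts
below are copied from the two logs posted on 16 and 17 September; the regexes
and the flagging rules are this example's own assumptions."""
import re
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, str]  # (section such as "O4", remainder of the line)

# Excerpt of the first log (run as HijackThis.exe, 16 Sept): no O2 lines at all.
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [BM2f8bc985] Rundll32.exe "C:\WINDOWS\system32\lwenrntd.dll",s
O4 - HKCU\..\Run: [GetModule23] "C:\Program Files\GetModule\GetModule23.exe"
O20 - AppInit_DLLs: guhuyd.dll ggmffr.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Excerpt of the second log (run as Scanner.exe, 17 Sept): O2 lines now appear.
LOG_AFTER = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {8AA25BD8-F2C5-462F-B620-3858EB64D2FE} - (no file)
O2 - BHO: (no name) - {CEE6A201-39CC-4FA1-A35D-DBE497242122} - C:\WINDOWS\system32\ddcBUnnl.dll
O2 - BHO: (no name) - {D7336D32-62F7-43B5-8B8C-3963C72CA498} - C:\WINDOWS\system32\hgGwVPHX.dll
O4 - HKLM\..\Run: [BM2f8bc985] Rundll32.exe "C:\WINDOWS\system32\bcwebqxl.dll",s
O4 - HKCU\..\Run: [GetModule23] "C:\Program Files\GetModule\GetModule23.exe"
O20 - AppInit_DLLs: guhuyd.dll ggmffr.dll
O20 - Winlogon Notify: hgGwVPHX - C:\WINDOWS\SYSTEM32\hgGwVPHX.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.+)$")
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
RUNDLL_SYS32_RE = re.compile(r'rundll32\.exe\s+"?[^"]*\\system32\\[^\\"]+\.dll', re.I)


def parse_entries(log: str) -> List[Entry]:
    """Keep only the R*/O* lines; the process list and headers are skipped."""
    out: List[Entry] = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def diff_logs(before: str, after: str) -> Tuple[List[Entry], List[Entry]]:
    """Entries present only in the newer log, and entries that disappeared."""
    old, new = set(parse_entries(before)), set(parse_entries(after))
    return sorted(new - old), sorted(old - new)


def flag_entry(section: str, body: str) -> Optional[str]:
    """Return a reason for entry classes worth a closer look, else None."""
    if section == "O2" and body.startswith("BHO: (no name)") and not body.endswith("(no file)"):
        return "unnamed BHO backed by an existing DLL"
    if section == "O4" and RUNDLL_SYS32_RE.search(body):
        return "Run key loads a system32 DLL through Rundll32"
    if section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        return "AppInit_DLLs is populated (DLLs injected into every user32 process)"
    if section == "O20" and body.startswith("Winlogon Notify:"):
        return "Winlogon Notify package loads a DLL at logon"
    return None


def flag_log(log: str) -> List[Tuple[str, str, str]]:
    """(section, body, reason) for every flagged entry, in log order."""
    flagged = []
    for section, body in parse_entries(log):
        reason = flag_entry(section, body)
        if reason:
            flagged.append((section, body, reason))
    return flagged


def run_values(log: str) -> Dict[Tuple[str, str], str]:
    """Map (hive, value name) -> command for every O4 Run entry."""
    vals: Dict[Tuple[str, str], str] = {}
    for section, body in parse_entries(log):
        m = RUN_RE.match(body) if section == "O4" else None
        if m:
            vals[(m.group(1), m.group(2))] = m.group(3)
    return vals


def repointed_run_values(before: str, after: str) -> List[Tuple[str, str, str]]:
    """Run values whose name survived but whose command changed between scans:
    the pattern of a loader that re-randomises its DLL filename."""
    old, new = run_values(before), run_values(after)
    return [(key[1], old[key], new[key]) for key in old if key in new and old[key] != new[key]]


if __name__ == "__main__":
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"{len(added)} entries new in the second log, {len(removed)} gone")
    for section, body, reason in flag_log(LOG_AFTER):
        print(f"[{section}] {reason}: {body}")
    for name, old_cmd, new_cmd in repointed_run_values(LOG_BEFORE, LOG_AFTER):
        print(f"Run value [{name}] changed from {old_cmd} to {new_cmd}")
```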

#5 rotherka

rotherka
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:59 AM

Posted 17 September 2008 - 07:39 AM

oops, forgot to note that when I ran the new HJT scan Panda AntiVirus complained strongly but unfortunately I was multi-tasking and killed the Panda info before I realized what it was. Let me know if I should disable Panda and run another scan.

many, many thanks,
karen

#6 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:59 AM

Posted 19 September 2008 - 06:16 AM

Let's try this next. :thumbsup:

We need to disable your Tea Timer first. You probably should also disable the Panda, please. Good thinking!
  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done.
When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.


Please now download Combofix to your desktop.
  • Doubleclick the combofix icon to launch the application.
  • Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt.

Post this log in your next reply together with a new HiJackThis log.

Thanks.


DR

#7 rotherka

rotherka
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:59 AM

Posted 19 September 2008 - 01:16 PM

comboFix log contents:

ComboFix 08-09-16.05 - karen.rothermel 2008-09-19 12:24:26.1 - NTFSx86
Running from: C:\Documents and Settings\karen.rothermel.NC4000\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Cookies\administrator@edge.ru4[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@edge.toyota[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@nytimes[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[2].txt
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\karen.rothermel.NC4000\Cookies\karen.rothermel@2o7[1].txt
C:\Documents and Settings\karen.rothermel.NC4000\Cookies\karen.rothermel@a.consumerreports[1].txt
C:\Documents and Settings\karen.rothermel.NC4000\Cookies\karen.rothermel@edge.ru4[1].txt
C:\Documents and Settings\karen.rothermel.NC4000\Cookies\karen.rothermel@ehg-chrysler.hitbox[2].txt
C:\Documents and Settings\karen.rothermel.NC4000\Cookies\karen.rothermel@ehg-techtarget.hitbox[2].txt
C:\Documents and Settings\karen.rothermel.NC4000\Cookies\karen.rothermel@ehg-vmware.hitbox[1].txt
C:\Documents and Settings\karen.rothermel.NC4000\Cookies\karen.rothermel@ehg-webex.hitbox[2].txt
C:\Documents and Settings\karen.rothermel.NC4000\Cookies\karen.rothermel@ehg.fedex[2].txt
C:\Documents and Settings\karen.rothermel.NC4000\Cookies\karen.rothermel@interclick[1].txt
C:\Documents and Settings\karen.rothermel.NC4000\Cookies\karen.rothermel@nytimes[2].txt
C:\Documents and Settings\karen.rothermel.NC4000\Cookies\karen.rothermel@partner2profit[1].txt
C:\Documents and Settings\karen.rothermel.NC4000\Cookies\karen.rothermel@specificclick[1].txt
C:\Documents and Settings\karen.rothermel.NC4000\Cookies\karen.rothermel@turn[2].txt
C:\Documents and Settings\karen.rothermel.NC4000\My Documents\SKS~1
C:\Program Files\Common Files\icroso~1.net
C:\Program Files\GetModule
C:\Program Files\GetModule\dicik.gz
C:\Program Files\GetModule\GetModule23.exe
C:\Program Files\GetModule\kwdik.gz
C:\Program Files\GetModule\ozadik.gz
C:\Program Files\VnrBlock
C:\Program Files\VnrBlock\xtarga.gz
C:\WINDOWS\BM2f8bc985.txt
C:\WINDOWS\BM2f8bc985.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\MyWebEx
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atarm.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atas32.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atasanot.exe
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atasctrl.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atasnt40.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atcarmcl.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atdl2006.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atjpeg60.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atkbctl.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atlchat.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atmemmgr.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atnetext.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atpack.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atres.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\attp.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atwbxui6.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\h264dec.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\h264enc.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\ieatgpc.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mmssl32.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\msess.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mticket.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mutiltpd.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mvc.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwm.ini
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmcliun.exe
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmie.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmim.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmoi.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmpad.exe
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmproxy.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmres.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmres1.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmtrace.txt
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmupd.exe
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\ratrace.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\Ratrace\ratrace.txt
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\raurl.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\uilibres.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\wbxcrypt.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\webexmgr.dll
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bcwebqxl.dll
C:\WINDOWS\system32\bexicsff.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\clnbxonh.dll
C:\WINDOWS\system32\digodprf.dll
C:\WINDOWS\system32\edbcemhi.ini
C:\WINDOWS\system32\esnrqdto.dll
C:\WINDOWS\system32\eucywudd.dll
C:\WINDOWS\system32\fhksfaoy.dll
C:\WINDOWS\system32\frpdogid.ini
C:\WINDOWS\system32\ggmffr.dll
C:\WINDOWS\system32\gqjupygs.dll
C:\WINDOWS\system32\hgGwVPHX.dll
C:\WINDOWS\system32\hihrla.dll
C:\WINDOWS\system32\iesnvtoy.dll
C:\WINDOWS\system32\ihmecbde.dll
C:\WINDOWS\system32\jijlqnws.dll
C:\WINDOWS\system32\kpbydlkw.ini
C:\WINDOWS\system32\lctmrjiv.ini
C:\WINDOWS\system32\lnnUBcdd.ini
C:\WINDOWS\system32\lnnUBcdd.ini2
C:\WINDOWS\system32\lvdmfkij.dll
C:\WINDOWS\system32\lvnuhmjt.dll
C:\WINDOWS\system32\lwenrntd.dll
C:\WINDOWS\system32\mahainwk.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\otdqrnse.ini
C:\WINDOWS\system32\rgnemp.dll
C:\WINDOWS\system32\tjmhunvl.ini
C:\WINDOWS\system32\vfkuyu.dll
C:\WINDOWS\system32\vijrmtcl.dll
C:\WINDOWS\system32\wkhujlwp.dll
C:\WINDOWS\system32\wkldybpk.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-19 to 2008-09-19 )))))))))))))))))))))))))))))))
.

2008-09-19 09:41 . 2008-09-19 09:41 112,640 --a------ C:\WINDOWS\system32\jsmojycu.dll
2008-09-19 09:41 . 2008-09-19 09:41 112,640 --a------ C:\WINDOWS\system32\ftkynx.dll
2008-09-18 10:06 . 2008-09-18 10:06 112,640 --a------ C:\WINDOWS\system32\yolpvm.dll
2008-09-18 10:06 . 2008-09-18 10:06 112,640 --a------ C:\WINDOWS\system32\covxmudb.dll
2008-09-18 09:06 . 2008-09-18 10:46 406 --ahs---- C:\WINDOWS\system32\swnqljij.ini
2008-09-18 09:03 . 2008-09-18 09:03 112,640 --a------ C:\WINDOWS\system32\nykfwp.dll
2008-09-18 09:03 . 2008-09-18 09:03 112,640 --a------ C:\WINDOWS\system32\kyuwmfvd.dll
2008-09-16 09:41 . 2008-09-16 09:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-15 16:47 . 2008-09-19 13:10 780,320 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-09-15 16:47 . 2008-09-19 13:02 10,148 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-09-15 16:17 . 2008-09-15 16:17 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\MailFrontier
2008-09-15 16:17 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-09-15 16:17 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-09-15 16:17 . 2008-09-15 16:32 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-09-15 16:16 . 2008-09-15 16:16 <DIR> d-------- C:\Program Files\Zone Labs
2008-09-15 10:44 . 2008-09-15 16:03 8,627 --a------ C:\WINDOWS\system32\PAV_FOG.OPC
2008-09-15 10:40 . 2008-09-19 12:17 13,880 --a------ C:\WINDOWS\system32\drivers\COMFiltr.sys
2008-09-15 10:38 . 2008-04-28 17:35 84,024 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2008-09-15 10:38 . 2007-03-15 19:38 54,832 --a------ C:\WINDOWS\system32\pavcpl.cpl
2008-09-15 10:38 . 2008-09-15 10:38 249 --a------ C:\WINDOWS\system32\PavCPL.dat
2008-09-15 10:37 . 2008-09-15 10:37 <DIR> d-------- C:\WINDOWS\system32\PAV
2008-09-15 10:37 . 2008-09-15 10:37 <DIR> d-------- C:\Program Files\Panda Security
2008-09-15 10:37 . 2008-09-15 10:37 <DIR> d-------- C:\Documents and Settings\karen.rothermel.NC4000\Application Data\Panda Security
2008-09-15 10:37 . 2008-09-15 10:37 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Panda Security
2008-09-15 10:37 . 2008-06-18 18:03 520,448 --a------ C:\WINDOWS\system32\PavSHook.dll
2008-09-15 10:37 . 2003-10-22 18:23 446,464 --a------ C:\WINDOWS\system32\HHActiveX.dll
2008-09-15 10:37 . 2008-06-24 14:48 193,280 --a------ C:\WINDOWS\system32\TpUtil.dll
2008-09-15 10:37 . 2007-02-08 11:53 107,568 --a------ C:\WINDOWS\system32\SYSTOOLS.DLL
2008-09-15 10:37 . 2008-06-18 18:03 87,296 --a------ C:\WINDOWS\system32\PavLspHook.dll
2008-09-15 10:37 . 2008-03-18 16:58 58,672 --a------ C:\WINDOWS\system32\avldr.dll
2008-09-15 10:37 . 2008-06-18 18:03 55,552 --a------ C:\WINDOWS\system32\pavipc.dll
2008-09-15 10:34 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-09-15 10:33 . 2008-09-15 10:33 <DIR> d-------- C:\Program Files\Common Files\Panda Security
2008-09-15 10:33 . 2008-02-07 12:03 179,640 --a------ C:\WINDOWS\system32\drivers\PavProc.sys
2008-09-15 10:33 . 2008-03-04 15:59 41,144 --a------ C:\WINDOWS\system32\drivers\ShlDrv51.sys
2008-09-15 09:46 . 2008-09-15 10:05 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-09-14 17:47 . 2008-09-14 17:46 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-09-14 17:46 . 2008-09-14 17:47 <DIR> d-------- C:\Documents and Settings\karen.rothermel.NC4000\.housecall6.6
2008-09-14 15:30 . 2008-09-14 15:30 111,616 --a------ C:\WINDOWS\system32\phifmsje.dll
2008-09-14 15:30 . 2008-09-14 15:30 111,616 --a------ C:\WINDOWS\system32\oleemr.dll
2008-09-14 10:25 . 2008-09-14 10:25 111,616 --a------ C:\WINDOWS\system32\wnriflea.dll
2008-09-14 10:25 . 2008-09-14 10:25 111,616 --a------ C:\WINDOWS\system32\guhuyd.dll
2008-09-13 23:16 . 2008-09-14 17:33 259 --a------ C:\WINDOWS\wininit.ini
2008-09-13 22:45 . 2008-09-13 22:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-13 22:45 . 2008-09-14 10:23 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-09-13 20:37 . 2008-09-13 20:37 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-13 20:37 . 2008-09-13 20:37 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-09-13 20:36 . 2008-09-13 20:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-13 19:00 . 2008-09-13 19:00 <DIR> d-------- C:\Documents and Settings\karen.rothermel.NC4000\Application Data\Nokia
2008-09-13 18:40 . 2008-09-13 18:40 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-09-13 18:33 . 2008-09-13 18:33 253,440 --a------ C:\WINDOWS\system32\ddcBUnnl.dll
2008-08-31 15:24 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-08-31 15:24 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-08-26 08:33 . 2008-08-26 09:05 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-25 23:11 . 2008-08-25 23:11 <DIR> d-------- C:\Documents and Settings\karen.rothermel.NC4000\Application Data\PC Suite
2008-08-24 19:42 . 2008-08-24 19:42 1,160 --a------ C:\WINDOWS\mozver.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-17 14:49 624,128 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-09-17 14:49 1,416,192 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-09-15 14:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-13 22:58 --------- d-----w C:\Program Files\Neoteris
2008-09-13 22:58 --------- d-----w C:\Documents and Settings\karen.rothermel.NC4000\Application Data\Juniper Networks
2008-09-12 13:54 --------- d-----w C:\Documents and Settings\karen.rothermel.NC4000\Application Data\AdobeUM
2008-08-20 01:42 --------- d-----w C:\Documents and Settings\karen.rothermel.NC4000\Application Data\U3
2008-08-06 14:21 --------- d-----w C:\Program Files\Digital Pen 2 Firmware Updater
2008-08-01 00:05 --------- d-----w C:\Program Files\Google
2008-07-25 02:51 --------- d-----w C:\Program Files\Netflix
2008-07-24 16:04 --------- d-----w C:\Program Files\Java
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D67AF2C-52A1-47E8-9CF0-FBA7A6E26E8F}]
2008-09-13 18:33 253440 --a------ C:\WINDOWS\system32\ddcBUnnl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-29 335872]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Pen.TrayIcon"="C:\PROGRA~1\HEWLET~1\WORKFL~1\DIGITA~2\Pen.TrayIcon.exe" [2005-03-30 20480]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"WD Button Manager"="WDBtnMgr.exe" [2007-02-12 C:\WINDOWS\system32\WDBtnMgr.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2008-03-18 16:58 58672 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-08-01 01:14 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 pavboot;Panda boot driver;C:\WINDOWS\system32\Drivers\pavboot.sys [2008-06-19 28544]
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys [2008-03-04 41144]
R2 Gwmsrv;Panda Goodware Cache Manager;C:\WINDOWS\system32\svchost -k Panda [ ]
R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2008-02-07 179640]
R2 PskSvcRetail;Panda PSK service;C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe [2008-06-25 28928]
R3 ALiIRDA;ALi Infrared Device Driver;C:\WINDOWS\system32\DRIVERS\alifir.sys [2001-08-17 26624]
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys [ ]
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2003-07-29 182101]
R3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys [ ]
R3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys [ ]
R3 Phal;Phal - Logitech io2 USB driver;C:\WINDOWS\system32\Drivers\LPhalUsb.sys [2004-09-27 56320]
R3 WLAN_400_500_SERVICE;HP WLAN W400/W500 Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ar5211.sys [2003-09-11 322528]
S3 ComFiltr;Panda Anti-Dialer;C:\WINDOWS\system32\DRIVERS\COMFiltr.sys [2008-09-19 13880]
S3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys [2003-07-24 5689]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
panda REG_MULTI_SZ Gwmsrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b04bad0-ab76-11dc-ba22-000bcd5cfc04}]
\Shell\AutoRun\command - E:\Launch.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{8166A09D-76D2-4441-9FBC-3344038C358C} - (no file)
BHO-{8AA25BD8-F2C5-462F-B620-3858EB64D2FE} - (no file)
BHO-{9166A16D-533A-4D4B-BF81-011A74C5BB91} - (no file)
BHO-{AAA0C93F-F237-47D2-9CB9-C9C2652ABD11} - (no file)
BHO-{D7336D32-62F7-43B5-8B8C-3963C72CA498} - C:\WINDOWS\system32\hgGwVPHX.dll
BHO-{D96C5AC8-4531-4D7E-9A9D-9D3409B6B0CC} - (no file)
BHO-{E25AEBED-7955-4764-8478-1039CF3F94BB} - (no file)
BHO-{EDFC6A17-8F43-496C-B2BB-73ECEAB18905} - (no file)
HKCU-Run-GetModule23 - C:\Program Files\GetModule\GetModule23.exe
HKCU-Run-VnrBlock20 - C:\Program Files\VnrBlock\VnrBlock20.exe
HKLM-Run-BM2f8bc985 - C:\WINDOWS\system32\eucywudd.dll
ShellExecuteHooks-{D7336D32-62F7-43B5-8B8C-3963C72CA498} - C:\WINDOWS\system32\hgGwVPHX.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\karen.rothermel.NC4000\Application Data\Mozilla\Firefox\Profiles\warr0dx0.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-19 13:08:00
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\WebProxy.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrlS.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\PavPrSrv.exe
C:\WINDOWS\system32\LPhal.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
C:\Program Files\Dantz\Retrospect\wdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PAVSRV51.EXE
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\AVENGINE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Workflow Connect 250\Digital Pen 250 Download Software\Pen.LplsHost.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Common Files\Anoto\3.0\DockingEngine.exe
.
**************************************************************************
.
Completion time: 2008-09-19 13:17:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-19 17:17:25

Pre-Run: 16,244,047,872 bytes free
Post-Run: 16,929,857,536 bytes free

341 --- E O F --- 2008-08-15 03:49:14



When running HJT I received a popup message "for some reason your system denied write access to the Hosts file. If any hijacked domains are in the file, HIjackThis may not be able to fix this. blah, blah, blah". The only item in my hosts file is 127.0.0.1 local host.


HJT log contents:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:39 PM, on 9/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
C:\PROGRAM FILES\PANDA SECURITY\PANDA ANTIVIRUS PRO 2009\WebProxy.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\WINDOWS\system32\LPhal.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\AVENGINE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\HEWLET~1\WORKFL~1\DIGITA~2\Pen.TrayIcon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Workflow Connect 250\Digital Pen 250 Download Software\Pen.LplsHost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Common Files\Anoto\3.0\DockingEngine.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\psimreal.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\avciman.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {66608756-8AA9-438D-9EAA-7D5F58A01440} - C:\WINDOWS\system32\ddcBUnnl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Pen.TrayIcon] C:\PROGRA~1\HEWLET~1\WORKFL~1\DIGITA~2\Pen.TrayIcon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BM2f8bc985] Rundll32.exe "C:\WINDOWS\system32\cbhfsugp.dll",s
O4 - HKLM\..\Run: [2cb8fa19] rundll32.exe "C:\WINDOWS\system32\beryuqey.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Start WebEx MeetMeNow.LNK = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll (file missing)
O9 - Extra 'Tools' menuitem: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://10.0.0.232
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} (Microsoft Virtual Server VMRC Control) - http://10.0.0.44:1024/VirtualServer/active...tiveXClient.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {D3CCEFAF-8EE1-40FE-BE25-366E2B016DAB} (Microsoft Virtual Server VMRC Control) - http://10.0.0.44:1024/VirtualServer/active...tiveXClient.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/mwmus/tool/systemcheck/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6262915-8780-4177-8412-C2CDC9D166C6}: NameServer = 10.0.0.3,205.171.2.65
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
O23 - Service: Digital Pen rendezvous server (PenRendezvous) - Logitech - C:\WINDOWS\system32\LPhal.exe
O23 - Service: Digital Pen Socket to USB protocol (PenSup) - Logitech - C:\WINDOWS\system32\LPhal.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10892 bytes


Thanks!

#8 rotherka (Topic Starter, Members, 8 posts)

Posted 19 September 2008 - 01:19 PM

Note: I re-enabled spybot resident and panda antivirus after running combofix and HJT and panda immediately found virtumonde and "deleted" it yet again.

#9 rigacci (Fiorentino, Members, 2,604 posts)

Posted 22 September 2008 - 06:12 AM

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\ddcBUnnl.dll
C:\WINDOWS\system32\hgGwVPHX.dll
C:\Program Files\GetModule\GetModule23.exe
C:\Program Files\VnrBlock\VnrBlock20.exe
C:\WINDOWS\system32\eucywudd.dll
C:\WINDOWS\system32\beryuqey.dll
C:\WINDOWS\system32\cbhfsugp.dll
C:\WINDOWS\system32\jsmojycu.dll
C:\WINDOWS\system32\ftkynx.dll
C:\WINDOWS\system32\yolpvm.dll
C:\WINDOWS\system32\covxmudb.dll
C:\WINDOWS\system32\swnqljij.ini
C:\WINDOWS\system32\nykfwp.dll
C:\WINDOWS\system32\kyuwmfvd.dll
C:\WINDOWS\system32\phifmsje.dll
C:\WINDOWS\system32\oleemr.dll
C:\WINDOWS\system32\wnriflea.dll
C:\WINDOWS\system32\guhuyd.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Save this as CFScript.txt on your desktop, the same as ComboFix.exe
[image: CFScript.txt being dragged onto ComboFix.exe]
Referring to the picture above, drag CFScript onto ComboFix.

After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
  • A new HijackThis log.

Please take note: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Thanks.

DR
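Editor's added example (not code from the thread, from ComboFix or from HijackThis): the logs above show the two things the helper's CFScript is built from, namely twin DLLs dropped into system32 in the same minute with identical sizes (jsmojycu.dll/ftkynx.dll at 112,640 bytes, yolpvm.dll/covxmudb.dll, and so on) and O4 Run entries that start such a DLL through rundll32.exe with a one-letter export. The script below pulls those two patterns out of pasted log lines and renders them as a File:: block of the same shape as the one posted. The size/minute pairing and the "5 to 9 plain letters" name rule are heuristics assumed from this thread's logs, not a vendor signature; the sample lines are copied from the logs above with two benign entries added as negatives.

```python
import re
from collections import defaultdict

# Sample lines copied from the ComboFix and HijackThis logs posted in this
# thread, plus benign entries (SpOrder.dll, PavSHook.dll, ctfmon, QuickTime)
# that the heuristics must leave alone.
SAMPLE_COMBOFIX = r"""
2008-09-19 09:41 . 2008-09-19 09:41 112,640 --a------ C:\WINDOWS\system32\jsmojycu.dll
2008-09-19 09:41 . 2008-09-19 09:41 112,640 --a------ C:\WINDOWS\system32\ftkynx.dll
2008-09-18 10:06 . 2008-09-18 10:06 112,640 --a------ C:\WINDOWS\system32\yolpvm.dll
2008-09-18 10:06 . 2008-09-18 10:06 112,640 --a------ C:\WINDOWS\system32\covxmudb.dll
2008-09-18 09:06 . 2008-09-18 10:46 406 --ahs---- C:\WINDOWS\system32\swnqljij.ini
2008-09-16 09:41 . 2008-09-16 09:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-15 16:17 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-09-15 10:37 . 2008-06-18 18:03 520,448 --a------ C:\WINDOWS\system32\PavSHook.dll
"""
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [BM2f8bc985] Rundll32.exe "C:\WINDOWS\system32\cbhfsugp.dll",s
O4 - HKLM\..\Run: [2cb8fa19] rundll32.exe "C:\WINDOWS\system32\beryuqey.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# ComboFix "Files Created" line: created . modified size attrs path
CF_LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. \d{4}-\d\d-\d\d \d\d:\d\d\s+"
    r"([\d,]+|<DIR>)\s+\S+\s+(.+)$"
)
# HJT O4 entry: rundll32 loading a DLL by a one-letter export name
O4_RUNDLL = re.compile(
    r'^O4 - HK(?:LM|CU)\\\.\.\\Run: \[[^\]]+\] rundll32\.exe "([^"]+\.dll)",[a-z]$',
    re.IGNORECASE,
)
SYSTEM32 = "c:\\windows\\system32\\"
# Assumption: drop names in this thread are 5-9 plain letters, no digits
ALPHA_DLL = re.compile(r"^[a-z]{5,9}\.dll$", re.IGNORECASE)


def in_system32(path):
    """True for a file directly under C:\\WINDOWS\\system32 (no subfolder)."""
    p = path.lower()
    return p.startswith(SYSTEM32) and "\\" not in p[len(SYSTEM32):]


def paired_dlls(combofix_lines):
    """System32 DLLs sharing creation minute and byte size with at least one
    other letters-only DLL: the twin-drop pattern visible in the log."""
    groups = defaultdict(list)
    for line in combofix_lines:
        m = CF_LINE.match(line.strip())
        if not m:
            continue
        created, size, path = m.groups()
        name = path.rsplit("\\", 1)[-1]
        if size == "<DIR>" or not in_system32(path) or not ALPHA_DLL.match(name):
            continue
        groups[(created, size)].append(path)
    return sorted(p for twins in groups.values() if len(twins) >= 2 for p in twins)


def rundll32_loads(hjt_lines):
    """System32 DLLs started from a Run key via rundll32 with a one-letter export."""
    matches = (O4_RUNDLL.match(ln.strip()) for ln in hjt_lines)
    return [m.group(1) for m in matches if m and in_system32(m.group(1))]


def cfscript(paths):
    """Render a CFScript File:: block like the one the helper posted,
    de-duplicated case-insensitively (Windows paths), first occurrence wins."""
    seen, lines = set(), ["File::"]
    for p in paths:
        if p.lower() not in seen:
            seen.add(p.lower())
            lines.append(p)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = rundll32_loads(SAMPLE_HJT.splitlines()) + paired_dlls(SAMPLE_COMBOFIX.splitlines())
    print(cfscript(hits))
```

Feed it the whole "Files Created" section and the O4 block of a fresh log and it prints the File:: list; the twin rule is deliberately stricter than "random-looking name" so that legitimately installed DLLs with odd names (SpOrder.dll above) are not swept up, which is also why the lone ddcBUnnl.dll BHO still has to be added by hand, as the helper did.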

#10 rotherka (Topic Starter, Members, 8 posts)

Posted 22 September 2008 - 10:38 AM

ComboFix log:

ComboFix 08-09-16.05 - karen.rothermel 2008-09-22 10:57:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.629 [GMT -4:00]
Running from: C:\Documents and Settings\karen.rothermel.NC4000\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\karen.rothermel.NC4000\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM2f8bc985.txt
C:\WINDOWS\BM2f8bc985.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bxjabilf.dll
C:\WINDOWS\system32\dwuqpqcj.dll
C:\WINDOWS\system32\ioqelunu.ini
C:\WINDOWS\system32\lhjavlmu.dll
C:\WINDOWS\system32\lnnUBcdd.ini
C:\WINDOWS\system32\lnnUBcdd.ini2
C:\WINDOWS\system32\swnqljij.ini
C:\WINDOWS\system32\unuleqoi.dll
C:\WINDOWS\system32\yequyreb.ini

.
((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))
.

2008-09-22 11:09 . 2008-09-22 11:09 <DIR> d-------- C:\WINDOWS\LastGood
2008-09-22 10:10 . 2008-09-22 10:10 113,152 --a------ C:\WINDOWS\system32\vgaisvdh.dll
2008-09-22 10:10 . 2008-09-22 10:10 113,152 --a------ C:\WINDOWS\system32\djqzxp.dll
2008-09-20 22:35 . 2008-09-20 22:35 294 ---hs---- C:\WINDOWS\system32\jcqpquwd.ini
2008-09-16 09:41 . 2008-09-16 09:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-15 16:47 . 2008-09-22 11:16 1,224,736 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-09-15 16:47 . 2008-09-22 11:06 15,308 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-09-15 16:17 . 2008-09-15 16:17 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\MailFrontier
2008-09-15 16:17 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-09-15 16:17 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-09-15 16:17 . 2008-09-15 16:32 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-09-15 16:16 . 2008-09-15 16:16 <DIR> d-------- C:\Program Files\Zone Labs
2008-09-15 10:44 . 2008-09-19 14:00 8,627 --a------ C:\WINDOWS\system32\PAV_FOG.OPC
2008-09-15 10:40 . 2008-09-21 12:18 13,880 --a------ C:\WINDOWS\system32\drivers\COMFiltr.sys
2008-09-15 10:38 . 2008-04-28 17:35 84,024 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2008-09-15 10:38 . 2007-03-15 19:38 54,832 --a------ C:\WINDOWS\system32\pavcpl.cpl
2008-09-15 10:38 . 2008-09-15 10:38 249 --a------ C:\WINDOWS\system32\PavCPL.dat
2008-09-15 10:37 . 2008-09-15 10:37 <DIR> d-------- C:\WINDOWS\system32\PAV
2008-09-15 10:37 . 2008-09-15 10:37 <DIR> d-------- C:\Program Files\Panda Security
2008-09-15 10:37 . 2008-09-15 10:37 <DIR> d-------- C:\Documents and Settings\karen.rothermel.NC4000\Application Data\Panda Security
2008-09-15 10:37 . 2008-09-15 10:37 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Panda Security
2008-09-15 10:37 . 2008-06-18 18:03 520,448 --a------ C:\WINDOWS\system32\PavSHook.dll
2008-09-15 10:37 . 2003-10-22 18:23 446,464 --a------ C:\WINDOWS\system32\HHActiveX.dll
2008-09-15 10:37 . 2008-06-24 14:48 193,280 --a------ C:\WINDOWS\system32\TpUtil.dll
2008-09-15 10:37 . 2007-02-08 11:53 107,568 --a------ C:\WINDOWS\system32\SYSTOOLS.DLL
2008-09-15 10:37 . 2008-06-18 18:03 87,296 --a------ C:\WINDOWS\system32\PavLspHook.dll
2008-09-15 10:37 . 2008-03-18 16:58 58,672 --a------ C:\WINDOWS\system32\avldr.dll
2008-09-15 10:37 . 2008-06-18 18:03 55,552 --a------ C:\WINDOWS\system32\pavipc.dll
2008-09-15 10:34 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-09-15 10:33 . 2008-09-15 10:33 <DIR> d-------- C:\Program Files\Common Files\Panda Security
2008-09-15 10:33 . 2008-02-07 12:03 179,640 --a------ C:\WINDOWS\system32\drivers\PavProc.sys
2008-09-15 10:33 . 2008-03-04 15:59 41,144 --a------ C:\WINDOWS\system32\drivers\ShlDrv51.sys
2008-09-15 09:46 . 2008-09-15 10:05 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-09-14 17:47 . 2008-09-14 17:46 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-09-14 17:46 . 2008-09-14 17:47 <DIR> d-------- C:\Documents and Settings\karen.rothermel.NC4000\.housecall6.6
2008-09-13 23:16 . 2008-09-21 11:17 318 --a------ C:\WINDOWS\wininit.ini
2008-09-13 22:45 . 2008-09-13 22:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-13 22:45 . 2008-09-14 10:23 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-09-13 20:37 . 2008-09-13 20:37 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-13 20:37 . 2008-09-13 20:37 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-09-13 20:36 . 2008-09-13 20:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-13 19:00 . 2008-09-13 19:00 <DIR> d-------- C:\Documents and Settings\karen.rothermel.NC4000\Application Data\Nokia
2008-09-13 18:40 . 2008-09-13 18:40 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-09-13 18:33 . 2008-09-13 18:33 253,440 --a------ C:\WINDOWS\system32\ddcBUnnl.dll
2008-08-31 15:24 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-08-31 15:24 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-08-26 08:33 . 2008-08-26 09:05 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-25 23:11 . 2008-08-25 23:11 <DIR> d-------- C:\Documents and Settings\karen.rothermel.NC4000\Application Data\PC Suite
2008-08-24 19:42 . 2008-08-24 19:42 1,160 --a------ C:\WINDOWS\mozver.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-17 14:49 624,128 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-09-17 14:49 1,416,192 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-09-15 14:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-13 22:58 --------- d-----w C:\Program Files\Neoteris
2008-09-13 22:58 --------- d-----w C:\Documents and Settings\karen.rothermel.NC4000\Application Data\Juniper Networks
2008-09-12 13:54 --------- d-----w C:\Documents and Settings\karen.rothermel.NC4000\Application Data\AdobeUM
2008-08-20 01:42 --------- d-----w C:\Documents and Settings\karen.rothermel.NC4000\Application Data\U3
2008-08-06 14:21 --------- d-----w C:\Program Files\Digital Pen 2 Firmware Updater
2008-08-01 00:05 --------- d-----w C:\Program Files\Google
2008-07-25 02:51 --------- d-----w C:\Program Files\Netflix
2008-07-24 16:04 --------- d-----w C:\Program Files\Java
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-09 13:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 22:12 295,936 ----a-w C:\WINDOWS\system32\wmpeffects.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-09-19_13.15.29.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-17 21:01:28 102,400 ----a-r C:\WINDOWS\Installer\{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}\iTunesIco.exe
+ 2008-09-21 21:36:57 102,400 ----a-r C:\WINDOWS\Installer\{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}\iTunesIco.exe
- 2007-11-30 12:39:22 17,272 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2007-07-27 14:41:40 16,760 ------w C:\WINDOWS\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1CFE9481-EA3F-4434-8D61-1CD94A694F3C}]
2008-09-13 18:33 253440 --a------ C:\WINDOWS\system32\ddcBUnnl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-01-19 4670968]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"GetModule23"="C:\Program Files\GetModule\GetModule23.exe" [BU]
"VnrBlock20"="C:\Program Files\VnrBlock\VnrBlock20.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-29 335872]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Pen.TrayIcon"="C:\PROGRA~1\HEWLET~1\WORKFL~1\DIGITA~2\Pen.TrayIcon.exe" [2005-03-30 20480]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"BM2f8bc985"="C:\WINDOWS\system32\bxjabilf.dll" [BU]
"WD Button Manager"="WDBtnMgr.exe" [2007-02-12 C:\WINDOWS\system32\WDBtnMgr.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2008-03-18 16:58 58672 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-08-01 01:14 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 pavboot;Panda boot driver;C:\WINDOWS\system32\Drivers\pavboot.sys [2008-06-19 28544]
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys [2008-03-04 41144]
R2 Gwmsrv;Panda Goodware Cache Manager;C:\WINDOWS\system32\svchost -k Panda [ ]
R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2008-02-07 179640]
R2 PskSvcRetail;Panda PSK service;C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe [2008-06-25 28928]
R3 ALiIRDA;ALi Infrared Device Driver;C:\WINDOWS\system32\DRIVERS\alifir.sys [2001-08-17 26624]
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys [ ]
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2003-07-29 182101]
R3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys [ ]
R3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys [ ]
R3 Phal;Phal - Logitech io2 USB driver;C:\WINDOWS\system32\Drivers\LPhalUsb.sys [2004-09-27 56320]
R3 WLAN_400_500_SERVICE;HP WLAN W400/W500 Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ar5211.sys [2003-09-11 322528]
S3 ComFiltr;Panda Anti-Dialer;C:\WINDOWS\system32\DRIVERS\COMFiltr.sys [2008-09-21 13880]
S3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys [2003-07-24 5689]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
panda REG_MULTI_SZ Gwmsrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b04bad0-ab76-11dc-ba22-000bcd5cfc04}]
\Shell\AutoRun\command - E:\Launch.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{1FB95697-05F5-42D4-B53F-0F81375D3B0A} - (no file)
BHO-{8166A09D-76D2-4441-9FBC-3344038C358C} - (no file)
BHO-{8AA25BD8-F2C5-462F-B620-3858EB64D2FE} - (no file)
BHO-{9166A16D-533A-4D4B-BF81-011A74C5BB91} - (no file)
BHO-{AAA0C93F-F237-47D2-9CB9-C9C2652ABD11} - (no file)
BHO-{AB3954DA-B5D6-4085-9E94-BDE6EEC75ED9} - (no file)
BHO-{D7336D32-62F7-43B5-8B8C-3963C72CA498} - (no file)
BHO-{D96C5AC8-4531-4D7E-9A9D-9D3409B6B0CC} - (no file)
BHO-{E25AEBED-7955-4764-8478-1039CF3F94BB} - (no file)
BHO-{EDFC6A17-8F43-496C-B2BB-73ECEAB18905} - (no file)
HKLM-Run-2cb8fa19 - C:\WINDOWS\system32\unuleqoi.dll
Notify-hgGwVPHX - (no file)



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-22 11:12:17
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\KB938464.log 515 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\WebProxy.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrlS.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\PavPrSrv.exe
C:\WINDOWS\system32\LPhal.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
C:\Program Files\Dantz\Retrospect\wdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PAVSRV51.EXE
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\AVENGINE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Workflow Connect 250\Digital Pen 250 Download Software\Pen.LplsHost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Common Files\Anoto\3.0\DockingEngine.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-09-22 11:23:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-22 15:23:22
ComboFix2.txt 2008-09-19 17:17:43

Pre-Run: 17,969,700,864 bytes free
Post-Run: 17,960,656,896 bytes free

259 --- E O F --- 2008-09-22 15:18:48



HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:15 AM, on 9/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRAM FILES\PANDA SECURITY\PANDA ANTIVIRUS PRO 2009\WebProxy.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\WINDOWS\system32\LPhal.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\HEWLET~1\WORKFL~1\DIGITA~2\Pen.TrayIcon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Workflow Connect 250\Digital Pen 250 Download Software\Pen.LplsHost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Common Files\Anoto\3.0\DockingEngine.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {28F11A2A-8200-4DCB-8613-661BE48EB195} - C:\WINDOWS\system32\ddcBUnnl.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Pen.TrayIcon] C:\PROGRA~1\HEWLET~1\WORKFL~1\DIGITA~2\Pen.TrayIcon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BM2f8bc985] Rundll32.exe "C:\WINDOWS\system32\tnuilrjc.dll",s
O4 - HKLM\..\Run: [2cb8fa19] rundll32.exe "C:\WINDOWS\system32\tutgcogi.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [GetModule23] "C:\Program Files\GetModule\GetModule23.exe"
O4 - HKCU\..\Run: [VnrBlock20] "C:\Program Files\VnrBlock\VnrBlock20.exe"
O4 - Global Startup: Start WebEx MeetMeNow.LNK = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll (file missing)
O9 - Extra 'Tools' menuitem: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://10.0.0.232
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} (Microsoft Virtual Server VMRC Control) - http://10.0.0.44:1024/VirtualServer/active...tiveXClient.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {D3CCEFAF-8EE1-40FE-BE25-366E2B016DAB} (Microsoft Virtual Server VMRC Control) - http://10.0.0.44:1024/VirtualServer/active...tiveXClient.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/mwmus/tool/systemcheck/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6262915-8780-4177-8412-C2CDC9D166C6}: NameServer = 10.0.0.3,205.171.2.65
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
O23 - Service: Digital Pen rendezvous server (PenRendezvous) - Logitech - C:\WINDOWS\system32\LPhal.exe
O23 - Service: Digital Pen Socket to USB protocol (PenSup) - Logitech - C:\WINDOWS\system32\LPhal.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10425 bytes


Thanks!

#11 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:59 AM

Posted 23 September 2008 - 04:59 AM

I'm sorry, but the last script was a little messed up. :thumbsup: This one should work better.


1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\ddcBUnnl.dll
C:\WINDOWS\system32\hgGwVPHX.dll
C:\Program Files\GetModule\GetModule23.exe
C:\Program Files\VnrBlock\VnrBlock20.exe
C:\WINDOWS\system32\eucywudd.dll
C:\WINDOWS\system32\beryuqey.dll
C:\WINDOWS\system32\cbhfsugp.dll
C:\WINDOWS\system32\jsmojycu.dll
C:\WINDOWS\system32\ftkynx.dll
C:\WINDOWS\system32\yolpvm.dll
C:\WINDOWS\system32\covxmudb.dll
C:\WINDOWS\system32\swnqljij.ini
C:\WINDOWS\system32\nykfwp.dll
C:\WINDOWS\system32\kyuwmfvd.dll
C:\WINDOWS\system32\phifmsje.dll
C:\WINDOWS\system32\oleemr.dll
C:\WINDOWS\system32\wnriflea.dll
C:\WINDOWS\system32\guhuyd.dll
C:\WINDOWS\system32\vgaisvdh.dll
C:\WINDOWS\system32\djqzxp.dll
C:\WINDOWS\system32\jcqpquwd.ini
C:\WINDOWS\system32\ddcBUnnl.dll
C:\WINDOWS\system32\bxjabilf.dll
C:\WINDOWS\system32\unuleqoi.dll
C:\WINDOWS\system32\tnuilrjc.dll
C:\WINDOWS\system32\tutgcogi.dll

Folder::
C:\Program Files\GetModule
C:\Program Files\VnrBlock

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GetModule23"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VnrBlock20"=-



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Save this as CFScript.txt on your desktop, the same as ComboFix.exe
Posted Image
Referring to the picture above, drag CFScript onto ComboFix.

After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
  • A new HijackThis log.
Please take note: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Thanks.

DR

#12 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:59 AM

Posted 25 September 2008 - 06:47 PM

Please consider finishing your cleaning. :)

As I last saw, there were still some files needing to be deleted. :thumbsup:

DR

#13 rotherka

rotherka
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:59 AM

Posted 26 September 2008 - 08:29 AM

Hey, thanks again for all your help, but I ended up rebuilding the computer. Just too many things were going on and I could no longer tell what was virus/trojan and what was good. Before I rebuilt, I did run Malwarebytes which seemed to do a good job of cleaning virtumonde. But I just couldn't trust the system anymore and felt better about rebuilding than going on with a potentially compromised system.

Thanks again!

#14 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:59 AM

Posted 26 September 2008 - 11:42 AM

Not a problem. I know how a compromised computer can feel. Either reinstall or throw the computer out of the window. :thumbsup:

DR

#15 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:02:59 PM

Posted 28 September 2008 - 01:58 PM

Since this issue appears to be resolved, this topic is now closed.
If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.

If you are pleased with the service I have offered, you may like to consider making a donation.
