
Possible Virtumonde Infection. Not Too Sure. Help


20 replies to this topic

#1 pyrosian

pyrosian

  • Members
  • 21 posts

Posted 24 September 2008 - 02:20 AM

XP 2002 Home, Service Pack 3.
Norton antivirus and firewall package.
Loads of P2P file sharing, which is possibly the culprit, but it could be the massive amount of surfing dodgy sites that I do.
Internet Explorer is not performing correctly: loads of pop-ups and hanging of the program.
If I go into Processes and stop iexplorer and explorer, I can manually open Opera and any other software through CTRL+ALT+DEL > Applications > New Task, and they perform perfectly, but the minute I start up Internet Explorer I have the problems again. The keyboard seems to perform slowly at times or miss out on keys at times. I have tested with other keyboards and have the same result. It has only been happening as long as I have had the infection. That's the infection on the PC, not the other one that just itches all night and smells funny.
By the way, Spybot finds problems, but they don't seem to get fixed, as after a rescan they are back again. Norton has the same issues: it finds Virtumonde, but when it is removed it comes straight back. VirtumundoBeGone and VundoFix don't find any problems at all, so I'm not sure that it is a Virtumonde problem.
Here is the HijackThis log... I really hope this is an easy one for you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:12:47, on 9/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DNA\btdna.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Opera\opera.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\hijack this\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [9c827bbc] rundll32.exe "C:\WINDOWS\system32\kicjrilf.dll",b
O4 - HKLM\..\Run: [BM9fb14820] Rundll32.exe "C:\WINDOWS\system32\scpcvctx.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: pejqrk.dll kaflil.dll bdnppb.dll kqhgly.dll venimr.dll qyyegt.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9789 bytes


#2 ourwilly

ourwilly

  • Members
  • 921 posts
  • Gender:Male

Posted 24 September 2008 - 02:49 PM

Hello pyrosian,

Can you please disable TeaTimer. Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose Yes at the Warning prompt.
Expand the Tools menu.
Click Resident.
Uncheck the Resident "TeaTimer" (Protection of overall system settings) active box.
In the File menu click Exit to exit Spybot Search & Destroy.


Next please download MalwareBytes Anti-malware (MBAM) from one of the following links:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt

Please post a new HijackThis log and the MalwareBytes results.

#3 pyrosian

pyrosian
  • Topic Starter

  • Members
  • 21 posts

Posted 26 September 2008 - 05:57 PM

Malwarebytes' Anti-Malware 1.28
Database version: 1203
Windows 5.1.2600 Service Pack 3

9/26/2008 10:55:24 PM
mbam-log-2008-09-26 (22-55-20).txt

Scan type: Full Scan (C:\|D:\|F:\|G:\|)
Objects scanned: 123741
Time elapsed: 40 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 7
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 63

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\qoMcaxWO.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\pejqrk.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\kqhgly.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\venimr.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\bdnppb.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\kaflil.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\qyyegt.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b4be79a3-1094-45d4-820a-3f807aef094a} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{b4be79a3-1094-45d4-820a-3f807aef094a} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{49aca5b6-c136-461d-9ba4-ed76782f6f2a} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{08883342-0236-4c63-a70e-6e1d41bf707a} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{45ffb787-d9cf-4c6e-9528-0124becac2cd} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{9f5eafd9-95ce-4b7a-b157-e1b1576f2898} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{75682729-d7f7-4b92-9011-5bce24e6df0e} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{0e936a77-966e-4b3c-85a2-73514ac9fe26} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9c827bbc (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\qomcaxwo -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomcaxwo -> No action taken.

Folders Infected:
C:\Documents and Settings\Rich and Mel\Application Data\AntispywareBot (Rogue.AntiSpywareBot) -> No action taken.

Files Infected:
C:\WINDOWS\system32\qoMcaxWO.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\OWxacMoq.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\OWxacMoq.ini2 (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\dijexerk.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\krexejid.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\gifwykos.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\sokywfig.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\gwswfqsa.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\asqfwswg.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\whjgyehi.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\iheygjhw.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\xwlrlcyt.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\tyclrlwx.ini (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\Rich and Mel\Local Settings\Temporary Internet Files\Content.IE5\QPXAKBB8\nd82m0[1] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Rich and Mel\Local Settings\Temporary Internet Files\Content.IE5\QPXAKBB8\upd105320[2] (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{D74B556A-1F41-4295-8AF6-BD6D1A47F5F8}\RP102\A0031273.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{D74B556A-1F41-4295-8AF6-BD6D1A47F5F8}\RP103\A0031316.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{D74B556A-1F41-4295-8AF6-BD6D1A47F5F8}\RP103\A0031317.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{D74B556A-1F41-4295-8AF6-BD6D1A47F5F8}\RP103\A0031338.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{D74B556A-1F41-4295-8AF6-BD6D1A47F5F8}\RP107\A0031395.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{D74B556A-1F41-4295-8AF6-BD6D1A47F5F8}\RP113\A0037867.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{D74B556A-1F41-4295-8AF6-BD6D1A47F5F8}\RP115\A0037965.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{D74B556A-1F41-4295-8AF6-BD6D1A47F5F8}\RP117\A0038973.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{D74B556A-1F41-4295-8AF6-BD6D1A47F5F8}\RP98\A0030096.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{D74B556A-1F41-4295-8AF6-BD6D1A47F5F8}\RP98\A0030097.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{D74B556A-1F41-4295-8AF6-BD6D1A47F5F8}\RP98\A0030125.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{D74B556A-1F41-4295-8AF6-BD6D1A47F5F8}\RP99\A0030139.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\aqrqyn.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ovjgtwwd.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\pejqrk.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\pemlisth.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\izkqjx.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\kccwcj.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\kqhgly.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\kqrpiu.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\raudpppg.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\venimr.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\bdnppb.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\hfpawawa.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\nbqlhnuy.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\oiqmmdfn.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\tmdyqx.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\tnpysuoe.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\tqwfubui.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\jihpdwxo.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\kaefolgs.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\kaflil.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\adtjwwvt.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\yxbtlqrr.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\fvqxpq.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\gkkkrk.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\gmlzdw.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\rnmrmkjy.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ktjyskvn.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\qoMccYSJ.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\qyyegt.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\mjtpvslb.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\mlJAsQij.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> No action taken.
C:\WINDOWS\cookies.ini (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\lgupdhev.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\BM9fb14820.xml (Trojan.Vundo) -> No action taken.
C:\WINDOWS\BM9fb14820.txt (Trojan.Vundo) -> No action taken.

#4 pyrosian

pyrosian
  • Topic Starter

  • Members
  • 21 posts

Posted 26 September 2008 - 05:59 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:58:58, on 9/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Opera\opera.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\hijack this\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {0C078F37-430F-43F3-A783-E92CF88F9EB2} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {32807257-6460-4FD0-9D0F-36C31B426667} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {86FC8C7A-730F-4C33-B425-B7B9D76D2A2A} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9239EFC9-8CB0-424A-A6E4-0B1DAEC37D5B} - (no file)
O2 - BHO: (no name) - {941EEAB1-20F8-4E26-99D2-9998EB8B40BC} - (no file)
O2 - BHO: {cf5c3843-c3b7-604b-5994-3b8e417e387a} - {a783e714-e8b3-4995-b406-7b3c3483c5fc} - C:\WINDOWS\system32\vvofhh.dll
O2 - BHO: (no name) - {ACBE48C7-CB45-4F5A-AB1B-1273EB9CD5C0} - (no file)
O2 - BHO: (no name) - {B1677B07-1132-46DC-A321-492E8BC5D27A} - (no file)
O2 - BHO: (no name) - {DA5D2D3C-21DE-4144-A4C2-40FAF61DFC89} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: pejqrk.dll kaflil.dll bdnppb.dll kqhgly.dll venimr.dll qyyegt.dll vvofhh.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10940 bytes

#5 ourwilly

ourwilly

  • Members
  • 921 posts
  • Gender:Male
  • Local time:01:15 PM

Posted 27 September 2008 - 03:40 AM

Hello pyrosian,

You may have noticed "No action taken" showing in the Malwarebytes scan; can you please run through the Malwarebytes' Anti-Malware instructions again. When the scan is finished a message box will appear saying that it has completed scanning successfully. Click OK. Now click Show Results.

Make sure all entries have a checkmark at their far left.

Click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program's quarantine.


Please visit this webpage for download links, and instructions for running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt, a new HijackThis log and the latest Malwarebytes results.

#6 pyrosian

pyrosian
  • Topic Starter

  • Members
  • 21 posts
  • Local time:04:15 AM

Posted 27 September 2008 - 08:17 PM

I really hope I got it right this time. Thanks for the help so far; the comp seems to be running much smoother already.


ComboFix 08-09-27.01 - Rich and Mel 2008-09-28 11:02:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.547 [GMT 10:00]
Running from: C:\Documents and Settings\Rich and Mel\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\RECYCLER\desktopA.sys

.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-28 )))))))))))))))))))))))))))))))
.

2008-09-26 22:17 . 2008-09-26 22:18 50,183 --a------ C:\WINDOWS\system32\oofqdoee.dll
2008-09-26 22:15 . 2008-09-26 22:15 943,933 ---hs---- C:\WINDOWS\system32\vehdpugl.ini
2008-09-26 22:11 . 2008-09-26 22:11 105,984 --a------ C:\WINDOWS\system32\bilqaeuy.dll
2008-09-26 22:09 . 2008-09-26 22:09 105,984 --a------ C:\WINDOWS\system32\nbtamyvd.dll
2008-09-25 21:51 . 2008-09-25 21:51 <DIR> d-------- C:\Documents and Settings\Rich and Mel\Application Data\Malwarebytes
2008-09-25 21:50 . 2008-09-25 21:54 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-25 21:50 . 2008-09-25 21:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-25 21:50 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-25 21:50 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-24 17:11 . 2008-09-24 17:11 <DIR> d-------- C:\Program Files\New Folder (2)
2008-09-24 17:11 . 2008-09-24 17:11 <DIR> d-------- C:\Program Files\New Folder
2008-09-24 17:11 . 2008-09-28 10:58 <DIR> d-------- C:\Program Files\hijack this
2008-09-24 15:42 . 2008-09-24 15:42 50,183 --a------ C:\WINDOWS\system32\ghpcoygr.dll
2008-09-24 15:33 . 2008-09-24 15:33 96,256 --a------ C:\WINDOWS\system32\scpcvctx.dll
2008-09-23 15:39 . 2008-09-23 15:39 50,183 --a------ C:\WINDOWS\system32\aecwhige.dll
2008-09-23 15:36 . 2008-09-23 15:36 879,723 ---hs---- C:\WINDOWS\system32\ihibqtdk.ini
2008-09-22 21:14 . 2008-09-22 21:14 3,270 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-22 15:38 . 2008-09-22 15:38 50,183 --a------ C:\WINDOWS\system32\rheyrotg.dll
2008-09-22 15:32 . 2008-09-22 15:32 95,744 --a------ C:\WINDOWS\system32\mnueghtt.dll
2008-09-21 16:49 . 2008-09-23 20:38 <DIR> d-------- C:\Documents and Settings\Rich and Mel\Graphisoft
2008-09-21 16:49 . 2008-09-21 20:21 <DIR> d-------- C:\Documents and Settings\Rich and Mel\Application Data\Graphisoft
2008-09-21 16:48 . 2008-09-21 16:48 <DIR> d-------- C:\Program Files\WIBUKEY
2008-09-21 16:48 . 2008-09-21 16:48 <DIR> d-------- C:\Program Files\WIBU-SYSTEMS
2008-09-21 16:47 . 2008-09-21 16:48 <DIR> d-------- C:\Program Files\QuickTime
2008-09-21 16:47 . 2008-09-21 16:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-09-21 16:46 . 2008-09-21 16:46 <DIR> d-------- C:\Program Files\Apple Software Update
2008-09-21 16:46 . 2008-09-21 16:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-09-21 16:46 . 2008-09-21 16:46 8,122 --a------ C:\WINDOWS\vpd.properties
2008-09-21 16:43 . 2008-09-21 16:43 <DIR> d-------- C:\Program Files\Graphisoft
2008-09-21 16:31 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-21 15:42 . 2008-09-21 15:42 50,183 --a------ C:\WINDOWS\system32\xdbuhjjk.dll
2008-09-21 15:36 . 2008-09-22 14:47 1,002,089 ---hs---- C:\WINDOWS\system32\flirjcik.ini
2008-09-21 15:33 . 2008-09-21 15:33 96,256 --a------ C:\WINDOWS\system32\xrdenmjp.dll
2008-09-20 15:36 . 2008-09-20 15:36 50,183 --a------ C:\WINDOWS\system32\gnrjefxo.dll
2008-09-19 15:33 . 2008-09-19 15:33 50,183 --a------ C:\WINDOWS\system32\gjcvbhjh.dll
2008-09-19 13:59 . 2008-09-19 13:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-09-19 13:48 . 2008-09-19 13:48 <DIR> d-------- C:\Program Files\Yahoo!
2008-09-19 12:15 . 2008-09-19 12:15 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-18 21:54 . 2008-09-18 21:54 268 --ah----- C:\sqmdata09.sqm
2008-09-18 21:54 . 2008-09-18 21:54 244 --ah----- C:\sqmnoopt09.sqm
2008-09-18 18:35 . 2008-09-18 18:35 50,183 --a------ C:\WINDOWS\system32\vhyscgmt.dll
2008-09-17 22:48 . 2008-09-17 22:48 268 --ah----- C:\sqmdata08.sqm
2008-09-17 22:48 . 2008-09-17 22:48 244 --ah----- C:\sqmnoopt08.sqm
2008-09-17 21:32 . 2008-09-21 08:52 381 --a------ C:\WINDOWS\wininit.ini
2008-09-17 21:11 . 2008-09-18 18:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-17 21:11 . 2008-09-19 08:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-17 16:40 . 2008-09-17 16:40 <DIR> d-------- C:\Program Files\Opera
2008-09-17 15:37 . 2008-09-18 18:26 1,059,522 ---hs---- C:\WINDOWS\system32\kvnpwxcm.ini
2008-09-17 15:30 . 2008-09-17 15:30 50,183 --a------ C:\WINDOWS\system32\wogaaxdx.dll
2008-09-16 22:10 . 2008-09-16 22:10 268 --ah----- C:\sqmdata07.sqm
2008-09-16 22:10 . 2008-09-16 22:10 244 --ah----- C:\sqmnoopt07.sqm
2008-09-16 11:33 . 2008-09-17 15:29 1,180,998 ---hs---- C:\WINDOWS\system32\nesarjbw.ini
2008-09-16 10:18 . 2008-09-16 10:18 50,183 --a------ C:\WINDOWS\system32\pxebvgxc.dll
2008-09-15 13:34 . 2008-09-15 13:34 268 --ah----- C:\sqmdata06.sqm
2008-09-15 13:34 . 2008-09-15 13:34 244 --ah----- C:\sqmnoopt06.sqm
2008-09-15 10:24 . 2008-09-15 10:24 50,240 --a------ C:\WINDOWS\system32\wxdkqxtt.dll
2008-09-15 10:21 . 2008-09-16 11:33 1,179,156 ---hs---- C:\WINDOWS\system32\npcdquob.ini
2008-09-15 10:15 . 2008-09-15 10:15 95,744 --a------ C:\WINDOWS\system32\djjgqjxf.dll
2008-09-15 09:51 . 2008-09-15 09:51 1,124,748 ---hs---- C:\WINDOWS\system32\rqtpbbuv.ini
2008-09-15 09:45 . 2008-09-15 09:45 95,744 --a------ C:\WINDOWS\system32\vcnnyksh.dll
2008-09-14 22:54 . 2008-09-14 22:54 268 --ah----- C:\sqmdata05.sqm
2008-09-14 22:54 . 2008-09-14 22:54 244 --ah----- C:\sqmnoopt05.sqm
2008-09-14 09:51 . 2008-09-14 09:51 50,183 --a------ C:\WINDOWS\system32\bnsfvfbj.dll
2008-09-14 09:48 . 2008-09-15 09:50 1,124,688 ---hs---- C:\WINDOWS\system32\ofcoxmtg.ini
2008-09-14 09:44 . 2008-09-14 09:44 96,256 --a------ C:\WINDOWS\system32\uebdheen.dll
2008-09-13 12:16 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-09-13 12:15 . 2008-09-13 12:15 <DIR> d-------- C:\Program Files\Panda Security
2008-09-13 11:52 . 2005-02-16 11:06 218,112 --a------ C:\Program Files\MyHijackThis.exe
2008-09-13 11:36 . 2008-09-13 11:36 <DIR> d-------- C:\VundoFix Backups
2008-09-13 08:12 . 2008-09-14 09:43 2,070,036 ---hs---- C:\WINDOWS\system32\iictqmhc.ini
2008-09-13 08:07 . 2008-09-13 08:07 95,744 --a------ C:\WINDOWS\system32\dbraixha.dll
2008-09-12 20:28 . 2008-09-13 08:06 1,178,829 ---hs---- C:\WINDOWS\system32\mibuscbv.ini
2008-09-12 20:17 . 2008-09-12 20:17 4,096 --a------ C:\ombos.exe
2008-09-11 18:59 . 2008-09-11 19:05 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-09-08 19:03 . 2008-09-08 19:03 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-09-08 19:03 . 2008-09-08 19:03 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-09-08 19:02 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-09-07 10:04 . 2008-09-27 11:15 <DIR> d-------- C:\Program Files\Household
2008-09-07 10:04 . 2003-05-28 01:11 110,592 --a------ C:\WINDOWS\system32\tsccvid.dll
2008-09-07 09:30 . 2008-09-07 09:30 <DIR> d-------- C:\Owl
2008-09-07 09:30 . 2008-09-07 09:30 65,536 --a------ C:\WINDOWS\IFinst27.exe
2008-08-31 20:33 . 2008-09-03 15:44 <DIR> d-------- C:\Program Files\yWriter4
2008-08-31 20:33 . 2004-03-09 16:45 662,288 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2008-08-31 20:33 . 1998-05-11 20:01 240,944 --a------ C:\WINDOWS\system32\RICHED.DLL
2008-08-31 20:33 . 2004-03-09 16:45 212,240 --a------ C:\WINDOWS\system32\RICHTX32.OCX
2008-08-31 20:33 . 2004-03-09 16:45 132,880 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-08-31 11:05 . 2008-04-14 10:12 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-31 09:36 . 2008-08-31 09:36 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-31 09:36 . 2008-08-31 09:36 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-31 09:36 . 2008-08-31 09:36 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-31 09:36 . 2008-08-31 09:36 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-31 09:34 . 2008-08-31 09:36 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-31 09:29 . 2008-08-31 09:29 <DIR> d-------- C:\WINDOWS\EHome
2008-08-31 09:26 . 2008-08-31 09:26 268 --ah----- C:\sqmdata04.sqm
2008-08-31 09:26 . 2008-08-31 09:26 244 --ah----- C:\sqmnoopt04.sqm
2008-08-29 06:45 . 2008-04-14 10:12 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-28 01:07 --------- d-----w C:\Documents and Settings\Rich and Mel\Application Data\DNA
2008-09-28 01:04 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-28 00:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-27 05:36 --------- d-----w C:\Documents and Settings\Rich and Mel\Application Data\BitTorrent
2008-09-24 06:54 10,448 ----a-w C:\Program Files\hijackthis.log
2008-09-21 06:57 --------- d-----w C:\Documents and Settings\Rich and Mel\Application Data\AdobeUM
2008-09-21 06:31 --------- d-----w C:\Program Files\Java
2008-09-19 09:39 --------- d-----w C:\Program Files\DNA
2008-09-14 11:15 --------- d-----w C:\Program Files\SmartDraw 2008
2008-09-13 09:09 --------- d-----w C:\Program Files\EphPod
2008-09-13 01:59 --------- d-----w C:\Program Files\GameHouse
2008-09-10 12:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-08 09:03 --------- d-----w C:\Program Files\MSBuild
2008-08-24 05:22 --------- d-----w C:\Documents and Settings\Rich and Mel\Application Data\SmartDraw
2008-08-18 09:23 --------- d-----w C:\Program Files\7-Zip
2008-08-18 09:15 --------- d-----w C:\Program Files\BitZipper
2008-08-18 09:15 --------- d-----w C:\Documents and Settings\Rich and Mel\Application Data\BitZipper
2008-08-09 02:32 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-07 00:34 --------- d-----w C:\Documents and Settings\Rich and Mel\Application Data\dvdcss
2008-08-02 08:17 --------- d-----w C:\Program Files\Common Files\logishrd
2008-08-02 08:15 --------- d-----w C:\Program Files\Logitech
2008-08-02 08:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-08-02 05:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-02 05:11 --------- d-----w C:\Program Files\Belkin
2008-08-01 00:32 --------- d-----w C:\Program Files\Common Files\Java
2008-07-30 07:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 07:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 07:28 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-07-29 10:46 --------- d-----w C:\Program Files\Norton Internet Security
2008-07-13 10:06 16,376 ----a-w C:\WINDOWS\gdrv.sys
2008-07-13 07:02 315,392 ----a-w C:\WINDOWS\HideWin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-09-19 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-09-05 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-09-05 166424]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-09-05 137752]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 771704]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 286720]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 C:\WINDOWS\RTHDCPL.exe]
"bcmwltry"="bcmwltry.exe" [2003-07-25 C:\WINDOWS\system32\bcmwltry.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Documents and Settings\\Rich and Mel\\My Documents\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]
S2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys [ ]
S3 Diag69xp;Diag69xp;C:\WINDOWS\system32\Drivers\Diag69xp.sys [ ]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{0C078F37-430F-43F3-A783-E92CF88F9EB2} - (no file)
BHO-{32807257-6460-4FD0-9D0F-36C31B426667} - (no file)
BHO-{86FC8C7A-730F-4C33-B425-B7B9D76D2A2A} - (no file)
BHO-{9239EFC9-8CB0-424A-A6E4-0B1DAEC37D5B} - (no file)
BHO-{941EEAB1-20F8-4E26-99D2-9998EB8B40BC} - (no file)
BHO-{ACBE48C7-CB45-4F5A-AB1B-1273EB9CD5C0} - (no file)
BHO-{B1677B07-1132-46DC-A321-492E8BC5D27A} - (no file)
BHO-{DA5D2D3C-21DE-4144-A4C2-40FAF61DFC89} - (no file)
HKLM-Run-removecpl - RemoveCpl.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com.au/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-28 11:07:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\logishrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\logishrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2008-09-28 11:13:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-28 01:13:35

Pre-Run: 21,880,115,200 bytes free
Post-Run: 21,843,161,088 bytes free

264 --- E O F --- 2008-09-10 12:58:21


Malwarebytes' Anti-Malware 1.28
Database version: 1203
Windows 5.1.2600 Service Pack 3

9/28/2008 10:46:43 AM
mbam-log-2008-09-28 (10-46-43).txt

Scan type: Full Scan (C:\|D:\|F:\|G:\|)
Objects scanned: 124706
Time elapsed: 41 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a783e714-e8b3-4995-b406-7b3c3483c5fc} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a783e714-e8b3-4995-b406-7b3c3483c5fc} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\vvofhh.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\oehutauk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:20, on 9/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\hijack this\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {0C078F37-430F-43F3-A783-E92CF88F9EB2} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {32807257-6460-4FD0-9D0F-36C31B426667} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {86FC8C7A-730F-4C33-B425-B7B9D76D2A2A} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9239EFC9-8CB0-424A-A6E4-0B1DAEC37D5B} - (no file)
O2 - BHO: (no name) - {941EEAB1-20F8-4E26-99D2-9998EB8B40BC} - (no file)
O2 - BHO: (no name) - {ACBE48C7-CB45-4F5A-AB1B-1273EB9CD5C0} - (no file)
O2 - BHO: (no name) - {B1677B07-1132-46DC-A321-492E8BC5D27A} - (no file)
O2 - BHO: (no name) - {DA5D2D3C-21DE-4144-A4C2-40FAF61DFC89} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: pejqrk.dll kaflil.dll bdnppb.dll kqhgly.dll venimr.dll qyyegt.dll vvofhh.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10330 bytes

#7 ourwilly

ourwilly

  • Members
  • 921 posts
  • Gender:Male
  • Local time:01:15 PM

Posted 28 September 2008 - 03:23 AM

Hello pyrosian,

Open HijackThis again, select "Do a System Scan only" and place a checkmark in the box before the following entry:

O20 - AppInit_DLLs: pejqrk.dll kaflil.dll bdnppb.dll kqhgly.dll venimr.dll qyyegt.dll vvofhh.dll

Close all other open windows and click on Fix checked, then exit HijackThis.


Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All. Click the Empty Selected button.

If you use Firefox browser - Click Firefox at the top and choose: Select All
Click the Empty Selected button.
If you use Opera browser - Click Opera at the top and choose: Select All
Click the Empty Selected button.
Click Exit on the Main menu to close the program.


Please use Internet Explorer and run this online scan with Kaspersky WebScanner
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:

Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan: Select My Computer

The program will start and scan your system. This will take a while, so be patient and let it run.

When the scan has completed, click Save Report As a Text File.
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Copy and paste that information in your next post along with a new HijackThis log.

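The AppInit_DLLs entry ourwilly asks to fix is the one place in these logs where the infection re-arms itself: every DLL named in that value is loaded by user32.dll into each process that maps it, so a scanner that deletes one file while the registry value still names the others will see them come straight back. As an added example (not part of the thread, and not HijackThis's or Symantec's code), here is a small Python triage over HijackThis-style log lines that splits the O20 value into individual DLL names, flags O2 BHO registrations whose DLL is "(no file)", and marks O4 Run entries that launch a bare filename via the search path. The sample lines are constructed to match the log format in this thread; the heuristics and the Finding type are this example's own assumptions.

```python
"""Triage HijackThis-style log lines for Vundo/Virtumonde persistence.

Added example for this thread, not HijackThis's own logic.  Heuristics
(assumptions of this example):
  * O20 AppInit_DLLs: every DLL listed is loaded into each process that maps
    user32.dll, so each name is reported individually.
  * O2 BHO entries whose target is "(no file)" are orphaned CLSIDs left
    behind after the DLL was removed; report them for cleanup.
  * O4 Run entries whose command has no directory component are resolved
    via the search path; report them for manual review (legitimate vendor
    entries such as RTHDCPL.EXE in this thread's log look the same).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample lines in the HijackThis v2 format seen in the thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {0C078F37-430F-43F3-A783-E92CF88F9EB2} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_03\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [removecpl] RemoveCpl.exe
O20 - AppInit_DLLs: pejqrk.dll kaflil.dll bdnppb.dll
O23 - Service: LiveUpdate - Symantec Corporation - C:\\PROGRA~1\\Symantec\\LIVEUP~1\\LUCOMS~1.EXE
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code: "O2", "O4" or "O20"
    item: str     # DLL name, BHO CLSID or Run value name
    reason: str


_BHO_RE = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
_RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (.*)$")


def _executable(command: str) -> str:
    """Return the program part of a Run command, without quotes or arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """Scan every line of a HijackThis log and return the items worth acting on."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := _APPINIT_RE.match(line):
            # The value is space-separated; the thread's log carries seven random names here.
            for dll in m.group(1).split():
                findings.append(Finding("O20", dll, "AppInit_DLLs: loaded into every user32 process"))
        elif m := _BHO_RE.match(line):
            clsid, target = m.group(1), m.group(2).strip()
            if target == "(no file)":
                findings.append(Finding("O2", clsid, "orphaned BHO registration, DLL missing"))
        elif m := _RUN_RE.match(line):
            hive, name, command = m.groups()
            exe = _executable(command)
            if "\\" not in exe and "/" not in exe:
                findings.append(Finding("O4", name, f"{hive} Run launches bare name {exe!r} via search path"))
    return findings


def appinit_dlls(log_text: str) -> list[str]:
    """Just the DLL names from the O20 line, the list HijackThis 'Fix checked' clears."""
    return [f.item for f in triage(log_text) if f.section == "O20"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.item:<40} {f.reason}")
```

Running it against a saved hijackthis.log instead of SAMPLE_LOG gives the list of names to look for under C:\WINDOWS\system32 after the fix; if the O20 line reappears on the next scan with new names, the dropper is still running and the file list alone is not enough.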
#8 pyrosian

  • Topic Starter

  • Members
  • 21 posts
  • Local time:04:15 AM

Posted 28 September 2008 - 09:52 PM

NOTE: When I tried to do the Kaspersky scan with the scan area set to My Computer, it constantly stalled at 7%. That was with security programs and all non-essential Windows programs and processes stopped. When I scanned C: it scanned with no problems. Will continue to try the full scan and post results; let me know if it is not necessary and I won't bother.


KASPERSKY ONLINE SCANNER 7 REPORT
Monday, September 29, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, September 28, 2008 22:57:32
Records in database: 1269792


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area Folder
C:\

Scan statistics
Files scanned 61689
Threat name 4
Infected objects 18
Suspicious objects 0
Duration of the scan 00:37:55

File name Threat name Threats count
C:\Documents and Settings\Rich and Mel\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

C:\Documents and Settings\Rich and Mel\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

C:\Documents and Settings\Rich and Mel\My Documents\Game\Linerider 2.exe Infected: Trojan-PSW.Win32.LdPinch.ger 1

C:\Documents and Settings\Rich and Mel\My Documents\Game\mitches games\jakes games\Linerider 2.exe Infected: Trojan-PSW.Win32.LdPinch.ger 1

C:\WINDOWS\system32\aecwhige.dll Infected: Trojan.Win32.Monder.gen 1

C:\WINDOWS\system32\bilqaeuy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.alqn 1

C:\WINDOWS\system32\bnsfvfbj.dll Infected: Trojan.Win32.Monder.gen 1

C:\WINDOWS\system32\ghpcoygr.dll Infected: Trojan.Win32.Monder.gen 1

C:\WINDOWS\system32\gjcvbhjh.dll Infected: Trojan.Win32.Monder.gen 1

C:\WINDOWS\system32\gnrjefxo.dll Infected: Trojan.Win32.Monder.gen 1

C:\WINDOWS\system32\nbtamyvd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.alqn 1

C:\WINDOWS\system32\oofqdoee.dll Infected: Trojan.Win32.Monder.gen 1

C:\WINDOWS\system32\pxebvgxc.dll Infected: Trojan.Win32.Monder.gen 1

C:\WINDOWS\system32\rheyrotg.dll Infected: Trojan.Win32.Monder.gen 1

C:\WINDOWS\system32\vhyscgmt.dll Infected: Trojan.Win32.Monder.gen 1

C:\WINDOWS\system32\wogaaxdx.dll Infected: Trojan.Win32.Monder.gen 1

C:\WINDOWS\system32\wxdkqxtt.dll Infected: Trojan.Win32.Monder.gen 1

C:\WINDOWS\system32\xdbuhjjk.dll Infected: Trojan.Win32.Monder.gen 1

The selected area was scanned.




ComboFix 08-09-27.01 - Rich and Mel 2008-09-28 11:02:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.547 [GMT 10:00]
Running from: C:\Documents and Settings\Rich and Mel\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\RECYCLER\desktopA.sys

.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-28 )))))))))))))))))))))))))))))))
.

2008-09-26 22:17 . 2008-09-26 22:18 50,183 --a------ C:\WINDOWS\system32\oofqdoee.dll
2008-09-26 22:15 . 2008-09-26 22:15 943,933 ---hs---- C:\WINDOWS\system32\vehdpugl.ini
2008-09-26 22:11 . 2008-09-26 22:11 105,984 --a------ C:\WINDOWS\system32\bilqaeuy.dll
2008-09-26 22:09 . 2008-09-26 22:09 105,984 --a------ C:\WINDOWS\system32\nbtamyvd.dll
2008-09-25 21:51 . 2008-09-25 21:51 <DIR> d-------- C:\Documents and Settings\Rich and Mel\Application Data\Malwarebytes
2008-09-25 21:50 . 2008-09-25 21:54 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-25 21:50 . 2008-09-25 21:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-25 21:50 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-25 21:50 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-24 17:11 . 2008-09-24 17:11 <DIR> d-------- C:\Program Files\New Folder (2)
2008-09-24 17:11 . 2008-09-24 17:11 <DIR> d-------- C:\Program Files\New Folder
2008-09-24 17:11 . 2008-09-28 10:58 <DIR> d-------- C:\Program Files\hijack this
2008-09-24 15:42 . 2008-09-24 15:42 50,183 --a------ C:\WINDOWS\system32\ghpcoygr.dll
2008-09-24 15:33 . 2008-09-24 15:33 96,256 --a------ C:\WINDOWS\system32\scpcvctx.dll
2008-09-23 15:39 . 2008-09-23 15:39 50,183 --a------ C:\WINDOWS\system32\aecwhige.dll
2008-09-23 15:36 . 2008-09-23 15:36 879,723 ---hs---- C:\WINDOWS\system32\ihibqtdk.ini
2008-09-22 21:14 . 2008-09-22 21:14 3,270 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-22 15:38 . 2008-09-22 15:38 50,183 --a------ C:\WINDOWS\system32\rheyrotg.dll
2008-09-22 15:32 . 2008-09-22 15:32 95,744 --a------ C:\WINDOWS\system32\mnueghtt.dll
2008-09-21 16:49 . 2008-09-23 20:38 <DIR> d-------- C:\Documents and Settings\Rich and Mel\Graphisoft
2008-09-21 16:49 . 2008-09-21 20:21 <DIR> d-------- C:\Documents and Settings\Rich and Mel\Application Data\Graphisoft
2008-09-21 16:48 . 2008-09-21 16:48 <DIR> d-------- C:\Program Files\WIBUKEY
2008-09-21 16:48 . 2008-09-21 16:48 <DIR> d-------- C:\Program Files\WIBU-SYSTEMS
2008-09-21 16:47 . 2008-09-21 16:48 <DIR> d-------- C:\Program Files\QuickTime
2008-09-21 16:47 . 2008-09-21 16:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-09-21 16:46 . 2008-09-21 16:46 <DIR> d-------- C:\Program Files\Apple Software Update
2008-09-21 16:46 . 2008-09-21 16:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-09-21 16:46 . 2008-09-21 16:46 8,122 --a------ C:\WINDOWS\vpd.properties
2008-09-21 16:43 . 2008-09-21 16:43 <DIR> d-------- C:\Program Files\Graphisoft
2008-09-21 16:31 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-21 15:42 . 2008-09-21 15:42 50,183 --a------ C:\WINDOWS\system32\xdbuhjjk.dll
2008-09-21 15:36 . 2008-09-22 14:47 1,002,089 ---hs---- C:\WINDOWS\system32\flirjcik.ini
2008-09-21 15:33 . 2008-09-21 15:33 96,256 --a------ C:\WINDOWS\system32\xrdenmjp.dll
2008-09-20 15:36 . 2008-09-20 15:36 50,183 --a------ C:\WINDOWS\system32\gnrjefxo.dll
2008-09-19 15:33 . 2008-09-19 15:33 50,183 --a------ C:\WINDOWS\system32\gjcvbhjh.dll
2008-09-19 13:59 . 2008-09-19 13:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-09-19 13:48 . 2008-09-19 13:48 <DIR> d-------- C:\Program Files\Yahoo!
2008-09-19 12:15 . 2008-09-19 12:15 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-18 21:54 . 2008-09-18 21:54 268 --ah----- C:\sqmdata09.sqm
2008-09-18 21:54 . 2008-09-18 21:54 244 --ah----- C:\sqmnoopt09.sqm
2008-09-18 18:35 . 2008-09-18 18:35 50,183 --a------ C:\WINDOWS\system32\vhyscgmt.dll
2008-09-17 22:48 . 2008-09-17 22:48 268 --ah----- C:\sqmdata08.sqm
2008-09-17 22:48 . 2008-09-17 22:48 244 --ah----- C:\sqmnoopt08.sqm
2008-09-17 21:32 . 2008-09-21 08:52 381 --a------ C:\WINDOWS\wininit.ini
2008-09-17 21:11 . 2008-09-18 18:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-17 21:11 . 2008-09-19 08:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-17 16:40 . 2008-09-17 16:40 <DIR> d-------- C:\Program Files\Opera
2008-09-17 15:37 . 2008-09-18 18:26 1,059,522 ---hs---- C:\WINDOWS\system32\kvnpwxcm.ini
2008-09-17 15:30 . 2008-09-17 15:30 50,183 --a------ C:\WINDOWS\system32\wogaaxdx.dll
2008-09-16 22:10 . 2008-09-16 22:10 268 --ah----- C:\sqmdata07.sqm
2008-09-16 22:10 . 2008-09-16 22:10 244 --ah----- C:\sqmnoopt07.sqm
2008-09-16 11:33 . 2008-09-17 15:29 1,180,998 ---hs---- C:\WINDOWS\system32\nesarjbw.ini
2008-09-16 10:18 . 2008-09-16 10:18 50,183 --a------ C:\WINDOWS\system32\pxebvgxc.dll
2008-09-15 13:34 . 2008-09-15 13:34 268 --ah----- C:\sqmdata06.sqm
2008-09-15 13:34 . 2008-09-15 13:34 244 --ah----- C:\sqmnoopt06.sqm
2008-09-15 10:24 . 2008-09-15 10:24 50,240 --a------ C:\WINDOWS\system32\wxdkqxtt.dll
2008-09-15 10:21 . 2008-09-16 11:33 1,179,156 ---hs---- C:\WINDOWS\system32\npcdquob.ini
2008-09-15 10:15 . 2008-09-15 10:15 95,744 --a------ C:\WINDOWS\system32\djjgqjxf.dll
2008-09-15 09:51 . 2008-09-15 09:51 1,124,748 ---hs---- C:\WINDOWS\system32\rqtpbbuv.ini
2008-09-15 09:45 . 2008-09-15 09:45 95,744 --a------ C:\WINDOWS\system32\vcnnyksh.dll
2008-09-14 22:54 . 2008-09-14 22:54 268 --ah----- C:\sqmdata05.sqm
2008-09-14 22:54 . 2008-09-14 22:54 244 --ah----- C:\sqmnoopt05.sqm
2008-09-14 09:51 . 2008-09-14 09:51 50,183 --a------ C:\WINDOWS\system32\bnsfvfbj.dll
2008-09-14 09:48 . 2008-09-15 09:50 1,124,688 ---hs---- C:\WINDOWS\system32\ofcoxmtg.ini
2008-09-14 09:44 . 2008-09-14 09:44 96,256 --a------ C:\WINDOWS\system32\uebdheen.dll
2008-09-13 12:16 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-09-13 12:15 . 2008-09-13 12:15 <DIR> d-------- C:\Program Files\Panda Security
2008-09-13 11:52 . 2005-02-16 11:06 218,112 --a------ C:\Program Files\MyHijackThis.exe
2008-09-13 11:36 . 2008-09-13 11:36 <DIR> d-------- C:\VundoFix Backups
2008-09-13 08:12 . 2008-09-14 09:43 2,070,036 ---hs---- C:\WINDOWS\system32\iictqmhc.ini
2008-09-13 08:07 . 2008-09-13 08:07 95,744 --a------ C:\WINDOWS\system32\dbraixha.dll
2008-09-12 20:28 . 2008-09-13 08:06 1,178,829 ---hs---- C:\WINDOWS\system32\mibuscbv.ini
2008-09-12 20:17 . 2008-09-12 20:17 4,096 --a------ C:\ombos.exe
2008-09-11 18:59 . 2008-09-11 19:05 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-09-08 19:03 . 2008-09-08 19:03 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-09-08 19:03 . 2008-09-08 19:03 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-09-08 19:02 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-09-07 10:04 . 2008-09-27 11:15 <DIR> d-------- C:\Program Files\Household
2008-09-07 10:04 . 2003-05-28 01:11 110,592 --a------ C:\WINDOWS\system32\tsccvid.dll
2008-09-07 09:30 . 2008-09-07 09:30 <DIR> d-------- C:\Owl
2008-09-07 09:30 . 2008-09-07 09:30 65,536 --a------ C:\WINDOWS\IFinst27.exe
2008-08-31 20:33 . 2008-09-03 15:44 <DIR> d-------- C:\Program Files\yWriter4
2008-08-31 20:33 . 2004-03-09 16:45 662,288 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2008-08-31 20:33 . 1998-05-11 20:01 240,944 --a------ C:\WINDOWS\system32\RICHED.DLL
2008-08-31 20:33 . 2004-03-09 16:45 212,240 --a------ C:\WINDOWS\system32\RICHTX32.OCX
2008-08-31 20:33 . 2004-03-09 16:45 132,880 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-08-31 11:05 . 2008-04-14 10:12 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-31 09:36 . 2008-08-31 09:36 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-31 09:36 . 2008-08-31 09:36 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-31 09:36 . 2008-08-31 09:36 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-31 09:36 . 2008-08-31 09:36 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-31 09:34 . 2008-08-31 09:36 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-31 09:29 . 2008-08-31 09:29 <DIR> d-------- C:\WINDOWS\EHome
2008-08-31 09:26 . 2008-08-31 09:26 268 --ah----- C:\sqmdata04.sqm
2008-08-31 09:26 . 2008-08-31 09:26 244 --ah----- C:\sqmnoopt04.sqm
2008-08-29 06:45 . 2008-04-14 10:12 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-28 01:07 --------- d-----w C:\Documents and Settings\Rich and Mel\Application Data\DNA
2008-09-28 01:04 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-28 00:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-27 05:36 --------- d-----w C:\Documents and Settings\Rich and Mel\Application Data\BitTorrent
2008-09-24 06:54 10,448 ----a-w C:\Program Files\hijackthis.log
2008-09-21 06:57 --------- d-----w C:\Documents and Settings\Rich and Mel\Application Data\AdobeUM
2008-09-21 06:31 --------- d-----w C:\Program Files\Java
2008-09-19 09:39 --------- d-----w C:\Program Files\DNA
2008-09-14 11:15 --------- d-----w C:\Program Files\SmartDraw 2008
2008-09-13 09:09 --------- d-----w C:\Program Files\EphPod
2008-09-13 01:59 --------- d-----w C:\Program Files\GameHouse
2008-09-10 12:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-08 09:03 --------- d-----w C:\Program Files\MSBuild
2008-08-24 05:22 --------- d-----w C:\Documents and Settings\Rich and Mel\Application Data\SmartDraw
2008-08-18 09:23 --------- d-----w C:\Program Files\7-Zip
2008-08-18 09:15 --------- d-----w C:\Program Files\BitZipper
2008-08-18 09:15 --------- d-----w C:\Documents and Settings\Rich and Mel\Application Data\BitZipper
2008-08-09 02:32 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-07 00:34 --------- d-----w C:\Documents and Settings\Rich and Mel\Application Data\dvdcss
2008-08-02 08:17 --------- d-----w C:\Program Files\Common Files\logishrd
2008-08-02 08:15 --------- d-----w C:\Program Files\Logitech
2008-08-02 08:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-08-02 05:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-02 05:11 --------- d-----w C:\Program Files\Belkin
2008-08-01 00:32 --------- d-----w C:\Program Files\Common Files\Java
2008-07-30 07:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 07:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 07:28 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-07-29 10:46 --------- d-----w C:\Program Files\Norton Internet Security
2008-07-13 10:06 16,376 ----a-w C:\WINDOWS\gdrv.sys
2008-07-13 07:02 315,392 ----a-w C:\WINDOWS\HideWin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-09-19 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-09-05 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-09-05 166424]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-09-05 137752]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 771704]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 286720]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 C:\WINDOWS\RTHDCPL.exe]
"bcmwltry"="bcmwltry.exe" [2003-07-25 C:\WINDOWS\system32\bcmwltry.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Documents and Settings\\Rich and Mel\\My Documents\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]
S2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys [ ]
S3 Diag69xp;Diag69xp;C:\WINDOWS\system32\Drivers\Diag69xp.sys [ ]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{0C078F37-430F-43F3-A783-E92CF88F9EB2} - (no file)
BHO-{32807257-6460-4FD0-9D0F-36C31B426667} - (no file)
BHO-{86FC8C7A-730F-4C33-B425-B7B9D76D2A2A} - (no file)
BHO-{9239EFC9-8CB0-424A-A6E4-0B1DAEC37D5B} - (no file)
BHO-{941EEAB1-20F8-4E26-99D2-9998EB8B40BC} - (no file)
BHO-{ACBE48C7-CB45-4F5A-AB1B-1273EB9CD5C0} - (no file)
BHO-{B1677B07-1132-46DC-A321-492E8BC5D27A} - (no file)
BHO-{DA5D2D3C-21DE-4144-A4C2-40FAF61DFC89} - (no file)
HKLM-Run-removecpl - RemoveCpl.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com.au/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-28 11:07:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\logishrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\logishrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2008-09-28 11:13:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-28 01:13:35

Pre-Run: 21,880,115,200 bytes free
Post-Run: 21,843,161,088 bytes free

264 --- E O F --- 2008-09-10 12:58:21



Malwarebytes' Anti-Malware 1.28
Database version: 1203
Windows 5.1.2600 Service Pack 3

9/28/2008 10:46:43 AM
mbam-log-2008-09-28 (10-46-43).txt

Scan type: Full Scan (C:\|D:\|F:\|G:\|)
Objects scanned: 124706
Time elapsed: 41 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a783e714-e8b3-4995-b406-7b3c3483c5fc} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a783e714-e8b3-4995-b406-7b3c3483c5fc} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\vvofhh.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\oehutauk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:20, on 9/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\hijack this\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {0C078F37-430F-43F3-A783-E92CF88F9EB2} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {32807257-6460-4FD0-9D0F-36C31B426667} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {86FC8C7A-730F-4C33-B425-B7B9D76D2A2A} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9239EFC9-8CB0-424A-A6E4-0B1DAEC37D5B} - (no file)
O2 - BHO: (no name) - {941EEAB1-20F8-4E26-99D2-9998EB8B40BC} - (no file)
O2 - BHO: (no name) - {ACBE48C7-CB45-4F5A-AB1B-1273EB9CD5C0} - (no file)
O2 - BHO: (no name) - {B1677B07-1132-46DC-A321-492E8BC5D27A} - (no file)
O2 - BHO: (no name) - {DA5D2D3C-21DE-4144-A4C2-40FAF61DFC89} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: pejqrk.dll kaflil.dll bdnppb.dll kqhgly.dll venimr.dll qyyegt.dll vvofhh.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10330 bytes


Thanks again for all the help.

#9 pyrosian

pyrosian
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:04:15 AM

Posted 28 September 2008 - 09:53 PM

By the way, as per your last post I opened HijackThis and did a scan; unfortunately the file you wanted me to remove was not there. I assumed maybe Norton or one of the other programs you had me run removed it before I got to the HijackThis stage. What should I do here?

#10 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:15 PM

Posted 29 September 2008 - 11:40 AM

Hello pyrosian,

it before i got to the hijack this stage. what should i do here?

I will need to see new logs in your next reply, so please work your way through these instructions first; then, after running ComboFix, please make sure you rescan and post a new HijackThis log along with the latest ComboFix results. :thumbsup:

Please go to Start > Run and type in Notepad and copy and paste the following text inside of this Quote box below into Notepad.

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Click : File | Save As
Change the Save as type to All Files
Save it to your desktop as fix.reg

Now Double Click on the Fix.reg icon
When asked if you want to merge with the registry, click YES.
Wait for the merged successfully prompt.



Please now copy and paste the following text inside the Quote box into a new notepad - don't use any other text editor

KillAll::
File::
C:\WINDOWS\system32\oofqdoee.dll
C:\WINDOWS\system32\vehdpugl.ini
C:\WINDOWS\system32\bilqaeuy.dll
C:\WINDOWS\system32\nbtamyvd.dll
C:\WINDOWS\system32\ghpcoygr.dll
C:\WINDOWS\system32\scpcvctx.dll
C:\WINDOWS\system32\aecwhige.dll
C:\WINDOWS\system32\ihibqtdk.ini
C:\WINDOWS\system32\rheyrotg.dll
C:\WINDOWS\system32\mnueghtt.dll
C:\WINDOWS\system32\xdbuhjjk.dll
C:\WINDOWS\system32\flirjcik.ini
C:\WINDOWS\system32\xrdenmjp.dll
C:\WINDOWS\system32\gnrjefxo.dll
C:\WINDOWS\system32\gjcvbhjh.dll
C:\sqmdata09.sqm
C:\sqmnoopt09.sqm
C:\WINDOWS\system32\vhyscgmt.dll
C:\sqmdata08.sqm
C:\sqmnoopt08.sqm
C:\WINDOWS\system32\kvnpwxcm.ini
C:\WINDOWS\system32\wogaaxdx.dll
C:\sqmdata07.sqm
C:\sqmnoopt07.sqm
C:\WINDOWS\system32\nesarjbw.ini
C:\WINDOWS\system32\pxebvgxc.dll
C:\sqmdata06.sqm
C:\sqmnoopt06.sqm
C:\WINDOWS\system32\wxdkqxtt.dll
C:\WINDOWS\system32\npcdquob.ini
C:\WINDOWS\system32\djjgqjxf.dll
C:\WINDOWS\system32\rqtpbbuv.ini
C:\WINDOWS\system32\vcnnyksh.dll
C:\sqmdata05.sqm
C:\sqmnoopt05.sqm
C:\WINDOWS\system32\bnsfvfbj.dll
C:\WINDOWS\system32\ofcoxmtg.ini
C:\WINDOWS\system32\uebdheen.dll
C:\WINDOWS\system32\iictqmhc.ini
C:\WINDOWS\system32\dbraixha.dll
C:\WINDOWS\system32\mibuscbv.ini
C:\ombos.exe
C:\sqmdata04.sqm
C:\sqmnoopt04.sqm


Name the file CFScript.txt and Save it to your Desktop

Posted Image
Referring to the picture above, drag CFScript.txt into ComboFix.exe

Please run ComboFix again and post the resultant log along with a new HijackThis log.

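An added example, not part of this thread and not ourwilly's, HijackThis's or ComboFix's own code: a small Python triage script that does in code what the helper does by hand in the post above. It pulls the DLL names off the HijackThis O20 AppInit_DLLs line, parses ComboFix's "Files Created" lines, flags randomly named DLLs dropped straight into system32, groups the flagged files by byte size, and emits the File:: block that goes into CFScript.txt. The sample lines are copied from the logs posted in this thread; the name pattern and the same-day created/modified heuristic are my assumptions for spotting this family's drops, not rules from either tool.

```python
import re
from collections import Counter

# Constructed sample input: lines copied from the HijackThis (O20) and
# ComboFix ("Files Created") logs posted in this thread.
HJT_LOG = """\
O20 - AppInit_DLLs: pejqrk.dll kaflil.dll bdnppb.dll kqhgly.dll venimr.dll qyyegt.dll vvofhh.dll
O23 - Service: LVCOMSer - Logitech Inc. - C:\\Program Files\\Common Files\\LogiShrd\\LVCOMSER\\LVComSer.exe
"""

COMBOFIX_CREATED = """\
2008-09-26 22:17 . 2008-09-26 22:18 50,183 --a------ C:\\WINDOWS\\system32\\oofqdoee.dll
2008-09-25 21:50 . 2008-09-10 00:04 38,528 --a------ C:\\WINDOWS\\system32\\drivers\\mbamswissarmy.sys
2008-09-24 15:42 . 2008-09-24 15:42 50,183 --a------ C:\\WINDOWS\\system32\\ghpcoygr.dll
2008-09-23 15:39 . 2008-09-23 15:39 50,183 --a------ C:\\WINDOWS\\system32\\aecwhige.dll
2008-09-22 21:14 . 2008-09-22 21:14 3,270 --a------ C:\\WINDOWS\\system32\\tmp.reg
2008-09-21 16:31 . 2007-09-24 23:31 69,632 --a------ C:\\WINDOWS\\system32\\javacpl.cpl
2008-09-15 10:24 . 2008-09-15 10:24 50,240 --a------ C:\\WINDOWS\\system32\\wxdkqxtt.dll
"""

# One ComboFix "Files Created" line: created-stamp . modified-stamp size attrs path
CREATED_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$"
)
# Assumed pattern for a machine-generated file name (6-8 lowercase letters)
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,8}\.(?:dll|ini)$")


def appinit_dlls(hjt_log):
    """Return every DLL listed on HijackThis O20 AppInit_DLLs lines.

    AppInit_DLLs is empty on a clean XP machine, so any entry deserves a look:
    each listed DLL is loaded into every process that links user32.dll, which
    is why the fix above blanks the value rather than editing it.
    """
    found = []
    for line in hjt_log.splitlines():
        if line.startswith("O20 - AppInit_DLLs:"):
            found.extend(line.split(":", 1)[1].split())
    return found


def parse_created(combofix_text):
    """Parse ComboFix 'Files Created' lines into dicts; directory lines are skipped."""
    entries = []
    for line in combofix_text.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m or m.group(3) == "<DIR>":
            continue
        created, modified, size, _attrs, path = m.groups()
        entries.append({
            "created": created,
            "modified": modified,
            "size": int(size.replace(",", "")),
            "path": path,
        })
    return entries


def suspicious_dlls(entries):
    """Flag files that look like the drops seen in this thread (assumed heuristic):
    a random lowercase name directly under system32, with a modified stamp on the
    same day it was created (a fresh write, not an old file copied in by an installer)."""
    flagged = []
    for e in entries:
        folder, _, name = e["path"].rpartition("\\")
        if folder.lower() != r"c:\windows\system32":
            continue
        if not RANDOM_NAME_RE.match(name):
            continue
        if e["created"][:10] != e["modified"][:10]:
            continue
        flagged.append(e)
    return flagged


def size_clusters(entries):
    """Count flagged files per byte size: identical sizes on successive days point
    at one dropper re-writing the same payload under a new name each day."""
    return Counter(e["size"] for e in entries)


def cfscript(paths):
    """Build the File:: block used in ComboFix's CFScript.txt, as in the post above."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    print("AppInit_DLLs entries:", appinit_dlls(HJT_LOG))
    entries = parse_created(COMBOFIX_CREATED)
    flagged = suspicious_dlls(entries)
    for e in flagged:
        print(f"{e['created']}  {e['size']:>7}  {e['path']}")
    print("size clusters:", dict(size_clusters(flagged)))
    print(cfscript([e["path"] for e in flagged]))
```

On the sample above the script flags the four random-named DLLs (three of them exactly 50,183 bytes, one day apart) and skips the legitimate Malwarebytes driver, tmp.reg and javacpl.cpl; the 50,183-byte cluster is the same pattern a reader can see running down the "Files Created" list in the next ComboFix log, and it is the reason the helper's File:: list keeps growing by one DLL per day until the AppInit_DLLs loader is cleared.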
#11 pyrosian

pyrosian
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:04:15 AM

Posted 29 September 2008 - 10:36 PM

Dude, once I dragged the cfscript.txt into the ComboFix shortcut it asked if I wanted to run the program. I said yes, but it just closed. I have tried to run it normally or by re-dropping the cfscript into it, but it keeps doing the same: it just asks me if I want to run it, then it closes. Hmm, what next? The other Notepad file worked fine, merged with the registry etc.

#12 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:15 PM

Posted 30 September 2008 - 11:09 AM

Hello pyrosian,

Can you please delete ComboFix and download a new copy from HERE

Then rescan with both ComboFix and HijackThis and post the two logs in your next reply. :thumbsup:

#13 pyrosian

pyrosian
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:04:15 AM

Posted 01 October 2008 - 02:06 AM

Hoping these logs are right. How is it all looking? Any diagnosis on whether we will be successful in cleaning this system?
Thanks again for the help so far.

pyrosian



ComboFix 08-09-30.03 - Rich and Mel 2008-10-01 16:54:48.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.450 [GMT 10:00]
Running from: C:\Documents and Settings\Rich and Mel\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\RECYCLER\desktopA.sys
C:\WINDOWS\system32\bilqaeuy.dll
C:\WINDOWS\system32\dbraixha.dll
C:\WINDOWS\system32\djjgqjxf.dll
C:\WINDOWS\system32\flirjcik.ini
C:\WINDOWS\system32\ihibqtdk.ini
C:\WINDOWS\system32\iictqmhc.ini
C:\WINDOWS\system32\kvnpwxcm.ini
C:\WINDOWS\system32\mibuscbv.ini
C:\WINDOWS\system32\mnueghtt.dll
C:\WINDOWS\system32\nbtamyvd.dll
C:\WINDOWS\system32\nesarjbw.ini
C:\WINDOWS\system32\npcdquob.ini
C:\WINDOWS\system32\ofcoxmtg.ini
C:\WINDOWS\system32\rqtpbbuv.ini
C:\WINDOWS\system32\uebdheen.dll
C:\WINDOWS\system32\vcnnyksh.dll
C:\WINDOWS\system32\vehdpugl.ini
C:\WINDOWS\system32\xrdenmjp.dll

.
((((((((((((((((((((((((( Files Created from 2008-09-01 to 2008-10-01 )))))))))))))))))))))))))))))))
.

2008-09-26 22:17 . 2008-09-26 22:18 50,183 --a------ C:\WINDOWS\system32\oofqdoee.dll
2008-09-25 21:51 . 2008-09-25 21:51 <DIR> d-------- C:\Documents and Settings\Rich and Mel\Application Data\Malwarebytes
2008-09-25 21:50 . 2008-09-25 21:54 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-25 21:50 . 2008-09-25 21:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-25 21:50 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-25 21:50 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-24 17:11 . 2008-09-24 17:11 <DIR> d-------- C:\Program Files\New Folder (2)
2008-09-24 17:11 . 2008-09-24 17:11 <DIR> d-------- C:\Program Files\New Folder
2008-09-24 17:11 . 2008-09-28 20:57 <DIR> d-------- C:\Program Files\hijack this
2008-09-24 15:42 . 2008-09-24 15:42 50,183 --a------ C:\WINDOWS\system32\ghpcoygr.dll
2008-09-23 15:39 . 2008-09-23 15:39 50,183 --a------ C:\WINDOWS\system32\aecwhige.dll
2008-09-22 21:14 . 2008-09-22 21:14 3,270 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-22 15:38 . 2008-09-22 15:38 50,183 --a------ C:\WINDOWS\system32\rheyrotg.dll
2008-09-21 16:49 . 2008-09-23 20:38 <DIR> d-------- C:\Documents and Settings\Rich and Mel\Graphisoft
2008-09-21 16:49 . 2008-09-21 20:21 <DIR> d-------- C:\Documents and Settings\Rich and Mel\Application Data\Graphisoft
2008-09-21 16:48 . 2008-09-21 16:48 <DIR> d-------- C:\Program Files\WIBUKEY
2008-09-21 16:48 . 2008-09-21 16:48 <DIR> d-------- C:\Program Files\WIBU-SYSTEMS
2008-09-21 16:47 . 2008-09-21 16:48 <DIR> d-------- C:\Program Files\QuickTime
2008-09-21 16:47 . 2008-09-21 16:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-09-21 16:46 . 2008-09-21 16:46 <DIR> d-------- C:\Program Files\Apple Software Update
2008-09-21 16:46 . 2008-09-21 16:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-09-21 16:46 . 2008-09-21 16:46 8,122 --a------ C:\WINDOWS\vpd.properties
2008-09-21 16:43 . 2008-09-21 16:43 <DIR> d-------- C:\Program Files\Graphisoft
2008-09-21 16:31 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-21 15:42 . 2008-09-21 15:42 50,183 --a------ C:\WINDOWS\system32\xdbuhjjk.dll
2008-09-20 15:36 . 2008-09-20 15:36 50,183 --a------ C:\WINDOWS\system32\gnrjefxo.dll
2008-09-19 15:33 . 2008-09-19 15:33 50,183 --a------ C:\WINDOWS\system32\gjcvbhjh.dll
2008-09-19 13:59 . 2008-09-19 13:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-09-19 13:48 . 2008-09-19 13:48 <DIR> d-------- C:\Program Files\Yahoo!
2008-09-19 12:15 . 2008-09-19 12:15 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-18 21:54 . 2008-09-18 21:54 268 --ah----- C:\sqmdata09.sqm
2008-09-18 21:54 . 2008-09-18 21:54 244 --ah----- C:\sqmnoopt09.sqm
2008-09-18 18:35 . 2008-09-18 18:35 50,183 --a------ C:\WINDOWS\system32\vhyscgmt.dll
2008-09-17 22:48 . 2008-09-17 22:48 268 --ah----- C:\sqmdata08.sqm
2008-09-17 22:48 . 2008-09-17 22:48 244 --ah----- C:\sqmnoopt08.sqm
2008-09-17 21:32 . 2008-09-21 08:52 381 --a------ C:\WINDOWS\wininit.ini
2008-09-17 21:11 . 2008-09-18 18:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-17 21:11 . 2008-09-19 08:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-17 16:40 . 2008-09-17 16:40 <DIR> d-------- C:\Program Files\Opera
2008-09-17 15:30 . 2008-09-17 15:30 50,183 --a------ C:\WINDOWS\system32\wogaaxdx.dll
2008-09-16 22:10 . 2008-09-16 22:10 268 --ah----- C:\sqmdata07.sqm
2008-09-16 22:10 . 2008-09-16 22:10 244 --ah----- C:\sqmnoopt07.sqm
2008-09-16 10:18 . 2008-09-16 10:18 50,183 --a------ C:\WINDOWS\system32\pxebvgxc.dll
2008-09-15 13:34 . 2008-09-15 13:34 268 --ah----- C:\sqmdata06.sqm
2008-09-15 13:34 . 2008-09-15 13:34 244 --ah----- C:\sqmnoopt06.sqm
2008-09-15 10:24 . 2008-09-15 10:24 50,240 --a------ C:\WINDOWS\system32\wxdkqxtt.dll
2008-09-14 22:54 . 2008-09-14 22:54 268 --ah----- C:\sqmdata05.sqm
2008-09-14 22:54 . 2008-09-14 22:54 244 --ah----- C:\sqmnoopt05.sqm
2008-09-14 09:51 . 2008-09-14 09:51 50,183 --a------ C:\WINDOWS\system32\bnsfvfbj.dll
2008-09-13 12:16 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-09-13 12:15 . 2008-09-13 12:15 <DIR> d-------- C:\Program Files\Panda Security
2008-09-13 11:52 . 2005-02-16 11:06 218,112 --a------ C:\Program Files\MyHijackThis.exe
2008-09-13 11:36 . 2008-09-13 11:36 <DIR> d-------- C:\VundoFix Backups
2008-09-12 20:17 . 2008-09-12 20:17 4,096 --a------ C:\ombos.exe
2008-09-11 18:59 . 2008-09-11 19:05 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-09-08 19:03 . 2008-09-08 19:03 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-09-08 19:03 . 2008-09-08 19:03 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-09-08 19:02 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-09-07 10:04 . 2008-10-01 14:27 <DIR> d-------- C:\Program Files\Household
2008-09-07 10:04 . 2003-05-28 01:11 110,592 --a------ C:\WINDOWS\system32\tsccvid.dll
2008-09-07 09:30 . 2008-09-07 09:30 <DIR> d-------- C:\Owl
2008-09-07 09:30 . 2008-09-07 09:30 65,536 --a------ C:\WINDOWS\IFinst27.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-01 06:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-01 06:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-10-01 06:48 --------- d-----w C:\Documents and Settings\Rich and Mel\Application Data\DNA
2008-09-28 10:58 --------- d-----w C:\Documents and Settings\Rich and Mel\Application Data\BitTorrent
2008-09-24 06:54 10,448 ----a-w C:\Program Files\hijackthis.log
2008-09-21 06:57 --------- d-----w C:\Documents and Settings\Rich and Mel\Application Data\AdobeUM
2008-09-21 06:31 --------- d-----w C:\Program Files\Java
2008-09-19 09:39 --------- d-----w C:\Program Files\DNA
2008-09-14 11:15 --------- d-----w C:\Program Files\SmartDraw 2008
2008-09-13 09:09 --------- d-----w C:\Program Files\EphPod
2008-09-13 01:59 --------- d-----w C:\Program Files\GameHouse
2008-09-10 12:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-08 09:03 --------- d-----w C:\Program Files\MSBuild
2008-09-03 05:44 --------- d-----w C:\Program Files\yWriter4
2008-08-24 05:22 --------- d-----w C:\Documents and Settings\Rich and Mel\Application Data\SmartDraw
2008-08-18 09:23 --------- d-----w C:\Program Files\7-Zip
2008-08-18 09:15 --------- d-----w C:\Program Files\BitZipper
2008-08-18 09:15 --------- d-----w C:\Documents and Settings\Rich and Mel\Application Data\BitZipper
2008-08-09 02:32 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-07 00:34 --------- d-----w C:\Documents and Settings\Rich and Mel\Application Data\dvdcss
2008-08-02 08:17 --------- d-----w C:\Program Files\Common Files\logishrd
2008-08-02 08:15 --------- d-----w C:\Program Files\Logitech
2008-08-02 08:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-08-02 05:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-02 05:11 --------- d-----w C:\Program Files\Belkin
2008-08-01 00:32 --------- d-----w C:\Program Files\Common Files\Java
2008-07-18 12:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 12:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 12:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 12:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 12:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 12:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 12:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 12:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 12:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 12:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-13 10:33 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-07-13 10:06 16,376 ----a-w C:\WINDOWS\gdrv.sys
2008-07-13 07:02 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-01 10:00 57,552 ----a-w C:\WINDOWS\system32\WkDos.exe
2008-07-01 10:00 516,096 ----a-w C:\WINDOWS\system32\WibuXpm4J32.dll
2008-07-01 10:00 479,232 ----a-w C:\WINDOWS\system32\wibuKJni.dll
2008-07-01 10:00 348,160 ----a-w C:\WINDOWS\system32\WkExt32.dll
2008-07-01 10:00 159,744 ----a-w C:\WINDOWS\system32\WkWin32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-09-19 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-09-05 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-09-05 166424]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-09-05 137752]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 771704]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 286720]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 C:\WINDOWS\RTHDCPL.exe]
"bcmwltry"="bcmwltry.exe" [2003-07-25 C:\WINDOWS\system32\bcmwltry.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Documents and Settings\\Rich and Mel\\My Documents\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]
S2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys [ ]
S3 Diag69xp;Diag69xp;C:\WINDOWS\system32\Drivers\Diag69xp.sys [ ]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com.au/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-01 16:56:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-01 16:57:44
ComboFix-quarantined-files.txt 2008-10-01 06:57:41
ComboFix2.txt 2008-09-28 01:13:42

Pre-Run: 21,709,266,944 bytes free
Post-Run: 21,743,857,664 bytes free

228 --- E O F --- 2008-09-10 12:58:21



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:02:22, on 10/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\hijack this\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9307 bytes

#14 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:15 PM

Posted 01 October 2008 - 10:53 AM

Hello pyrosian,

Thank you for posting both logs; there are still a few files left to clean, so please let me know how you get on with these instructions.

Please open Notepad; I would like you to now copy and paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\system32\oofqdoee.dll
C:\WINDOWS\system32\ghpcoygr.dll
C:\WINDOWS\system32\aecwhige.dll
C:\WINDOWS\system32\rheyrotg.dll
C:\WINDOWS\system32\xdbuhjjk.dll
C:\WINDOWS\system32\gnrjefxo.dll
C:\WINDOWS\system32\gjcvbhjh.dll
C:\sqmdata09.sqm
C:\sqmnoopt09.sqm
C:\WINDOWS\system32\vhyscgmt.dll
C:\sqmdata08.sqm
C:\sqmnoopt08.sqm
C:\WINDOWS\system32\wogaaxdx.dll
C:\sqmdata07.sqm
C:\sqmnoopt07.sqm
C:\WINDOWS\system32\pxebvgxc.dll
C:\sqmdata06.sqm
C:\sqmnoopt06.sqm
C:\WINDOWS\system32\wxdkqxtt.dll
C:\sqmdata05.sqm
C:\sqmnoopt05.sqm
C:\WINDOWS\system32\bnsfvfbj.dll
C:\ombos.exe



Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a new log for you at C:\ComboFix.txt, please post this new log back to me.

#15 pyrosian

pyrosian
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:04:15 AM

Posted 01 October 2008 - 03:51 PM

ComboFix 08-09-30.03 - Rich and Mel 2008-10-02 6:47:16.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.504 [GMT 10:00]
Running from: C:\Documents and Settings\Rich and Mel\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rich and Mel\Desktop\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\ombos.exe
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\WINDOWS\system32\aecwhige.dll
C:\WINDOWS\system32\bnsfvfbj.dll
C:\WINDOWS\system32\ghpcoygr.dll
C:\WINDOWS\system32\gjcvbhjh.dll
C:\WINDOWS\system32\gnrjefxo.dll
C:\WINDOWS\system32\oofqdoee.dll
C:\WINDOWS\system32\pxebvgxc.dll
C:\WINDOWS\system32\rheyrotg.dll
C:\WINDOWS\system32\vhyscgmt.dll
C:\WINDOWS\system32\wogaaxdx.dll
C:\WINDOWS\system32\wxdkqxtt.dll
C:\WINDOWS\system32\xdbuhjjk.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Rich and Mel\Cookies\rich_and_mel@cubics[1].txt
C:\ombos.exe
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\WINDOWS\system32\aecwhige.dll
C:\WINDOWS\system32\bnsfvfbj.dll
C:\WINDOWS\system32\ghpcoygr.dll
C:\WINDOWS\system32\gjcvbhjh.dll
C:\WINDOWS\system32\gnrjefxo.dll
C:\WINDOWS\system32\oofqdoee.dll
C:\WINDOWS\system32\pxebvgxc.dll
C:\WINDOWS\system32\rheyrotg.dll
C:\WINDOWS\system32\vhyscgmt.dll
C:\WINDOWS\system32\wogaaxdx.dll
C:\WINDOWS\system32\wxdkqxtt.dll
C:\WINDOWS\system32\xdbuhjjk.dll

.
((((((((((((((((((((((((( Files Created from 2008-09-01 to 2008-10-01 )))))))))))))))))))))))))))))))
.

2008-10-01 17:39 . 2008-10-01 17:39 <DIR> d-------- C:\RECYCLED
2008-09-25 21:51 . 2008-09-25 21:51 <DIR> d-------- C:\Documents and Settings\Rich and Mel\Application Data\Malwarebytes
2008-09-25 21:50 . 2008-09-25 21:54 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-25 21:50 . 2008-09-25 21:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-25 21:50 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-25 21:50 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-24 17:11 . 2008-09-24 17:11 <DIR> d-------- C:\Program Files\New Folder (2)
2008-09-24 17:11 . 2008-09-24 17:11 <DIR> d-------- C:\Program Files\New Folder
2008-09-24 17:11 . 2008-10-01 17:02 <DIR> d-------- C:\Program Files\hijack this
2008-09-22 21:14 . 2008-09-22 21:14 3,270 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-21 16:49 . 2008-09-23 20:38 <DIR> d-------- C:\Documents and Settings\Rich and Mel\Graphisoft
2008-09-21 16:49 . 2008-09-21 20:21 <DIR> d-------- C:\Documents and Settings\Rich and Mel\Application Data\Graphisoft
2008-09-21 16:48 . 2008-09-21 16:48 <DIR> d-------- C:\Program Files\WIBUKEY
2008-09-21 16:48 . 2008-09-21 16:48 <DIR> d-------- C:\Program Files\WIBU-SYSTEMS
2008-09-21 16:47 . 2008-09-21 16:48 <DIR> d-------- C:\Program Files\QuickTime
2008-09-21 16:47 . 2008-09-21 16:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-09-21 16:46 . 2008-09-21 16:46 <DIR> d-------- C:\Program Files\Apple Software Update
2008-09-21 16:46 . 2008-09-21 16:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-09-21 16:46 . 2008-09-21 16:46 8,122 --a------ C:\WINDOWS\vpd.properties
2008-09-21 16:43 . 2008-09-21 16:43 <DIR> d-------- C:\Program Files\Graphisoft
2008-09-21 16:31 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-19 13:59 . 2008-09-19 13:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-09-19 13:48 . 2008-09-19 13:48 <DIR> d-------- C:\Program Files\Yahoo!
2008-09-19 12:15 . 2008-09-19 12:15 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-17 21:32 . 2008-09-21 08:52 381 --a------ C:\WINDOWS\wininit.ini
2008-09-17 21:11 . 2008-09-18 18:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-17 21:11 . 2008-09-19 08:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-17 16:40 . 2008-09-17 16:40 <DIR> d-------- C:\Program Files\Opera
2008-09-13 12:16 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-09-13 12:15 . 2008-09-13 12:15 <DIR> d-------- C:\Program Files\Panda Security
2008-09-13 11:52 . 2005-02-16 11:06 218,112 --a------ C:\Program Files\MyHijackThis.exe
2008-09-13 11:36 . 2008-09-13 11:36 <DIR> d-------- C:\VundoFix Backups
2008-09-11 18:59 . 2008-09-11 19:05 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-09-08 19:03 . 2008-09-08 19:03 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-09-08 19:03 . 2008-09-08 19:03 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-09-08 19:02 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-09-07 10:04 . 2008-10-01 17:39 <DIR> d-------- C:\Program Files\Household
2008-09-07 10:04 . 2003-05-28 01:11 110,592 --a------ C:\WINDOWS\system32\tsccvid.dll
2008-09-07 09:30 . 2008-09-07 09:30 <DIR> d-------- C:\Owl
2008-09-07 09:30 . 2008-09-07 09:30 65,536 --a------ C:\WINDOWS\IFinst27.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-01 20:43 --------- d-----w C:\Documents and Settings\Rich and Mel\Application Data\DNA
2008-10-01 20:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-10-01 20:39 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-01 07:11 --------- d-----w C:\Program Files\Java
2008-09-28 10:58 --------- d-----w C:\Documents and Settings\Rich and Mel\Application Data\BitTorrent
2008-09-24 06:54 10,448 ----a-w C:\Program Files\hijackthis.log
2008-09-21 06:57 --------- d-----w C:\Documents and Settings\Rich and Mel\Application Data\AdobeUM
2008-09-19 09:39 --------- d-----w C:\Program Files\DNA
2008-09-14 11:15 --------- d-----w C:\Program Files\SmartDraw 2008
2008-09-13 09:09 --------- d-----w C:\Program Files\EphPod
2008-09-13 01:59 --------- d-----w C:\Program Files\GameHouse
2008-09-10 12:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-08 09:03 --------- d-----w C:\Program Files\MSBuild
2008-09-03 05:44 --------- d-----w C:\Program Files\yWriter4
2008-08-24 05:22 --------- d-----w C:\Documents and Settings\Rich and Mel\Application Data\SmartDraw
2008-08-18 09:23 --------- d-----w C:\Program Files\7-Zip
2008-08-18 09:15 --------- d-----w C:\Program Files\BitZipper
2008-08-18 09:15 --------- d-----w C:\Documents and Settings\Rich and Mel\Application Data\BitZipper
2008-08-09 02:32 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-07 00:34 --------- d-----w C:\Documents and Settings\Rich and Mel\Application Data\dvdcss
2008-08-02 08:17 --------- d-----w C:\Program Files\Common Files\logishrd
2008-08-02 08:15 --------- d-----w C:\Program Files\Logitech
2008-08-02 08:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-08-02 05:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-02 05:11 --------- d-----w C:\Program Files\Belkin
2008-08-01 00:32 --------- d-----w C:\Program Files\Common Files\Java
2008-07-18 12:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 12:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 12:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 12:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 12:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 12:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 12:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 12:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 12:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 12:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-13 10:33 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-07-13 10:06 16,376 ----a-w C:\WINDOWS\gdrv.sys
2008-07-13 07:02 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-01 10:00 57,552 ----a-w C:\WINDOWS\system32\WkDos.exe
2008-07-01 10:00 516,096 ----a-w C:\WINDOWS\system32\WibuXpm4J32.dll
2008-07-01 10:00 479,232 ----a-w C:\WINDOWS\system32\wibuKJni.dll
2008-07-01 10:00 348,160 ----a-w C:\WINDOWS\system32\WkExt32.dll
2008-07-01 10:00 159,744 ----a-w C:\WINDOWS\system32\WkWin32.dll
.

((((((((((((((((((((((((((((( snapshot@2008-09-28_11.13.05.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-24 12:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-09 15:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-09-24 12:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-09 15:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-09-24 13:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-09 16:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-09-19 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-09-05 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-09-05 166424]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-09-05 137752]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 771704]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 286720]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 C:\WINDOWS\RTHDCPL.exe]
"bcmwltry"="bcmwltry.exe" [2003-07-25 C:\WINDOWS\system32\bcmwltry.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Documents and Settings\\Rich and Mel\\My Documents\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]
S2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys [ ]
S3 Diag69xp;Diag69xp;C:\WINDOWS\system32\Drivers\Diag69xp.sys [ ]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-02 06:48:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-02 6:49:45
ComboFix-quarantined-files.txt 2008-10-01 20:49:41
ComboFix2.txt 2008-10-01 06:57:45
ComboFix3.txt 2008-09-28 01:13:42

Pre-Run: 21,594,189,824 bytes free
Post-Run: 21,605,023,744 bytes free

240 --- E O F --- 2008-09-10 12:58:21