Virtumonde Virus


mendeye (Solid State Member, 15 messages, Australia)
Virtumonde Virus - HJT + Combofix Log

Hi, I'm new here. I've had this virus for about a week now, and I'm quite over it.

I tried a few anti-viruses, and none have seemed to detect it (I'm sticking to Avast).

I've done an HJT and a ComboFix run, and here are their logs.
I think I've almost gotten rid of the virus, just need to get the files that have been left behind! =]

-Dean

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:15 PM, on 25/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dean\Desktop\New Folder\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E09D32C-E5E6-4184-B177-784CEE1E09C4} - C:\WINDOWS\system32\wvUmnOGa.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {F4BD979C-82DD-4825-9953-571B6F82E365} - C:\WINDOWS\system32\byXNFUlm.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1209450513274
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1209451186390
O17 - HKLM\System\CCS\Services\Tcpip\..\{4FD7AA10-4666-40BD-870A-68F90538EF9A}: NameServer = 192.231.203.193,192.231.203.3
O20 - Winlogon Notify: wvUmnOGa - C:\WINDOWS\SYSTEM32\wvUmnOGa.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 8599 bytes
 
ComboFix 08-05-24.1 - Dean 2008-05-25 20:51:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1514 [GMT 10:00]
Running from: C:\Documents and Settings\Dean\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMafb4df74.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\awddtkvd.ini
C:\WINDOWS\system32\BceNnUvw.ini
C:\WINDOWS\system32\BceNnUvw.ini2
C:\WINDOWS\system32\fyxfdlcm.dll
C:\WINDOWS\system32\iequtnao.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlUFNXyb.ini
C:\WINDOWS\system32\mlUFNXyb.ini2
C:\WINDOWS\system32\njlpydtn.ini
C:\WINDOWS\system32\sBdLRqru.ini
C:\WINDOWS\system32\sBdLRqru.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.

C:\ComboFix\CreateC00.bat .
2008-05-25 19:10 . 2008-05-25 19:10 58,880 --a------ C:\WINDOWS\system32\ddcYoOFU.dll
2008-05-25 19:08 . 2008-05-25 19:08 58,880 --a------ C:\WINDOWS\system32\wvUmnOGa.dll
2008-05-25 17:02 . 2008-05-25 17:19 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-25 17:02 . 2008-05-25 17:02 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\PC Tools
2008-05-25 17:02 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-25 17:02 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-25 17:02 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-25 17:02 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-25 16:25 . 2008-05-25 16:25 58,880 --a------ C:\WINDOWS\system32\iiffCVmn.dll
2008-05-25 16:12 . 2008-05-25 16:12 58,880 --a------ C:\WINDOWS\system32\jkkJbxVn.dll
2008-05-25 12:33 . 2008-05-25 15:56 <DIR> d-------- C:\VundoFix Backups
2008-05-25 11:56 . 2008-05-25 11:56 <DIR> d-------- C:\Program Files\CCleaner
2008-05-25 10:22 . 2008-05-25 10:34 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-05-24 20:41 . 2008-05-25 15:57 <DIR> d-------- C:\Program Files\BitDefender
2008-05-24 20:38 . 2008-05-25 16:07 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-05-24 16:41 . 2008-05-24 16:41 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-20 16:57 . 2008-05-20 16:57 <DIR> d-------- C:\Program Files\AVG
2008-05-20 16:57 . 2008-05-24 16:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-20 16:37 . 2008-05-20 16:37 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-20 11:43 . 2008-05-20 11:43 <DIR> d-------- C:\Program Files\Panda Security
2008-05-19 13:31 . 2008-05-20 09:44 <DIR> d-------- C:\Program Files\Common Files\LogiShrd
2008-05-19 13:31 . 2008-05-20 09:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2008-05-19 13:30 . 2008-05-19 13:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-05-18 22:07 . 2008-05-19 13:48 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-05-18 22:07 . 2008-05-20 09:46 1,280 --a------ C:\WINDOWS\_delis32.ini
2008-05-18 22:06 . 2008-05-20 09:48 <DIR> d-------- C:\Program Files\Logitech
2008-05-18 03:01 . 2008-05-18 03:01 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-17 13:37 . 2008-05-20 10:08 <DIR> d-------- C:\Program Files\Notepad++
2008-05-17 13:37 . 2008-05-20 10:08 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\Notepad++
2008-05-17 09:57 . 2008-05-18 12:15 269 --a------ C:\WINDOWS\wininit.ini
2008-05-17 09:00 . 2008-05-17 08:57 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-17 09:00 . 2008-05-17 09:00 2,543 --a------ C:\WINDOWS\unins000.dat
2008-05-17 08:51 . 2008-05-25 11:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-12 21:00 . 2008-05-12 21:00 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-05-12 20:59 . 2008-05-12 20:59 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-12 20:59 . 2008-05-12 21:00 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-05-10 14:51 . 2008-05-10 14:51 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-10 14:51 . 2008-05-10 14:51 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-10 14:51 . 2008-05-10 14:51 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-10 14:42 . 2007-10-26 13:36 8,454,656 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-05-10 13:40 . 2004-08-04 17:56 96,768 --a------ C:\WINDOWS\system32\dllcache\dpcdll.dll
2008-05-10 13:40 . 2004-08-04 17:56 24,064 --a------ C:\WINDOWS\system32\dllcache\pidgen.dll
2008-05-10 13:40 . 2006-12-29 05:01 19,569 --a------ C:\WINDOWS\005799_.tmp
2008-05-06 20:34 . 2008-05-06 20:34 <DIR> d-------- C:\Documents and Settings\Dean\.netbeans-derby
2008-05-06 20:34 . 2008-05-06 20:34 <DIR> d-------- C:\Documents and Settings\Dean\.netbeans
2008-05-06 20:32 . 2008-05-06 20:32 <DIR> d-------- C:\Documents and Settings\Dean\.netbeans-registration
2008-05-06 20:26 . 2008-05-06 20:26 <DIR> d-------- C:\Program Files\Sun
2008-05-06 19:58 . 2008-05-06 20:03 <DIR> d-------- C:\Documents and Settings\Dean\.SunDownloadManager
2008-05-06 19:48 . 2008-05-25 12:31 <DIR> d-------- C:\Documents and Settings\Dean\.nbi
2008-05-06 18:59 . 2008-05-06 18:59 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\Helios
2008-05-06 17:40 . 2008-05-13 20:59 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\dvdcss
2008-05-05 12:19 . 2008-05-05 12:19 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\vlc
2008-05-05 12:17 . 2008-05-05 12:17 <DIR> d-------- C:\Program Files\VideoLAN
2008-05-04 15:37 . 2008-05-04 16:09 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\SSH
2008-05-04 15:27 . 2008-05-04 15:27 <DIR> d-------- C:\Program Files\vso
2008-05-04 15:27 . 2008-05-16 12:03 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\Vso
2008-05-04 15:27 . 2008-05-04 15:27 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-02 10:34 . 2008-05-02 10:34 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\HP
2008-05-02 10:33 . 2008-05-02 10:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-05-02 10:31 . 2008-05-02 10:32 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-05-02 10:30 . 2008-05-02 10:32 <DIR> d-------- C:\Program Files\Common Files\HP
2008-05-02 10:29 . 2008-05-02 10:29 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-05-02 10:28 . 2008-05-02 10:28 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-05-02 10:28 . 2006-01-04 19:12 77,824 -ra------ C:\WINDOWS\system32\HPZIDS01.dll
2008-05-02 10:28 . 2006-04-13 10:04 49,664 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-05-02 10:28 . 2006-04-10 14:03 38,400 --a------ C:\WINDOWS\system32\hpz3l054.dll
2008-05-02 10:28 . 2006-04-13 10:04 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-05-02 10:27 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-05-02 10:27 . 2006-03-03 21:03 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-05-02 10:27 . 2006-03-03 21:02 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-05-02 10:27 . 2006-03-03 21:02 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-05-02 10:27 . 2006-03-03 21:03 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-05-02 10:27 . 2006-03-03 21:03 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-05-02 10:27 . 2006-03-03 21:02 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-05-02 10:26 . 2008-05-02 10:33 <DIR> d-------- C:\Program Files\HP
2008-05-02 10:24 . 2008-05-02 10:34 117,108 --a------ C:\WINDOWS\hpoins11.dat
2008-05-02 09:50 . 2008-05-02 09:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
2008-05-02 08:57 . 2008-05-02 08:57 38 --a------ C:\WINDOWS\avisplitter.INI
2008-04-30 22:12 . 2008-04-30 22:14 <DIR> d-------- C:\WINDOWS\NV36842032.TMP
2008-04-30 22:12 . 2007-12-10 14:24 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-04-30 22:11 . 2008-04-30 22:11 <DIR> d-------- C:\NVIDIA
2008-04-30 21:37 . 2008-04-30 21:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-04-30 17:57 . 2008-04-30 17:57 <DIR> d-------- C:\WINDOWS\Sun
2008-04-30 13:25 . 2008-04-30 13:25 584 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-04-30 13:25 . 2008-04-30 13:25 584 --a------ C:\WINDOWS\system32\settings.sfm
2008-04-30 13:24 . 2008-04-30 13:28 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\Creative
2008-04-30 13:22 . 2000-05-22 10:58 647,872 --a------ C:\WINDOWS\system32\Mscomct2.ocx
2008-04-30 13:22 . 1999-10-10 19:00 41,984 --------- C:\WINDOWS\Ctregrun.exe
2008-04-30 13:21 . 2008-04-30 13:21 183 --a------ C:\WINDOWS\setuplog
2008-04-30 13:20 . 1999-12-13 11:01 44,032 --a------ C:\WINDOWS\system32\CTSVCCDA.EXE
2008-04-30 13:20 . 1999-11-18 11:00 25,088 --a------ C:\WINDOWS\system32\CTSVCCTL.EXE
2008-04-30 13:18 . 2004-08-11 01:45 5,550,080 --a------ C:\WINDOWS\system32\setb0.tmp
2008-04-30 13:17 . 2008-04-30 13:17 <DIR> d-------- C:\WINDOWS\system32\Data
2008-04-30 13:17 . 2000-12-13 12:21 7,572,224 --a------ C:\WINDOWS\system32\CT8MGM.SF2
2008-04-30 13:17 . 2000-05-11 01:00 90,112 --------- C:\WINDOWS\Updreg.EXE
2008-04-30 13:15 . 2008-04-30 13:22 <DIR> d-------- C:\Program Files\Creative
2008-04-30 12:44 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-30 12:44 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-30 12:13 . 2008-04-30 12:13 <DIR> d-------- C:\Program Files\Microsoft Works
2008-04-30 12:11 . 2008-04-30 12:11 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-04-30 12:10 . 2008-04-30 12:10 <DIR> dr-h----- C:\MSOCache
2008-04-30 12:10 . 2008-05-14 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-30 09:51 . 2008-04-30 09:51 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-30 08:45 . 2008-04-30 08:45 <DIR> d-------- C:\WINDOWS\system32\Shell
2008-04-30 08:45 . 2007-04-21 08:51 7,307,264 --a------ C:\WINDOWS\system32\Inspirat2.msstyles
2008-04-30 00:34 . 2008-05-18 12:28 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-29 22:57 . 2008-04-29 23:08 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-29 22:57 . 2008-04-29 22:57 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\AdobeUM
2008-04-29 22:51 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-29 22:50 . 2008-05-06 20:26 <DIR> d-------- C:\Program Files\Java
2008-04-29 22:48 . 2008-04-29 22:48 <DIR> d-------- C:\WINDOWS\Cache
2008-04-29 22:47 . 2008-04-29 22:47 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-29 22:14 . 2008-04-29 22:14 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-04-29 21:49 . 2008-05-20 11:43 2,538 --a------ C:\WINDOWS\mozver.dat
2008-04-29 21:43 . 2008-05-18 18:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-04-29 21:40 . 2004-08-04 17:56 218,624 --a------ C:\WINDOWS\system32\uxtheme.backup
2008-04-29 21:13 . 2008-05-19 22:20 <DIR> d-------- C:\Program Files\Winamp
2008-04-29 21:13 . 2008-04-30 12:59 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\Winamp
2008-04-29 20:59 . 2008-04-29 20:59 <DIR> d-------- C:\WINDOWS\OPTIONS
2008-04-29 20:59 . 2008-04-29 20:59 <DIR> d-------- C:\Program Files\Realtek
2008-04-29 20:59 . 2008-04-30 13:22 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-29 20:59 . 2008-04-29 20:59 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\InstallShield
2008-04-29 20:58 . 2008-04-29 20:58 <DIR> d-------- C:\Program Files\DIFX
2008-04-29 20:58 . 2006-06-18 23:37 36,864 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 03:15 28,672 ----a-w C:\WINDOWS\system32\verclsid.exe
2008-05-24 03:14 757,760 ----a-w C:\WINDOWS\system32\nvcplui.exe
2008-05-23 13:53 5,632 ----a-w C:\WINDOWS\system32\cisvc.exe
2008-05-23 13:40 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2008-05-23 13:25 183,808 ----a-w C:\WINDOWS\system32\accwiz.exe
2008-05-23 13:23 89,600 ----a-w C:\WINDOWS\system32\smlogsvc.exe
2008-05-23 13:23 8,192 ----a-w C:\WINDOWS\system32\lpr.exe
2008-04-29 05:56 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-14 00:12 7,680 ----a-w C:\WINDOWS\system32\spdwnwxp.exe
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\divx.dll
2008-03-28 17:41 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E09D32C-E5E6-4184-B177-784CEE1E09C4}]
2008-05-25 19:08 58880 --a------ C:\WINDOWS\system32\wvUmnOGa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F4BD979C-82DD-4825-9953-571B6F82E365}]
C:\WINDOWS\system32\byXNFUlm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03 152872]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 18:51 172032]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 08:47 1629480]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 08:47 1057064]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-02 04:49 36352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 16:10 57344]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-04-10 15:14 1107848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 17:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7E09D32C-E5E6-4184-B177-784CEE1E09C4}"= C:\WINDOWS\system32\wvUmnOGa.dll [2008-05-25 19:08 58880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUmnOGa]
wvUmnOGa.dll 2008-05-25 19:08 58880 C:\WINDOWS\system32\wvUmnOGa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.enc"= ITIG726.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ac87ece8]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMafb4df74]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Update]


[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"G:\\Program Files\\Steam\\steamapps\\deanmendygral\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Java\\jdk1.6.0_06\\jre\\bin\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 09:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 09:16]
S3 aswArKrn;aswArKrn;C:\DOCUME~1\Dean\LOCALS~1\Temp\aswArKrn.sys []
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-04-29 20:58]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C0-4FCB-11CF-AAX5-004016608512}]
c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1113\iuhi32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C2-99CB-11CF-AYX5-00401C648513}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhi64.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-05-25 10:09:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
 
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 20:59:32
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2008-05-25 21:08:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-25 11:07:07

Pre-Run: 69,855,592,448 bytes free
Post-Run: 69,834,989,568 bytes free

285 --- E O F --- 2008-05-24 06:00:46
 
Step 1

1. Please open Notepad
  • Click Start, then Run
  • Type "notepad.exe" in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
DirLook::
C:\WINDOWS\system32\Data

File::
C:\WINDOWS\system32\ddcYoOFU.dll
C:\WINDOWS\system32\wvUmnOGa.dll
C:\WINDOWS\system32\iiffCVmn.dll
C:\WINDOWS\system32\jkkJbxVn.dll
C:\WINDOWS\_delis32.ini
C:\WINDOWS\005799_.tmp
C:\WINDOWS\NV36842032.TMP
C:\WINDOWS\system32\setb0.tmp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E09D32C-E5E6-4184-B177-784CEE1E09C4}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{7E09D32C-E5E6-4184-B177-784CEE1E09C4}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUmnOGa]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ac87ece8]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMafb4df74]
3. Then in the text file go to FILE => SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif


6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply

Step 2

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {7E09D32C-E5E6-4184-B177-784CEE1E09C4} - C:\WINDOWS\system32\wvUmnOGa.dll
O2 - BHO: (no name) - {F4BD979C-82DD-4825-9953-571B6F82E365} - C:\WINDOWS\system32\byXNFUlm.dll (file missing)
O20 - Winlogon Notify: wvUmnOGa - C:\WINDOWS\SYSTEM32\wvUmnOGa.dll


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Step 3

Do you live in the area of Australia? Do you use anything with your internet, relating to Australia?

Logs Required In Next Post
-------------------------------

ComboFix Log
Hijackthis Log


Kind Regards,
Techpro5238
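An added example, not code from this thread, HijackThis or ComboFix: a small Python checker that reads a HijackThis log the way the reply above does, flagging nameless BHOs (O2), the Winlogon Notify entry (O20), random-looking 8-letter DLL names in system32, and any flagged DLL that is also wired into a second load point. The sample lines are constructed from the log posted earlier; the heuristics and thresholds are assumptions, not a HijackThis feature.

```python
"""Flag Vundo/Virtumonde-style load points in a HijackThis log.

Added example for this thread, not code from the forum, HijackThis or
ComboFix. The heuristics encode what the helper acted on above: BHOs with
no name (O2), a Winlogon Notify DLL (O20), DLLs with random-looking
8-letter names in system32, and one DLL appearing under several load points.
"""
import ntpath
import re
from collections import defaultdict

# Constructed sample, modelled on lines from the log posted in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E09D32C-E5E6-4184-B177-784CEE1E09C4} - C:\WINDOWS\system32\wvUmnOGa.dll
O2 - BHO: (no name) - {F4BD979C-82DD-4825-9953-571B6F82E365} - C:\WINDOWS\system32\byXNFUlm.dll (file missing)
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O20 - Winlogon Notify: wvUmnOGa - C:\WINDOWS\SYSTEM32\wvUmnOGa.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
# First drive-letter path on the line, up to its .dll/.exe extension; the
# HijackThis suffix " (file missing)" is left out of the match.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:dll|exe))', re.IGNORECASE)
LETTERS8_RE = re.compile(r"^[A-Za-z]{8}$")


def looks_random(stem):
    """True for 8-letter stems with irregular case changes, e.g. wvUmnOGa.

    Ordinary names are all lower case or CamelCase with few case switches;
    the Vundo DLLs in this thread switch case two to four times (assumed cut-off).
    """
    if not LETTERS8_RE.match(stem):
        return False
    switches = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    return switches >= 2


def parse_entries(log_text):
    """Yield (section, body, full_line) for each HijackThis entry line."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def extract_path(body):
    m = PATH_RE.search(body)
    return m.group(1) if m else None


def assess(log_text):
    """Return {entry_line: [reasons]} for entries worth a second look."""
    entries = [(s, b, l, extract_path(b)) for s, b, l in parse_entries(log_text)]

    # Which kinds of load point (O2, O4, O20, ...) reference each file?
    load_points = defaultdict(set)
    for section, _, _, path in entries:
        if path:
            load_points[ntpath.basename(path).lower()].add(section)

    flagged = {}
    for section, body, line, path in entries:
        reasons = []
        if section == "O2" and "(no name)" in body:
            reasons.append("BHO registered without a name")
        if section == "O20":
            reasons.append("Winlogon Notify DLL: loaded by winlogon before the desktop appears")
        if path:
            base = ntpath.basename(path)
            stem, ext = ntpath.splitext(base)
            if ext.lower() == ".dll" and "\\system32\\" in path.lower() and looks_random(stem):
                reasons.append(f"random-looking DLL name {base} in system32")
            others = load_points[base.lower()] - {section}
            # Only escalate entries that are already suspicious; legitimate
            # files (e.g. Java's ssv.dll) also show up under several sections.
            if reasons and others:
                reasons.append(f"{base} is also loaded via {', '.join(sorted(others))}")
        if reasons:
            flagged[line] = reasons
    return flagged


def suspect_files(log_text):
    """Basenames of the files behind every flagged entry."""
    names = set()
    for line in assess(log_text):
        path = extract_path(line)
        if path:
            names.add(ntpath.basename(path))
    return names


if __name__ == "__main__":
    for line, reasons in assess(SAMPLE_HJT_LOG).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run against the full log, the flagged entries are the same three lines the reply asks to fix, while the named BHOs, Run entries and services pass untouched.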
 
Thank you for the help Techpro. Yes, I live in Australia, but what do you mean if I use anything with my internet relating to Australia?

I do play the odd game of Counter-Strike: Source on Aus servers, but the majority of my computer work is for uni, MySpace, net banking and sometimes eBay.

I've only done one occurrence of net banking in the past week; do you recommend changing the passwords?

Here are the logs

-Dean


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:01 AM, on 26/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Dean\Desktop\New Folder\HiJackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1209450513274
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1209451186390
O17 - HKLM\System\CCS\Services\Tcpip\..\{4FD7AA10-4666-40BD-870A-68F90538EF9A}: NameServer = 192.231.203.193,192.231.203.3
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 8111 bytes
 
ComboFix 08-05-24.1 - Dean 2008-05-26 8:37:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1591 [GMT 10:00]
Running from: C:\Documents and Settings\Dean\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dean\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\_delis32.ini
C:\WINDOWS\005799_.tmp
C:\WINDOWS\NV36842032.TMP
C:\WINDOWS\system32\ddcYoOFU.dll
C:\WINDOWS\system32\iiffCVmn.dll
C:\WINDOWS\system32\jkkJbxVn.dll
C:\WINDOWS\system32\setb0.tmp
C:\WINDOWS\system32\wvUmnOGa.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\_delis32.ini
C:\WINDOWS\005799_.tmp
C:\WINDOWS\system32\ddcYoOFU.dll
C:\WINDOWS\system32\iiffCVmn.dll
C:\WINDOWS\system32\jkkJbxVn.dll
C:\WINDOWS\system32\setb0.tmp
C:\WINDOWS\system32\wvUmnOGa.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.

2008-05-26 08:29 . 2008-05-26 08:29 370,688 --a------ C:\WINDOWS\system32\qoMeDSlK.dll
2008-05-25 21:58 . 2008-05-25 21:58 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-25 21:58 . 2008-05-25 21:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-25 21:19 . 2008-05-25 21:19 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-25 17:02 . 2008-05-25 17:19 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-25 17:02 . 2008-05-25 17:02 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\PC Tools
2008-05-25 17:02 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-25 17:02 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-25 17:02 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-25 17:02 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-25 11:56 . 2008-05-25 11:56 <DIR> d-------- C:\Program Files\CCleaner
2008-05-25 10:22 . 2008-05-25 10:34 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-05-24 20:41 . 2008-05-25 15:57 <DIR> d-------- C:\Program Files\BitDefender
2008-05-24 20:38 . 2008-05-25 16:07 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-05-24 16:41 . 2008-05-24 16:41 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-20 16:57 . 2008-05-20 16:57 <DIR> d-------- C:\Program Files\AVG
2008-05-20 16:57 . 2008-05-24 16:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-20 16:37 . 2008-05-20 16:37 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-20 11:43 . 2008-05-20 11:43 <DIR> d-------- C:\Program Files\Panda Security
2008-05-19 13:31 . 2008-05-20 09:44 <DIR> d-------- C:\Program Files\Common Files\LogiShrd
2008-05-19 13:31 . 2008-05-20 09:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2008-05-19 13:30 . 2008-05-19 13:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-05-18 22:07 . 2008-05-19 13:48 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-05-18 22:06 . 2008-05-20 09:48 <DIR> d-------- C:\Program Files\Logitech
2008-05-18 03:01 . 2008-05-18 03:01 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-17 13:37 . 2008-05-20 10:08 <DIR> d-------- C:\Program Files\Notepad++
2008-05-17 13:37 . 2008-05-20 10:08 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\Notepad++
2008-05-17 09:57 . 2008-05-18 12:15 269 --a------ C:\WINDOWS\wininit.ini
2008-05-17 09:00 . 2008-05-17 08:57 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-17 09:00 . 2008-05-17 09:00 2,543 --a------ C:\WINDOWS\unins000.dat
2008-05-17 08:51 . 2008-05-25 21:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-12 21:00 . 2008-05-12 21:00 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-05-12 20:59 . 2008-05-12 20:59 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-12 20:59 . 2008-05-12 21:00 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-05-10 14:51 . 2008-05-10 14:51 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-10 14:51 . 2008-05-10 14:51 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-10 14:51 . 2008-05-10 14:51 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-10 14:42 . 2007-10-26 13:36 8,454,656 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-05-10 13:40 . 2004-08-04 17:56 96,768 --a------ C:\WINDOWS\system32\dllcache\dpcdll.dll
2008-05-10 13:40 . 2004-08-04 17:56 24,064 --a------ C:\WINDOWS\system32\dllcache\pidgen.dll
2008-05-06 20:34 . 2008-05-06 20:34 <DIR> d-------- C:\Documents and Settings\Dean\.netbeans-derby
2008-05-06 20:34 . 2008-05-06 20:34 <DIR> d-------- C:\Documents and Settings\Dean\.netbeans
2008-05-06 20:32 . 2008-05-06 20:32 <DIR> d-------- C:\Documents and Settings\Dean\.netbeans-registration
2008-05-06 20:26 . 2008-05-06 20:26 <DIR> d-------- C:\Program Files\Sun
2008-05-06 19:58 . 2008-05-06 20:03 <DIR> d-------- C:\Documents and Settings\Dean\.SunDownloadManager
2008-05-06 19:48 . 2008-05-25 12:31 <DIR> d-------- C:\Documents and Settings\Dean\.nbi
2008-05-06 18:59 . 2008-05-06 18:59 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\Helios
2008-05-06 17:40 . 2008-05-13 20:59 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\dvdcss
2008-05-05 12:19 . 2008-05-05 12:19 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\vlc
2008-05-05 12:17 . 2008-05-05 12:17 <DIR> d-------- C:\Program Files\VideoLAN
2008-05-04 15:37 . 2008-05-04 16:09 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\SSH
2008-05-04 15:27 . 2008-05-04 15:27 <DIR> d-------- C:\Program Files\vso
2008-05-04 15:27 . 2008-05-16 12:03 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\Vso
2008-05-04 15:27 . 2008-05-04 15:27 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-02 10:34 . 2008-05-02 10:34 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\HP
2008-05-02 10:33 . 2008-05-02 10:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-05-02 10:31 . 2008-05-02 10:32 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-05-02 10:30 . 2008-05-02 10:32 <DIR> d-------- C:\Program Files\Common Files\HP
2008-05-02 10:29 . 2008-05-02 10:29 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-05-02 10:28 . 2008-05-02 10:28 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-05-02 10:28 . 2006-01-04 19:12 77,824 -ra------ C:\WINDOWS\system32\HPZIDS01.dll
2008-05-02 10:28 . 2006-04-13 10:04 49,664 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-05-02 10:28 . 2006-04-10 14:03 38,400 --a------ C:\WINDOWS\system32\hpz3l054.dll
2008-05-02 10:28 . 2006-04-13 10:04 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-05-02 10:27 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-05-02 10:27 . 2006-03-03 21:03 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-05-02 10:27 . 2006-03-03 21:02 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-05-02 10:27 . 2006-03-03 21:02 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-05-02 10:27 . 2006-03-03 21:03 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-05-02 10:27 . 2006-03-03 21:03 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-05-02 10:27 . 2006-03-03 21:02 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-05-02 10:26 . 2008-05-02 10:33 <DIR> d-------- C:\Program Files\HP
2008-05-02 10:24 . 2008-05-02 10:34 117,108 --a------ C:\WINDOWS\hpoins11.dat
2008-05-02 09:50 . 2008-05-02 09:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
2008-05-02 08:57 . 2008-05-02 08:57 38 --a------ C:\WINDOWS\avisplitter.INI
2008-04-30 22:12 . 2008-04-30 22:14 <DIR> d-------- C:\WINDOWS\NV36842032.TMP
2008-04-30 22:12 . 2007-12-10 14:24 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-04-30 22:11 . 2008-04-30 22:11 <DIR> d-------- C:\NVIDIA
2008-04-30 21:37 . 2008-04-30 21:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-04-30 17:57 . 2008-04-30 17:57 <DIR> d-------- C:\WINDOWS\Sun
2008-04-30 13:25 . 2008-04-30 13:25 584 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-04-30 13:25 . 2008-04-30 13:25 584 --a------ C:\WINDOWS\system32\settings.sfm
2008-04-30 13:24 . 2008-04-30 13:28 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\Creative
2008-04-30 13:22 . 2000-05-22 10:58 647,872 --a------ C:\WINDOWS\system32\Mscomct2.ocx
2008-04-30 13:22 . 1999-10-10 19:00 41,984 --------- C:\WINDOWS\Ctregrun.exe
2008-04-30 13:21 . 2008-04-30 13:21 183 --a------ C:\WINDOWS\setuplog
2008-04-30 13:20 . 1999-12-13 11:01 44,032 --a------ C:\WINDOWS\system32\CTSVCCDA.EXE
2008-04-30 13:20 . 1999-11-18 11:00 25,088 --a------ C:\WINDOWS\system32\CTSVCCTL.EXE
2008-04-30 13:17 . 2008-04-30 13:17 <DIR> d-------- C:\WINDOWS\system32\Data
2008-04-30 13:17 . 2000-12-13 12:21 7,572,224 --a------ C:\WINDOWS\system32\CT8MGM.SF2
2008-04-30 13:17 . 2000-05-11 01:00 90,112 --------- C:\WINDOWS\Updreg.EXE
2008-04-30 13:15 . 2008-04-30 13:22 <DIR> d-------- C:\Program Files\Creative
2008-04-30 12:44 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-30 12:44 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-30 12:13 . 2008-04-30 12:13 <DIR> d-------- C:\Program Files\Microsoft Works
2008-04-30 12:11 . 2008-04-30 12:11 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-04-30 12:10 . 2008-04-30 12:10 <DIR> dr-h----- C:\MSOCache
2008-04-30 12:10 . 2008-05-14 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-30 09:51 . 2008-04-30 09:51 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-30 08:45 . 2008-04-30 08:45 <DIR> d-------- C:\WINDOWS\system32\Shell
2008-04-30 08:45 . 2007-04-21 08:51 7,307,264 --a------ C:\WINDOWS\system32\Inspirat2.msstyles
2008-04-30 00:34 . 2008-05-18 12:28 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-29 22:57 . 2008-04-29 23:08 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-29 22:57 . 2008-04-29 22:57 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\AdobeUM
2008-04-29 22:51 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-29 22:50 . 2008-05-06 20:26 <DIR> d-------- C:\Program Files\Java
2008-04-29 22:48 . 2008-04-29 22:48 <DIR> d-------- C:\WINDOWS\Cache
2008-04-29 22:47 . 2008-04-29 22:47 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-29 22:14 . 2008-04-29 22:14 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-04-29 21:49 . 2008-05-20 11:43 2,538 --a------ C:\WINDOWS\mozver.dat
2008-04-29 21:43 . 2008-05-18 18:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-04-29 21:40 . 2004-08-04 17:56 218,624 --a------ C:\WINDOWS\system32\uxtheme.backup
2008-04-29 21:13 . 2008-05-19 22:20 <DIR> d-------- C:\Program Files\Winamp
2008-04-29 21:13 . 2008-04-30 12:59 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\Winamp
2008-04-29 20:59 . 2008-04-29 20:59 <DIR> d-------- C:\WINDOWS\OPTIONS
2008-04-29 20:59 . 2008-04-29 20:59 <DIR> d-------- C:\Program Files\Realtek
2008-04-29 20:59 . 2008-04-30 13:22 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-29 20:59 . 2008-04-29 20:59 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\InstallShield
2008-04-29 20:58 . 2008-04-29 20:58 <DIR> d-------- C:\Program Files\DIFX
2008-04-29 20:58 . 2006-06-18 23:37 36,864 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys
2008-04-29 20:57 . 2008-04-29 20:58 16,512 --a------ C:\WINDOWS\gdrv.sys
2008-04-29 20:48 . 2008-04-29 20:48 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-04-29 20:39 . 2008-04-29 20:39 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-04-29 20:39 . 2008-04-29 20:39 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-04-29 20:39 . 2008-05-01 20:39 <DIR> d-------- C:\Documents and Settings\Dean\Contacts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 05:56 --------- d-----w C:\Program Files\microsoft frontpage
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\Data ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F4BD979C-82DD-4825-9953-571B6F82E365}]
C:\WINDOWS\system32\byXNFUlm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03 152872]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 18:51 172032]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 08:47 1629480]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 08:47 1057064]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-02 04:49 36352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 16:10 57344]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 17:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.enc"= ITIG726.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Update]


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"G:\\Program Files\\Steam\\steamapps\\deanmendygral\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Java\\jdk1.6.0_06\\jre\\bin\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 09:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 09:16]
S3 aswArKrn;aswArKrn;C:\DOCUME~1\Dean\LOCALS~1\Temp\aswArKrn.sys []
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-04-29 20:58]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C0-4FCB-11CF-AAX5-004016608512}]
c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1113\iuhi32.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-05-25 12:10:07 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 08:42:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-05-26 8:49:09 - machine was rebooted [Dean]
ComboFix-quarantined-files.txt 2008-05-25 22:49:06
ComboFix2.txt 2008-05-25 11:08:05

Pre-Run: 69,707,079,680 bytes free
Post-Run: 69,710,671,872 bytes free

264 --- E O F --- 2008-05-24 06:00:46
 
Step1

1. Please open Notepad
  • Click Start, then Run
  • Type "notepad.exe" in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
KillAll::

DirLook::
C:\WINDOWS\OPTIONS

File::
C:\WINDOWS\NV36842032.TMP
C:\WINDOWS\system32\byXNFUlm.dll
C:\WINDOWS\system32\qoMeDSlK.dll

Folder::
C:\WINDOWS\system32\Data

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F4BD979C-82DD-4825-9953-571B6F82E365}]
3. Then in the text file go to FILE => SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif


6. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply

Step2

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Logs Required In Next Post
------------------------------

ComboFix Log
MBAM Log


Kind Regards,
Techpro5238
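Added example (not from this thread, HijackThis or ComboFix): a small Python checker that applies the pattern Techpro used by hand in the earlier HJT Step2 (unnamed O2 BHOs and an O20 Winlogon Notify entry loading an eight-letter mixed-case DLL from system32) and writes the matching File:: and Registry:: lines in the CFScript form shown in Step1 above. The sample log lines, the looks_random heuristic and the function names are constructed for the example.

```python
import re
from collections import namedtuple

# Constructed sample lines in the shape of the HijackThis log posted in this
# thread; the two "(no name)" BHOs and the O20 entry are the ones Techpro had fixed.
SAMPLE_HJT_LINES = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E09D32C-E5E6-4184-B177-784CEE1E09C4} - C:\WINDOWS\system32\wvUmnOGa.dll
O2 - BHO: (no name) - {F4BD979C-82DD-4825-9953-571B6F82E365} - C:\WINDOWS\system32\byXNFUlm.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O20 - Winlogon Notify: wvUmnOGa - C:\WINDOWS\SYSTEM32\wvUmnOGa.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# kind: "O2" or "O20"; clsid: BHO CLSID or None; missing: HJT reported "(file missing)"
Finding = namedtuple("Finding", "kind clsid path missing reason")

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")


def _stem(path):
    """'C:\\WINDOWS\\system32\\wvUmnOGa.dll' -> 'wvUmnOGa'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def _in_system32(path):
    return "\\windows\\system32\\" in path.lower()


def looks_random(stem):
    """Heuristic (an assumption for this example, not a rule from the thread):
    every Virtumonde DLL in the posted logs is eight letters of mixed case
    (wvUmnOGa, byXNFUlm, qoMeDSlK ...), unlike AcroIEHelper or ssv."""
    if not re.fullmatch(r"[A-Za-z]{8}", stem):
        return False
    upper = sum(c.isupper() for c in stem)
    return 2 <= upper <= 6


def flag_entries(log_text):
    """Return the O2/O20 entries that match the pattern Techpro fixed by hand."""
    findings = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        if m:
            path = m["path"]
            reasons = []
            if m["name"] == "(no name)" and _in_system32(path):
                reasons.append("unnamed BHO loaded from system32")
            if _in_system32(path) and looks_random(_stem(path)):
                reasons.append("random-looking DLL name")
            if reasons:
                findings.append(Finding("O2", m["clsid"].upper(), path,
                                        bool(m["missing"]), "; ".join(reasons)))
            continue
        m = NOTIFY_RE.match(line)
        if m and _in_system32(m["path"]) and looks_random(_stem(m["path"])):
            findings.append(Finding("O20", None, m["path"], False,
                                    "Winlogon Notify DLL with random-looking name"))
    return findings


def build_cfscript(findings):
    """Write File:: and Registry:: sections in the CFScript form used in this
    thread (ComboFix's '~' shorthand for the BHO key, exactly as Techpro wrote it).
    A BHO whose file is already missing still gets its Registry:: line, because
    the orphaned CLSID key is what keeps the entry showing up in HJT."""
    files, keys, seen = [], [], set()
    for f in findings:
        if f.path.lower() not in seen:        # O2 and O20 may name the same DLL
            seen.add(f.path.lower())
            files.append(f.path)
        if f.clsid:
            keys.append(r"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{%s}]" % f.clsid)
    out = []
    if files:
        out += ["File::"] + files + [""]
    if keys:
        out += ["Registry::"] + keys
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hits = flag_entries(SAMPLE_HJT_LINES)
    for h in hits:
        print(f"{h.kind:<4} {h.path}  <- {h.reason}")
    print()
    print(build_cfscript(hits), end="")
```

The generated text is only a starting point for the File:: and Registry:: sections; the KillAll::, DirLook:: and Folder:: lines in Techpro's script came from reading the ComboFix report, which this checker does not parse.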
 
Malwarebytes' Anti-Malware 1.12
Database version: 786

Scan type: Quick Scan
Objects scanned: 34892
Time elapsed: 3 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
ComboFix 08-05-24.1 - Dean 2008-05-26 9:57:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1632 [GMT 10:00]
Running from: C:\Documents and Settings\Dean\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dean\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\NV36842032.TMP
C:\WINDOWS\system32\byXNFUlm.dll
C:\WINDOWS\system32\qoMeDSlK.dll
.
/wow section - STAGE 41
pv: No matching processes found
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\Data
C:\WINDOWS\system32\qoMeDSlK.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-26 to 2008-05-26 )))))))))))))))))))))))))))))))
.

2008-05-26 09:56 . 2008-05-26 09:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-26 09:56 . 2008-05-26 09:56 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\Malwarebytes
2008-05-26 09:56 . 2008-05-26 09:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-26 09:56 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-26 09:56 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-25 21:58 . 2008-05-25 21:58 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-25 21:58 . 2008-05-25 21:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-25 21:19 . 2008-05-25 21:19 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-25 17:02 . 2008-05-25 17:19 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-25 17:02 . 2008-05-25 17:02 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\PC Tools
2008-05-25 17:02 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-25 17:02 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-25 17:02 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-25 17:02 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-25 11:56 . 2008-05-25 11:56 <DIR> d-------- C:\Program Files\CCleaner
2008-05-25 10:22 . 2008-05-25 10:34 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-05-24 20:41 . 2008-05-25 15:57 <DIR> d-------- C:\Program Files\BitDefender
2008-05-24 20:38 . 2008-05-25 16:07 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-05-24 16:41 . 2008-05-24 16:41 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-20 16:57 . 2008-05-20 16:57 <DIR> d-------- C:\Program Files\AVG
2008-05-20 16:57 . 2008-05-24 16:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-20 16:37 . 2008-05-20 16:37 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-20 11:43 . 2008-05-20 11:43 <DIR> d-------- C:\Program Files\Panda Security
2008-05-19 13:31 . 2008-05-20 09:44 <DIR> d-------- C:\Program Files\Common Files\LogiShrd
2008-05-19 13:31 . 2008-05-20 09:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2008-05-19 13:30 . 2008-05-19 13:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-05-18 22:07 . 2008-05-19 13:48 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-05-18 22:06 . 2008-05-20 09:48 <DIR> d-------- C:\Program Files\Logitech
2008-05-18 03:01 . 2008-05-18 03:01 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-17 13:37 . 2008-05-20 10:08 <DIR> d-------- C:\Program Files\Notepad++
2008-05-17 13:37 . 2008-05-20 10:08 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\Notepad++
2008-05-17 09:57 . 2008-05-18 12:15 269 --a------ C:\WINDOWS\wininit.ini
2008-05-17 09:00 . 2008-05-17 08:57 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-17 09:00 . 2008-05-17 09:00 2,543 --a------ C:\WINDOWS\unins000.dat
2008-05-17 08:51 . 2008-05-25 21:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-12 21:00 . 2008-05-12 21:00 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-05-12 20:59 . 2008-05-12 20:59 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-12 20:59 . 2008-05-12 21:00 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-05-10 14:51 . 2008-05-10 14:51 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-10 14:51 . 2008-05-10 14:51 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-10 14:51 . 2008-05-10 14:51 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-10 14:42 . 2007-10-26 13:36 8,454,656 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-05-10 13:40 . 2004-08-04 17:56 96,768 --a------ C:\WINDOWS\system32\dllcache\dpcdll.dll
2008-05-10 13:40 . 2004-08-04 17:56 24,064 --a------ C:\WINDOWS\system32\dllcache\pidgen.dll
2008-05-06 20:34 . 2008-05-06 20:34 <DIR> d-------- C:\Documents and Settings\Dean\.netbeans-derby
2008-05-06 20:34 . 2008-05-06 20:34 <DIR> d-------- C:\Documents and Settings\Dean\.netbeans
2008-05-06 20:32 . 2008-05-06 20:32 <DIR> d-------- C:\Documents and Settings\Dean\.netbeans-registration
2008-05-06 20:26 . 2008-05-06 20:26 <DIR> d-------- C:\Program Files\Sun
2008-05-06 19:58 . 2008-05-06 20:03 <DIR> d-------- C:\Documents and Settings\Dean\.SunDownloadManager
2008-05-06 19:48 . 2008-05-25 12:31 <DIR> d-------- C:\Documents and Settings\Dean\.nbi
2008-05-06 18:59 . 2008-05-06 18:59 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\Helios
2008-05-06 17:40 . 2008-05-13 20:59 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\dvdcss
2008-05-05 12:19 . 2008-05-05 12:19 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\vlc
2008-05-05 12:17 . 2008-05-05 12:17 <DIR> d-------- C:\Program Files\VideoLAN
2008-05-04 15:37 . 2008-05-04 16:09 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\SSH
2008-05-04 15:27 . 2008-05-04 15:27 <DIR> d-------- C:\Program Files\vso
2008-05-04 15:27 . 2008-05-16 12:03 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\Vso
2008-05-04 15:27 . 2008-05-04 15:27 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-02 10:34 . 2008-05-02 10:34 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\HP
2008-05-02 10:33 . 2008-05-02 10:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-05-02 10:31 . 2008-05-02 10:32 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-05-02 10:30 . 2008-05-02 10:32 <DIR> d-------- C:\Program Files\Common Files\HP
2008-05-02 10:29 . 2008-05-02 10:29 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-05-02 10:28 . 2008-05-02 10:28 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-05-02 10:28 . 2006-01-04 19:12 77,824 -ra------ C:\WINDOWS\system32\HPZIDS01.dll
2008-05-02 10:28 . 2006-04-13 10:04 49,664 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-05-02 10:28 . 2006-04-10 14:03 38,400 --a------ C:\WINDOWS\system32\hpz3l054.dll
2008-05-02 10:28 . 2006-04-13 10:04 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-05-02 10:27 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-05-02 10:27 . 2006-03-03 21:03 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-05-02 10:27 . 2006-03-03 21:02 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-05-02 10:27 . 2006-03-03 21:02 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-05-02 10:27 . 2006-03-03 21:03 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-05-02 10:27 . 2006-03-03 21:03 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-05-02 10:27 . 2006-03-03 21:02 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-05-02 10:26 . 2008-05-02 10:33 <DIR> d-------- C:\Program Files\HP
2008-05-02 10:24 . 2008-05-02 10:34 117,108 --a------ C:\WINDOWS\hpoins11.dat
2008-05-02 09:50 . 2008-05-02 09:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LightScribe
2008-05-02 08:57 . 2008-05-02 08:57 38 --a------ C:\WINDOWS\avisplitter.INI
2008-04-30 22:12 . 2008-04-30 22:14 <DIR> d-------- C:\WINDOWS\NV36842032.TMP
2008-04-30 22:12 . 2007-12-10 14:24 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-04-30 22:11 . 2008-04-30 22:11 <DIR> d-------- C:\NVIDIA
2008-04-30 21:37 . 2008-04-30 21:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-04-30 17:57 . 2008-04-30 17:57 <DIR> d-------- C:\WINDOWS\Sun
2008-04-30 13:25 . 2008-04-30 13:25 584 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-04-30 13:25 . 2008-04-30 13:25 584 --a------ C:\WINDOWS\system32\settings.sfm
2008-04-30 13:24 . 2008-04-30 13:28 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\Creative
2008-04-30 13:22 . 2000-05-22 10:58 647,872 --a------ C:\WINDOWS\system32\Mscomct2.ocx
2008-04-30 13:22 . 1999-10-10 19:00 41,984 --------- C:\WINDOWS\Ctregrun.exe
2008-04-30 13:21 . 2008-04-30 13:21 183 --a------ C:\WINDOWS\setuplog
2008-04-30 13:20 . 1999-12-13 11:01 44,032 --a------ C:\WINDOWS\system32\CTSVCCDA.EXE
2008-04-30 13:20 . 1999-11-18 11:00 25,088 --a------ C:\WINDOWS\system32\CTSVCCTL.EXE
2008-04-30 13:17 . 2000-12-13 12:21 7,572,224 --a------ C:\WINDOWS\system32\CT8MGM.SF2
2008-04-30 13:17 . 2000-05-11 01:00 90,112 --------- C:\WINDOWS\Updreg.EXE
2008-04-30 13:15 . 2008-04-30 13:22 <DIR> d-------- C:\Program Files\Creative
2008-04-30 12:44 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-30 12:44 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-30 12:13 . 2008-04-30 12:13 <DIR> d-------- C:\Program Files\Microsoft Works
2008-04-30 12:11 . 2008-04-30 12:11 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-04-30 12:10 . 2008-04-30 12:10 <DIR> dr-h----- C:\MSOCache
2008-04-30 12:10 . 2008-05-14 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-30 09:51 . 2008-04-30 09:51 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-30 08:45 . 2008-04-30 08:45 <DIR> d-------- C:\WINDOWS\system32\Shell
2008-04-30 08:45 . 2007-04-21 08:51 7,307,264 --a------ C:\WINDOWS\system32\Inspirat2.msstyles
2008-04-30 00:34 . 2008-05-18 12:28 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-29 22:57 . 2008-04-29 23:08 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-29 22:57 . 2008-04-29 22:57 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\AdobeUM
2008-04-29 22:51 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-29 22:50 . 2008-05-06 20:26 <DIR> d-------- C:\Program Files\Java
2008-04-29 22:48 . 2008-04-29 22:48 <DIR> d-------- C:\WINDOWS\Cache
2008-04-29 22:47 . 2008-04-29 22:47 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-29 22:14 . 2008-04-29 22:14 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-04-29 21:49 . 2008-05-20 11:43 2,538 --a------ C:\WINDOWS\mozver.dat
2008-04-29 21:43 . 2008-05-18 18:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-04-29 21:40 . 2004-08-04 17:56 218,624 --a------ C:\WINDOWS\system32\uxtheme.backup
2008-04-29 21:13 . 2008-05-19 22:20 <DIR> d-------- C:\Program Files\Winamp
2008-04-29 21:13 . 2008-04-30 12:59 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\Winamp
2008-04-29 20:59 . 2008-04-29 20:59 <DIR> d-------- C:\WINDOWS\OPTIONS
2008-04-29 20:59 . 2008-04-29 20:59 <DIR> d-------- C:\Program Files\Realtek
2008-04-29 20:59 . 2008-04-30 13:22 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-29 20:59 . 2008-04-29 20:59 <DIR> d-------- C:\Documents and Settings\Dean\Application Data\InstallShield
2008-04-29 20:58 . 2008-04-29 20:58 <DIR> d-------- C:\Program Files\DIFX
2008-04-29 20:58 . 2006-06-18 23:37 36,864 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys
2008-04-29 20:57 . 2008-04-29 20:58 16,512 --a------ C:\WINDOWS\gdrv.sys
2008-04-29 20:48 . 2008-04-29 20:48 <DIR> d-------- C:\Program Files\Messenger Plus! Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 03:15 28,672 ----a-w C:\WINDOWS\system32\verclsid.exe
2008-05-24 03:14 757,760 ----a-w C:\WINDOWS\system32\nvcplui.exe
2008-05-23 13:53 5,632 ----a-w C:\WINDOWS\system32\cisvc.exe
2008-05-23 13:40 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2008-05-23 13:25 183,808 ----a-w C:\WINDOWS\system32\accwiz.exe
2008-05-23 13:23 89,600 ----a-w C:\WINDOWS\system32\smlogsvc.exe
2008-05-23 13:23 8,192 ----a-w C:\WINDOWS\system32\lpr.exe
2008-04-29 05:56 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-14 00:12 7,680 ----a-w C:\WINDOWS\system32\spdwnwxp.exe
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\divx.dll
2008-03-28 17:41 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\OPTIONS ----

2008-04-29 20:59 331 --a------ C:\WINDOWS\OPTIONS\CABS\InstallLog.txt
2007-07-19 15:46 83543 -r------- C:\WINDOWS\OPTIONS\CABS\Netrtle.inf
2007-07-19 10:18 52692 -r------- C:\WINDOWS\OPTIONS\CABS\netrtle.cat
2007-05-31 17:19 96896 -r------- C:\WINDOWS\OPTIONS\CABS\Rtenicxp.sys
2007-05-31 17:19 111616 -r------- C:\WINDOWS\OPTIONS\CABS\Rtenic64.sys
2007-05-31 17:18 95872 -r------- C:\WINDOWS\OPTIONS\CABS\Rtenic.sys
2007-05-23 23:59 81920 --a------ C:\WINDOWS\OPTIONS\CABS\lanset64.exe
2007-05-23 23:58 78848 --a------ C:\WINDOWS\OPTIONS\CABS\lansetup.exe
2007-05-23 23:58 76288 --a------ C:\WINDOWS\OPTIONS\CABS\lansetx.exe
2007-05-23 23:57 74752 --a------ C:\WINDOWS\OPTIONS\CABS\lansetm.exe


((((((((((((((((((((((((((((( snapshot@2008-05-26_ 8.48.53.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-25 22:41:55 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-26 00:03:30 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-26 00:03:34 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_668.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03 152872]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 18:51 172032]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 08:47 1629480]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 08:47 1057064]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-02 04:49 36352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 16:10 57344]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 17:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.enc"= ITIG726.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Update]


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"G:\\Program Files\\Steam\\steamapps\\deanmendygral\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Java\\jdk1.6.0_06\\jre\\bin\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 09:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 09:16]
S3 aswArKrn;aswArKrn;C:\DOCUME~1\Dean\LOCALS~1\Temp\aswArKrn.sys []
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-04-29 20:58]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C0-4FCB-11CF-AAX5-004016608512}]
c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1113\iuhi32.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-05-26 00:09:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 10:04:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0
 
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-05-26 10:10:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-26 00:10:39
ComboFix2.txt 2008-05-25 22:49:10
ComboFix3.txt 2008-05-25 11:08:05

Pre-Run: 69,652,709,376 bytes free
Post-Run: 69,656,580,096 bytes free

290 --- E O F --- 2008-05-24 06:00:46
 