Been infected for quite some time. I need help.

tigris67
Hello,
I've been infected for quite some time with a virus that randomly starts up iexplorer in the background where I cannot see it, and starts randomly named processes on my computer, "bruefqnuhrlx.exe" being an example of one running right now. If I run the "msconfig" command, you can see nearly 1000 or more of these gibberish names listed there, which I have to uncheck constantly, otherwise my computer will never boot up. (I was only able to turn them off by going into safe mode and unchecking them there.)

I've run Spybot S&D, Spyware Doctor, and ESET NOD32 with no solutions to the problem.
I read other people's problems and downloaded HijackThis to see if anyone might be able to help me with my problem.

Here is the Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:50 PM, on 3/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\OO Software\CleverCache\ooccag.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\CRW\shwicon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Michael Luckhardt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\bruefqnuhrlx.exe
C:\Documents and Settings\Michael Luckhardt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Michael Luckhardt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Michael Luckhardt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Michael Luckhardt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Michael Luckhardt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 202.75.52.203 goin.perfectworld.com.my
O2 - BHO: C:\WINDOWS\system32\hs78344kjkfd.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hs78344kjkfd.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [ShowIcon_Apacer_CRW Series Driver v1.17r016] "C:\Program Files\CRW\shwicon.exe" -t"Apacer\CRW Series Driver v1.17r016"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [posi02hxrl] C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\whvixser3s7h.exe
O4 - HKCU\..\Run: [n9wh70681gql1q2tbln2ojcdtln2ji89vg9qimr83rb] C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\srcbym8rvypa.exe
O4 - HKCU\..\Run: [b31199xy5vmply6505on] C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\cnn57iilgr77s.exe
O4 - HKCU\..\Run: [u322xfr2lor] C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\drb915wet.exe
O4 - HKCU\..\Run: [kqrd5pckp] C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\bruefqnuhrlx.exe
O4 - HKCU\..\Run: [ke0a6kqnpcnxbbajkiy7ozr] C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\vrgcgyqwsk3uq.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1186868306453
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15105/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: yorqzr.dll ztcdie.dll
O20 - Winlogon Notify: hgGvuUmj - hgGvuUmj.dll (file missing)
O20 - Winlogon Notify: vtUmMfFU - vtUmMfFU.dll (file missing)
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hs78344kjkfd.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\Mabinogi\npkcmsvc.exe (file missing)
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: O&O CleverCache Agent (OOCleverCacheAgent) - O&O Software GmbH - C:\Program Files\OO Software\CleverCache\ooccag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 9106 bytes


Thank you in advance.
 
Remove these entries

O1 - Hosts: 202.75.52.203 goin.perfectworld.com.my

O2 - BHO: C:\WINDOWS\system32\hs78344kjkfd.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hs78344kjkfd.dll

O4 - HKCU\..\Run: [posi02hxrl] C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\whvixser3s7h.exe

O4 - HKCU\..\Run: [n9wh70681gql1q2tbln2ojcdtln2ji89vg9qimr83rb] C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\srcbym8rvypa.exe

O4 - HKCU\..\Run: [b31199xy5vmply6505on] C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\cnn57iilgr77s.exe

O4 - HKCU\..\Run: [u322xfr2lor] C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\drb915wet.exe

O4 - HKCU\..\Run: [kqrd5pckp] C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\bruefqnuhrlx.exe

O4 - HKCU\..\Run: [ke0a6kqnpcnxbbajkiy7ozr] C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\vrgcgyqwsk3uq.exe


O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.globalgamecdn.com/dist/n...fyLauncher.cab

O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab

O20 - AppInit_DLLs: yorqzr.dll ztcdie.dll

O20 - Winlogon Notify: hgGvuUmj - hgGvuUmj.dll (file missing)

O20 - Winlogon Notify: vtUmMfFU - vtUmMfFU.dll (file missing)

O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hs78344kjkfd.dll


Then I need you to run ComboFix and then Malwarebytes, post both of their logs, and then post a new HijackThis log.

These can be found in my guide below.
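The entries singled out for removal above (autoruns launched from the user's Temp directory under random value names, an AppInit_DLLs list, a DisableRegedit policy, an orphaned Winlogon Notify package, a SharedTaskScheduler entry, a BHO with no friendly name, and a Hosts override) are exactly the signals a responder looks for when triaging a HijackThis log. The script below is an added example, not part of this thread or of HijackThis, that encodes those signals as simple heuristics and runs them over a constructed sample made of lines copied from the first log plus one made-up autorun (`x7kq2mzp`). The rule names, the `looks_random` heuristic and the sample are my own assumptions, meant to show how a pass over the log reproduces the helper's picks while leaving the vendor-signed entries alone.

```python
import re

# Constructed sample: entries copied from the thread's first HijackThis log plus one
# made-up autorun (x7kq2mzp) to exercise the random-name rule. Benign entries are
# mixed in so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
O1 - Hosts: 202.75.52.203 goin.perfectworld.com.my
O2 - BHO: C:\WINDOWS\system32\hs78344kjkfd.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hs78344kjkfd.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kqrd5pckp] C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\bruefqnuhrlx.exe
O4 - HKCU\..\Run: [x7kq2mzp] C:\WINDOWS\system32\x7kq2mzp.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O20 - AppInit_DLLs: yorqzr.dll ztcdie.dll
O20 - Winlogon Notify: hgGvuUmj - hgGvuUmj.dll (file missing)
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hs78344kjkfd.dll
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

# "O4 - HKCU\..\Run: [ValueName] command line"  (RunOnce etc. match as well)
RUN_ENTRY = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O2 - BHO: friendly name - {CLSID} - path"
BHO_ENTRY = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
# A \Temp\ or \tmp\ path component, or an unexpanded %TEMP%
TEMP_DIR = re.compile(r"\\te?mp\\|%temp%", re.IGNORECASE)
VOWELS = set("aeiou")


def looks_random(name):
    """Assumed heuristic: a long value name with digits mixed into letters, or with
    no vowels at all. Names containing spaces, dots or underscores are treated as
    human-chosen (e.g. 'ctfmon.exe', 'QuickTime Task') and never flagged."""
    if len(name) < 8 or any(c in name for c in " ._"):
        return False
    letters = [c for c in name.lower() if c.isalpha()]
    if not letters:
        return False
    if any(c.isdigit() for c in name):
        return True
    return not any(c in VOWELS for c in letters)


def triage_line(line):
    """Return a reason string if the entry matches one of the heuristics, else None."""
    if line.startswith("O1 - Hosts:"):
        return "hosts-file override (confirm the mapping was set deliberately)"
    bho = BHO_ENTRY.match(line)
    if bho and bho.group("name").lower() == bho.group("path").lower():
        return "BHO with no friendly name, registered under its own file path"
    run = RUN_ENTRY.match(line)
    if run:
        if TEMP_DIR.search(run.group("cmd")):
            return "autorun launched from a Temp directory"
        if looks_random(run.group("name")):
            return "autorun with a random-looking value name"
    if line.startswith("O7 -") and "DisableRegedit=1" in line:
        return "policy blocks Registry Editor"
    if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
        return "AppInit_DLLs populated (loaded into every process that maps user32)"
    if line.startswith("O20 - Winlogon Notify:") and "(file missing)" in line:
        return "orphaned Winlogon Notify package"
    if line.startswith("O22 - SharedTaskScheduler:"):
        return "SharedTaskScheduler entry (rarely used by legitimate software)"
    return None


def triage(log_text):
    """Run every heuristic over a HijackThis-style log; returns [(line, reason), ...]."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reason = triage_line(line)
        if reason:
            hits.append((line, reason))
    return hits


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Run as-is it prints eight flagged entries and skips the ESET, ctfmon and Java lines. The Temp-path rule alone would have caught all six `HKCU\..\Run` values in the first log; the random-name rule is there for the case the thread describes, where the dropper re-creates hundreds of such values and a later one may land outside Temp.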
 
Osiris,
I've removed those listed from HijackThis, downloaded and ran ComboFix as well as Malwarebytes and recorded their logs. I also reran HijackThis and have all the logs. The ComboFix log exceeds the amount of space I am allowed to type within the reply though (because of the thousands of startup programs the virus installed), but here are Malwarebytes and the new HijackThis log.

Malwarebytes:

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

3/16/2009 9:15:08 PM
mbam-log-2009-03-16 (21-15-08).txt

Scan type: Quick Scan
Objects scanned: 63345
Time elapsed: 3 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\vbdygupu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:25 PM, on 3/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\OO Software\CleverCache\ooccag.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\CRW\shwicon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Michael Luckhardt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Michael Luckhardt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Michael Luckhardt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Michael Luckhardt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Michael Luckhardt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [ShowIcon_Apacer_CRW Series Driver v1.17r016] "C:\Program Files\CRW\shwicon.exe" -t"Apacer\CRW Series Driver v1.17r016"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1186868306453
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15105/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\Mabinogi\npkcmsvc.exe (file missing)
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: O&O CleverCache Agent (OOCleverCacheAgent) - O&O Software GmbH - C:\Program Files\OO Software\CleverCache\ooccag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 6925 bytes
 
Osiris, I just checked my startup list in msconfig and it's completely clean... WoW...
This is the new Malwarebytes log:

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

3/16/2009 9:33:10 PM
mbam-log-2009-03-16 (21-33-10).txt

Scan type: Quick Scan
Objects scanned: 63400
Time elapsed: 2 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
So are you still having issues?

I would still like to see a new scan done with ComboFix. All you need to do is post parts of the log in each post till the whole log is posted.
 
I sure can post it, here you are:

ComboFix 09-03-15.01 - Michael Luckhardt 2009-03-16 20:29:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1551 [GMT -4:00]
Running from: d:\downloads\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Outdated)
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Michael Luckhardt\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\program files\Internet Explorer\setup.exe
c:\windows\Bgulevoganidesug.dll
c:\windows\system32\adgwev.dll
c:\windows\system32\adoyijiv.ini
c:\windows\system32\aKkTBJjl.ini
c:\windows\system32\aKkTBJjl.ini2
c:\windows\system32\bkkfvgrd.ini
c:\windows\system32\brdiakjf.ini
c:\windows\system32\cilligjl.ini
c:\windows\system32\dixsqoyj.ini
c:\windows\system32\ektgos.dll
c:\windows\system32\esgpcimf.dll
c:\windows\system32\fccaArop.dll
c:\windows\system32\fdkypghd.dll
c:\windows\system32\filnldkt.ini
c:\windows\system32\fqdfxidk.ini
c:\windows\system32\hrfsfbdj.dll
c:\windows\system32\hs78344kjkfd.dll
c:\windows\system32\jRtEOnmp.ini
c:\windows\system32\jRtEOnmp.ini2
c:\windows\system32\jufqiehc.dll
c:\windows\system32\lhwcngca.ini
c:\windows\system32\lvnijfnx.ini
c:\windows\system32\onvxlyqu.dll
c:\windows\system32\pcpsoxqy.dll
c:\windows\system32\pfzzjj.dll
c:\windows\system32\rBLoVvut.ini
c:\windows\system32\rBLoVvut.ini2
c:\windows\system32\rxsdluiu.ini
c:\windows\system32\sthwod.dll
c:\windows\system32\svrmhtmd.dll
c:\windows\system32\tnooobqy.ini
c:\windows\system32\tqkpqvht.dll
c:\windows\system32\tuvVoLBr.dll.vir
c:\windows\system32\udgkcegy.ini
c:\windows\system32\urliuh.dll
c:\windows\system32\vdyknb.dll
c:\windows\system32\ydgzix.dll
c:\windows\system32\ygeckgdu.dll
c:\windows\system32\ztcdie.dll
c:\windows\Tasks\vaijmbpp.job
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2009-02-17 to 2009-03-17 )))))))))))))))))))))))))))))))
.

2009-03-16 16:33 . 2009-03-16 16:33 <DIR> d-------- c:\program files\Trend Micro
2009-03-12 10:20 . 2009-03-14 22:40 <DIR> d-------- c:\program files\Linkrealms
2009-03-08 17:35 . 2009-03-08 17:37 <DIR> d-------- c:\documents and settings\Michael Luckhardt\Application Data\Audacity
2009-03-08 17:34 . 2009-03-08 17:34 <DIR> d-------- c:\program files\Audacity 1.3 Beta (Unicode)
2009-02-18 18:12 . 2009-02-18 18:12 72,704 --a------ c:\windows\system32\vbdygupu.dll
2009-02-18 18:12 . 2009-02-18 18:12 2,424 --a------ C:\1620582311
2009-02-18 18:12 . 2009-02-18 18:12 2,372 --a------ C:\jttgds.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-17 00:27 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-17 00:27 --------- d-----w c:\program files\Spyware Doctor
2009-03-17 00:22 41,192 ----a-w c:\documents and settings\Michael Luckhardt\Application Data\GDIPFONTCACHEV1.DAT
2009-03-16 23:29 --------- d-----w c:\program files\Mozilla Firefox 3 Beta 5
2009-03-16 15:15 --------- d-----w c:\documents and settings\Michael Luckhardt\Application Data\Skype
2009-03-15 20:18 --------- d-----w c:\documents and settings\Michael Luckhardt\Application Data\Azureus
2009-03-15 00:30 --------- d-----w c:\documents and settings\Michael Luckhardt\Application Data\Move Networks
2009-03-03 22:22 --------- d-----w c:\program files\CINEMA 4D R10
2009-02-27 12:06 --------- d-----w c:\program files\Azureus
2009-02-20 23:47 --------- d-----w c:\documents and settings\Michael Luckhardt\Application Data\dvdcss
2009-02-20 05:51 --------- d-----w c:\documents and settings\Michael Luckhardt\Application Data\FileZilla
2009-02-19 03:16 --------- d-----w c:\program files\Savage 2 - A Tortured Soul
2009-02-19 03:13 --------- d-----w c:\program files\Java
2009-02-16 03:45 --------- d-----w c:\program files\Runes of Magic
2009-02-16 02:58 --------- d-----w c:\program files\Quake III Arena
2009-02-12 08:13 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-09 14:16 --------- d-----w c:\documents and settings\Michael Luckhardt\Application Data\Launchy
2009-02-09 05:00 --------- d-----w c:\documents and settings\Michael Luckhardt\Application Data\GetRightToGo
2009-02-04 21:23 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-01-29 03:36 --------- d-----w c:\program files\PSP Pandora Deluxe
2009-01-19 07:17 139,176 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-19 07:00 --------- d-----w c:\documents and settings\Michael Luckhardt\Application Data\id Software
2009-01-19 06:57 22,328 ----a-w c:\documents and settings\Michael Luckhardt\Application Data\PnkBstrK.sys
2009-01-19 06:57 --------- d-----w c:\documents and settings\All Users\Application Data\id Software
2009-01-18 00:17 --------- d-----w c:\program files\QuickTime Alternative
2009-01-18 00:17 --------- d-----w c:\program files\Common Files\Apple
2009-01-18 00:17 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-18 00:16 --------- d-----w c:\program files\Apple Software Update
2009-01-18 00:16 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-01-11 01:08 137,728 ----a-w c:\windows\enihuvilitac.dll
2008-07-11 02:17 23 ----a-w c:\documents and settings\Michael Luckhardt\jagex_runescape_preferences.dat
2006-05-03 09:06 163,328 --sha-r c:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r c:\windows\system32\msfDX.dll
2008-06-20 15:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008062020080621\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2008-08-06 233576]
"ShowIcon_Apacer_CRW Series Driver v1.17r016"="c:\program files\CRW\shwicon.exe" [2003-01-09 73728]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2008-09-06 413696]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]
"Ptipbmf"="ptipbmf.dll" [2003-05-29 c:\windows\system32\ptipbmf.dll]
"CTHelper"="CTHELPER.EXE" [2006-05-24 c:\windows\CTHELPER.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Launchy.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Launchy.lnk
backup=c:\windows\pss\Launchy.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 18:29 165784 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeathAdder]
--a------ 2007-05-07 17:40 159744 c:\program files\Razer\DeathAdder\razerhid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-03 12:32 133104 c:\documents and settings\Michael Luckhardt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-09-20 11:35 1077032 c:\program files\Nero\Nero8\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 16:57 153136 c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
--a------ 2008-09-04 07:01 2524416 c:\windows\system32\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a------ 2007-09-20 11:36 2044712 c:\program files\Nero\Nero8\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seticon]
--a------ 2002-10-04 10:39 39936 c:\program files\Icons\SetIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tmezefimife]
--a------ 2009-01-10 21:08 137728 c:\windows\enihuvilitac.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"idsvc"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"ATI Smart"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"InCDsrv"=2 (0x2)
"Bonjour Service"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"StartCCC"=c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
"CTxfiHlp"=CTXFIHLP.EXE
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\ijji\\ENGLISH\\u_gbound.exe"=
"c:\\Program Files\\Mozilla Firefox 3 Beta 5\\firefox.exe"=
"c:\\Program Files\\Adobe\\Adobe Flash CS3\\Flash.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Adobe\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"=
"c:\\Program Files\\CINEMA 4D R10\\NET Render Client.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17326:TCP"= 17326:TCP:BitCometLite 17326 TCP
"17326:UDP"= 17326:UDP:BitCometLite 17326 UDP

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-02-20 33800]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-01-12 160792]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-02-20 472320]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2008-12-30 603904]
R3 CX88XBAR;ASUS TV880 Crossbar;c:\windows\system32\drivers\cx88xbar.sys [2008-08-31 9846]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2008-09-14 10880]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\drivers\lne100v5.sys [2008-08-27 36224]
R3 OOTextMode;OOTextMode;c:\windows\system32\drivers\oobctm.sys [2008-08-30 37896]
R3 PAC7311;VGA SoC PC-Camer@;c:\windows\system32\drivers\PA707UCM.SYS [2005-02-16 144768]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2006-02-28 3584]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.SYS --> c:\windows\system32\drivers\COMMONFX.SYS [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS --> c:\windows\system32\drivers\COMMONFX.SYS [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2008-08-28 79360]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.SYS --> c:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS --> c:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.SYS --> c:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS --> c:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.SYS --> c:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS --> c:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [2007-05-11 29184]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-12 356920]
S3 SNDFCAM;Philips FunCam;c:\windows\system32\drivers\sndfcam.sys [2007-10-09 219008]
S3 XDva132;XDva132;\??\c:\windows\system32\XDva132.sys --> c:\windows\system32\XDva132.sys [?]
S3 XDva164;XDva164;\??\c:\windows\system32\XDva164.sys --> c:\windows\system32\XDva164.sys [?]
S3 XDva202;XDva202;\??\c:\windows\system32\XDva202.sys --> c:\windows\system32\XDva202.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-03-17 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 16:36]

2009-03-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-796845957-839522115-1004.job
- c:\documents and settings\Michael Luckhardt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 12:32]

2009-03-16 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-01-28 11:43]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-a0b2dl0ikuq0qs1ohc - c:\docume~1\MICHAE~1\LOCALS~1\Temp\ccv2xh7.exe
(1000's others with these gibberish names, literally)

*continued* next post
 
Combofix Cont.

.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
Trusted Zone: aol.com\free
FF - ProfilePath - c:\documents and settings\Michael Luckhardt\Application Data\Mozilla\Firefox\Profiles\qmdi9lxh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\documents and settings\Michael Luckhardt\Application Data\Mozilla\Firefox\Profiles\qmdi9lxh.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Michael Luckhardt\Application Data\Mozilla\Firefox\Profiles\qmdi9lxh.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\documents and settings\Michael Luckhardt\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 600000
FF - user.js: nglayout.initialpaint.delay - 600
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-16 20:36:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1409082233-796845957-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG11.00.00.01WORKSTATION"="02FCBEBD0BAE265A6B74A2856672A39C233DA254632FED65D0186E5079D72474613A63E74CA796C128F9FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933A6A0AC4980AC7933A6A0AC4980AC7933A9C6AECB7A5D1407441712FCE0D79222885D3E4AFD75381CC3FD6F656D879534A05E45F90BBFB47E4C2A1D461AF8AEB02841C9F613ADCA474BB61AA1D40467C3D05C26BD185B3CF57863FB3F3AFA5E53998D8D36D243A869E1E4787E22F75BCFE5921D88C09221B882347BA3B2ACDA058A537069B4F4B5764BDC32A9EEB4A1E65C35ABEDE567040EB9519C11C6E04CE340E811D90184CA86E0B5A0322A0CDEB63E3D8A6AB85C765F01B3140A12EA54B310E9C031563933568E49528D96D6AD17AE65A4DAC47A7D3B4D984AF4FDA505D966320501A5DCAE43D4380B92CA711A7EE22F1AFD624F93D2A881DA9CCD6EE4E2416617B9363F725346644000B2B9A48CA25E3D7B43EB267DB2B396AF15276F7C36EA65B59F33A52E0EF41C740C9343FECDFA965C6A6398331E3782BE3D35157AEAE9122FD10EE41FE5577EF3E9E8DEBDD2D0620D2FCFBF93AFD957C10282B5D39AD2EF458D2ABE961F38F8E8B222D35039708E61BECDE5DEC0AC0193757DAA2315D58AFBE8E8B8A71D0B529E22B1F3E3192E3F0C98FBC97CC20620F07C16BEA6BD6C1FB9CDA9C98B5A0804C4C50904C8A0A1CB288F819CF5357D0A7DCE42B0410CCC9FCAF8D5DF9DE02ABEF081A13C740FA7C0B14B068477B071C5BE787DB3FB0AF7B05EFC55D85CD1AF631B8BF54A7FBC605C0C49369B55DD8211A0DC44ED7FD72E2C87BF990AEDE19B0A206E06CFA690AE92FA57427084F9155C70AE17FA1BA8771F3E7B933B9959377B3F8956614B09BB0BA79BDF041F5AD2CB5FF6FCEA42449C4C5D3DB9284A130CB61D8E6C0872B573A1218BC6CD626329B78693FE3F0B06AB28A5E509809081686EC28656BF453E07E4D7F3B3B6B00F49ADDE342B6F325B775C38AD7C68A0A661891DC9A17B0F5AE91AA173671D106C28EBC65E1467944A96479E1C9979D19C4C22FA88E39F42D8D237B68027522B9D7F6A80E94D0535E7E1794210E5BD210FC58692C4B383F31940E7B5DFBB9DCD594B4EB285F19B3DDFF8B8743A6DB5AC3DACBAFA562C765C90F00C9F2F70B8EA684D76E72F1F7375F23CFE67A2BCD6397DA373B0666E39574AE9B759DD1751992A8A728EBDF6C5CCF1537933A0E607AFB6929B94741DFE68E2F1312EAF83881212CD8679D81EC1D6C5A789D26383A499E4A3516BD3DF72320A95F5493B0F763224A12CDD7E3F0CCA6AE745266C2DFCA999C6E85CAB63307D8627B23CEE
9523FD7B588F567E883A03ED86F4EF9102D5B178AFE7F475D549393137CC7E08F88E99478710E27D2A"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(460)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\system32\oodag.exe
c:\program files\OO Software\CleverCache\ooccag.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\CTxfispi.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-03-16 20:44:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-17 00:44:14

Pre-Run: 3,965,882,368 bytes free
Post-Run: 3,834,331,136 bytes free

5870 --- E O F --- 2009-02-12 08:04:57


Malwarebytes:

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

3/16/2009 9:15:08 PM
mbam-log-2009-03-16 (21-15-08).txt

Scan type: Quick Scan
Objects scanned: 63345
Time elapsed: 3 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\vbdygupu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:25 PM, on 3/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\OO Software\CleverCache\ooccag.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\CRW\shwicon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Michael Luckhardt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Michael Luckhardt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Michael Luckhardt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Michael Luckhardt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Michael Luckhardt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [ShowIcon_Apacer_CRW Series Driver v1.17r016] "C:\Program Files\CRW\shwicon.exe" -t"Apacer\CRW Series Driver v1.17r016"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1186868306453
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15105/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\Mabinogi\npkcmsvc.exe (file missing)
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: O&O CleverCache Agent (OOCleverCacheAgent) - O&O Software GmbH - C:\Program Files\OO Software\CleverCache\ooccag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 6925 bytes
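The ComboFix sections above show the pattern the poster is fighting: thousands of `MSConfigStartUp-<gibberish>` orphans pointing into the user's Temp folder, plus a `startupreg` entry (`Tmezefimife`) whose payload is a DLL dropped straight into `c:\windows`, and Malwarebytes naming the family as Trojan.Vundo. Triaging that many entries by eye is not practical, so here is an added example (my own script, not the poster's or any of the scanner vendors' code) that parses log lines in the shape of the ComboFix output and flags the entries a responder would look at first. It assumes the two line formats visible above (`[...\msconfig\startupreg\NAME]` followed by an attribute/date/size/path line, and `MSConfigStartUp-NAME - PATH`); the sample log is constructed for the example, and the heuristics are deliberately simple: a clean result does not prove an entry is benign.

```python
"""Triage autostart entries from a ComboFix-style log (added example, not the
poster's tool). Flags entries that look like the gibberish-named Vundo
autostarts in the thread: random names launched from a Temp folder, or a DLL
dropped directly into c:\\windows."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the ComboFix sections above (not a real log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seticon]
--a------ 2002-10-04 10:39 39936 c:\program files\Icons\SetIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tmezefimife]
--a------ 2009-01-10 21:08 137728 c:\windows\enihuvilitac.dll

MSConfigStartUp-a0b2dl0ikuq0qs1ohc - c:\docume~1\MICHAE~1\LOCALS~1\Temp\ccv2xh7.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime Alternative\qttask.exe
"""

STARTUPREG_KEY = re.compile(r"\\msconfig\\startupreg\\([^\]]+)\]\s*$", re.I)
# "--a------ 2009-01-10 21:08 137728 c:\windows\enihuvilitac.dll"
FILE_LINE = re.compile(r"^\S+\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+\d+\s+(.+?)\s*$")
ORPHAN_LINE = re.compile(r"^MSConfigStartUp-(.+?) - (.+?)\s*$")
TEMP_DIR = re.compile(r"\\temp\\", re.I)
WINDOWS_ROOT_DLL = re.compile(r"^c:\\windows\\[^\\]+\.dll$", re.I)


def parse_autostarts(text: str) -> List[Tuple[str, str]]:
    """Return (entry name, launch path) pairs for startupreg blocks and orphan lines."""
    entries = []
    pending = None  # startupreg key name waiting for the file line that follows it
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = STARTUPREG_KEY.search(line)
        if m:
            pending = m.group(1)
            continue
        if pending is not None:
            m = FILE_LINE.match(line)
            if m:
                entries.append((pending, m.group(1)))
            pending = None
            continue
        m = ORPHAN_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def digit_letter_transitions(name: str) -> int:
    """Count adjacent letter<->digit switches: 'a0b2dl0ikuq0qs1ohc' scores 10, 'SetIcon' 0.
    Character entropy is not used: Vundo names like 'Tmezefimife' are pronounceable
    and score low on entropy, so they must be caught by where the file lives instead."""
    return sum(
        1 for a, b in zip(name, name[1:])
        if a.isalnum() and b.isalnum() and a.isdigit() != b.isdigit()
    )


def suspicion_reasons(name: str, path: str) -> List[str]:
    """Heuristic reasons to inspect an entry; an empty list is 'not flagged', not 'clean'."""
    reasons = []
    if TEMP_DIR.search(path):
        reasons.append("launched from a Temp directory")
    if WINDOWS_ROOT_DLL.match(path):
        reasons.append("DLL placed directly in c:\\windows")
    if digit_letter_transitions(name) >= 3:
        reasons.append("digit/letter-mixed entry name")
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if digit_letter_transitions(stem) >= 3:
        reasons.append("digit/letter-mixed file name")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map each autostart entry name to the reasons it was flagged."""
    return {name: suspicion_reasons(name, path) for name, path in parse_autostarts(text)}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{'FLAG' if reasons else 'ok  '} {name}: {', '.join(reasons)}")
```

Run against the sample, `Seticon` and `QuickTime Task` come back unflagged, `Tmezefimife` is flagged for the DLL in the Windows root, and the orphan is flagged three times over (Temp path, random entry name, random file name). On a real log the same script gives you a short list to check file hashes and signatures for, instead of unchecking a thousand msconfig boxes by hand.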