Tech Support Forum - View Single Post - Trojan.virtumonde found by Spyware doctor but infection still on pc

pcnooby · 12-06-2008, 04:44 PM

Thanks for that, I haven't used this since it was rebuilt and only using it because my partner's kids wanted to use it. I installed AVG but it was having difficulty uploading updates on it. The AVG installer has remained on the machine, but as you have pointed out, the actual program itself isn't there. :(
I haven't used it for internet banking thankfully, but will still change all my passwords and advise the bank just in case. I've only viewed my Gmail once or twice on this.

Initially i couldn't get back on the internet, but IE's diagnostics fixed it up and the logs are as follows:

COMBOFIX:

ComboFix 08-12-06.04 - Michelle 2008-12-07 10:09:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.563 [GMT 11:00]
Running from: c:\documents and settings\Michelle\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\frmwrk32.exe
c:\windows\system32\jjgtmjwv.ini
c:\windows\system32\kkdgrjtq.dll
c:\windows\system32\kpkada.dll
c:\windows\system32\ntdll64.exe
c:\windows\system32\rCMUBccf.ini
c:\windows\system32\rCMUBccf.ini2
c:\windows\system32\wvUlJBTK.dll
c:\windows\Tasks\imqczzls.job

c:\windows\system32\userinit.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-07 09:51 . 2008-12-07 09:51 <DIR> d-------- c:\program files\Trend Micro
2008-12-03 18:42 . 2008-12-07 09:57 461 --a------ c:\windows\system32\win32hlp.cnf
2008-12-03 18:31 . 2008-12-03 18:31 250 --a------ c:\windows\gmer.ini
2008-11-30 20:45 . 2008-11-30 20:45 <DIR> d-------- C:\VundoFix Backups
2008-11-30 20:01 . 2008-11-30 20:02 51,200 --a------ c:\windows\system32\dcyklsoj.dll
2008-11-30 19:53 . 2008-12-07 09:57 4,785 --a------ c:\windows\system32\warning.gif
2008-11-30 19:53 . 2008-12-07 09:57 1,349 --a------ c:\windows\system32\ahtn.htm
2008-11-30 19:53 . 2008-11-30 19:53 1 --a------ c:\windows\system32\uniq.tll
2008-11-30 19:53 . 2008-11-30 19:53 1 --a------ c:\windows\system32\test.ttt
2008-11-30 19:52 . 2008-11-30 19:52 38,400 --a------ c:\windows\system32\khfCvSKc.dll
2008-11-29 08:54 . 2008-11-30 21:13 <DIR> d-------- c:\documents and settings\Michelle\Application Data\Skype
2008-11-26 20:58 . 2008-11-26 20:58 297,697 --a------ c:\windows\system32\SpywareRemover.exe
2008-11-23 16:59 . 2008-11-23 16:59 319 --a------ C:\drmHeader.bin
2008-11-22 18:55 . 2008-11-22 18:55 <DIR> d-------- c:\documents and settings\Michelle\Application Data\DivX
2008-11-22 18:51 . 2008-11-22 18:51 <DIR> d-------- c:\program files\DivX
2008-11-22 18:51 . 2008-09-20 08:57 129,784 --------- c:\windows\system32\pxafs.dll
2008-11-22 18:51 . 2008-09-20 08:57 120,056 --------- c:\windows\system32\pxcpyi64.exe
2008-11-22 18:51 . 2008-09-20 08:57 118,520 --------- c:\windows\system32\pxinsi64.exe
2008-11-22 17:36 . 2008-11-22 17:36 <DIR> d-------- c:\program files\Real
2008-11-22 17:36 . 2008-11-22 17:36 <DIR> d-------- c:\program files\Common Files\xing shared
2008-11-22 17:36 . 2008-11-22 17:36 <DIR> d-------- c:\program files\Common Files\Real
2008-11-22 14:44 . 2008-12-03 18:32 <DIR> d-------- c:\program files\Spyware Doctor
2008-11-22 14:44 . 2008-11-22 14:44 <DIR> d-------- c:\documents and settings\Michelle\Application Data\PC Tools
2008-11-22 14:44 . 2008-12-07 09:47 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-22 14:44 . 2008-11-22 15:03 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-11-22 14:44 . 2008-11-22 15:04 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-11-22 14:44 . 2008-11-22 15:03 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-11-22 14:44 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-11-22 14:31 . 2008-11-22 14:31 <DIR> d-------- c:\program files\Common Files\Adobe
2008-11-22 14:19 . 2008-11-22 14:19 <DIR> d-------- c:\program files\Skype
2008-11-22 14:19 . 2008-11-22 14:19 <DIR> d-------- c:\program files\Common Files\Skype
2008-11-22 14:19 . 2008-11-22 14:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2008-11-22 14:05 . 2008-11-22 14:37 <DIR> d-------- c:\program files\Norton Security Scan
2008-11-22 14:05 . 2008-11-22 15:08 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-11-22 14:02 . 2008-11-22 14:02 <DIR> d-------- c:\program files\Picasa2
2008-11-22 14:02 . 2006-10-05 13:42 2,560 --------- c:\windows\system32\drivers\cdralw2k.sys
2008-11-22 14:02 . 2006-10-05 13:42 2,432 --------- c:\windows\system32\drivers\cdr4_xp.sys
2008-11-22 13:59 . 2008-11-22 13:59 <DIR> d-------- c:\windows\system32\runtime
2008-11-22 13:54 . 2008-11-22 14:09 <DIR> d-------- c:\program files\Google
2008-11-22 13:54 . 2008-12-07 08:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-11-15 14:50 . 2008-08-14 21:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-15 14:50 . 2008-08-14 21:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-15 14:50 . 2008-08-14 20:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-15 14:50 . 2008-08-14 20:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-15 14:16 . 2008-09-08 21:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-11-15 14:13 . 2008-09-15 23:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-11-15 13:58 . 2008-10-24 22:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-15 13:54 . 2008-10-16 03:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-11-15 13:50 . 2008-09-05 04:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-22 06:36 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-11-22 06:36 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 03:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 03:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 03:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 03:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 03:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 03:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 03:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 03:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-06 10:32 --------- d-----w c:\documents and settings\Michelle\Application Data\U3
2008-10-06 10:31 --------- d-----w c:\program files\TARI Racing Software
2008-10-06 10:26 --------- d-----w c:\program files\RomRaider
2008-10-06 10:20 --------- d-----w c:\program files\Java
2008-10-06 10:20 --------- d-----w c:\program files\DIFX
2008-10-06 10:19 --------- d-----w c:\program files\OpenECU
2008-10-06 10:17 --------- d-----w c:\program files\Common Files\Java
2008-10-06 10:09 507,904 ----a-w c:\windows\system32\winlogon.exe
2008-09-30 05:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-08 20:17 1,159,168 ----a-w c:\windows\system32\op20pt32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-22 39408]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2008-02-12 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-08-14 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-08-14 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-08-14 94208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-02-01 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-22 30192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-22 185872]
"SpywareCleaner"="c:\windows\system32\SpywareRemover.exe" [2008-11-26 297697]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 c:\windows\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Michelle\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-08-10 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-08-10 20560]
S3 GoogleDesktopManager-110408-113106;Google Desktop Manager 5.8.811.4345;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-22 30192]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-11-22 356920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2bc1730c-938f-11dd-ac72-001302610412}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f2ab953-66c1-11dd-ac62-d13e7f2a3693}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-08-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2008-11-22 c:\windows\Tasks\Norton Security Scan for Michelle.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Framework Windows - frmwrk32.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\docume~1\Michelle\LOCALS~1\Temp\ntdll64.dll
FireFox -: Profile - c:\documents and settings\Michelle\Application Data\Mozilla\Firefox\Profiles\t196yv3b.default\
FF -: plugin - c:\program files\Google\Google Updater\2.4.1399.3742\npCIDetect13.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Picasa2\npPicasa2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 10:12:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Skype\Phone\Skype.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-07 10:14:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-06 23:14:02

Pre-Run: 98,259,324,928 bytes free
Post-Run: 98,289,446,912 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

223 --- E O F --- 2008-11-22 04:55:41

HIJACK THIS:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:36 AM, on 7/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpywareCleaner] C:\WINDOWS\system32\SpywareRemover.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\docume~1\michelle\locals~1\temp\ntdll64.dll' missing
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{68A8056A-AC6D-4907-9CF8-A48B6595F1C7}: NameServer = 220.233.0.3 220.233.0.4
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 8334 bytes

12-06-2008, 04:44 PM	#5 (permalink)
pcnooby Registered User Join Date: Nov 2008 Posts: 12 OS: XP	Re: Trojan.virtumonde found by Spyware doctor but infection still on pc Thanks for that, I haven't used this since it was rebuilt and only using it because my partner's kids wanted to use it. I installed AVG but it was having difficulty uploading updates on it. The AVG installer has remained on the machine, but as you have pointed out, the actual program itself isn't there. :( I haven't used it for internet banking thankfully, but will still change all my passwords and advise the bank just in case. I've only viewed my Gmail once or twice on this. Initially i couldn't get back on the internet, but IE's diagnostics fixed it up and the logs are as follows: COMBOFIX: ComboFix 08-12-06.04 - Michelle 2008-12-07 10:09:56.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.563 [GMT 11:00] Running from: c:\documents and settings\Michelle\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\Downloaded Program Files\setup.inf c:\windows\system32\frmwrk32.exe c:\windows\system32\jjgtmjwv.ini c:\windows\system32\kkdgrjtq.dll c:\windows\system32\kpkada.dll c:\windows\system32\ntdll64.exe c:\windows\system32\rCMUBccf.ini c:\windows\system32\rCMUBccf.ini2 c:\windows\system32\wvUlJBTK.dll c:\windows\Tasks\imqczzls.job c:\windows\system32\userinit.exe . . . is infected!! . ((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 ))))))))))))))))))))))))))))))) . 2008-12-07 09:51 . 2008-12-07 09:51 <DIR> d-------- c:\program files\Trend Micro 2008-12-03 18:42 . 2008-12-07 09:57 461 --a------ c:\windows\system32\win32hlp.cnf 2008-12-03 18:31 . 2008-12-03 18:31 250 --a------ c:\windows\gmer.ini 2008-11-30 20:45 . 2008-11-30 20:45 <DIR> d-------- C:\VundoFix Backups 2008-11-30 20:01 . 2008-11-30 20:02 51,200 --a------ c:\windows\system32\dcyklsoj.dll 2008-11-30 19:53 . 2008-12-07 09:57 4,785 --a------ c:\windows\system32\warning.gif 2008-11-30 19:53 . 2008-12-07 09:57 1,349 --a------ c:\windows\system32\ahtn.htm 2008-11-30 19:53 . 2008-11-30 19:53 1 --a------ c:\windows\system32\uniq.tll 2008-11-30 19:53 . 2008-11-30 19:53 1 --a------ c:\windows\system32\test.ttt 2008-11-30 19:52 . 2008-11-30 19:52 38,400 --a------ c:\windows\system32\khfCvSKc.dll 2008-11-29 08:54 . 2008-11-30 21:13 <DIR> d-------- c:\documents and settings\Michelle\Application Data\Skype 2008-11-26 20:58 . 2008-11-26 20:58 297,697 --a------ c:\windows\system32\SpywareRemover.exe 2008-11-23 16:59 . 2008-11-23 16:59 319 --a------ C:\drmHeader.bin 2008-11-22 18:55 . 2008-11-22 18:55 <DIR> d-------- c:\documents and settings\Michelle\Application Data\DivX 2008-11-22 18:51 . 2008-11-22 18:51 <DIR> d-------- c:\program files\DivX 2008-11-22 18:51 . 2008-09-20 08:57 129,784 --------- c:\windows\system32\pxafs.dll 2008-11-22 18:51 . 2008-09-20 08:57 120,056 --------- c:\windows\system32\pxcpyi64.exe 2008-11-22 18:51 . 2008-09-20 08:57 118,520 --------- c:\windows\system32\pxinsi64.exe 2008-11-22 17:36 . 2008-11-22 17:36 <DIR> d-------- c:\program files\Real 2008-11-22 17:36 . 2008-11-22 17:36 <DIR> d-------- c:\program files\Common Files\xing shared 2008-11-22 17:36 . 2008-11-22 17:36 <DIR> d-------- c:\program files\Common Files\Real 2008-11-22 14:44 . 2008-12-03 18:32 <DIR> d-------- c:\program files\Spyware Doctor 2008-11-22 14:44 . 2008-11-22 14:44 <DIR> d-------- c:\documents and settings\Michelle\Application Data\PC Tools 2008-11-22 14:44 . 2008-12-07 09:47 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP 2008-11-22 14:44 . 2008-11-22 15:03 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys 2008-11-22 14:44 . 2008-11-22 15:04 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys 2008-11-22 14:44 . 2008-11-22 15:03 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys 2008-11-22 14:44 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys 2008-11-22 14:31 . 2008-11-22 14:31 <DIR> d-------- c:\program files\Common Files\Adobe 2008-11-22 14:19 . 2008-11-22 14:19 <DIR> d-------- c:\program files\Skype 2008-11-22 14:19 . 2008-11-22 14:19 <DIR> d-------- c:\program files\Common Files\Skype 2008-11-22 14:19 . 2008-11-22 14:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype 2008-11-22 14:05 . 2008-11-22 14:37 <DIR> d-------- c:\program files\Norton Security Scan 2008-11-22 14:05 . 2008-11-22 15:08 <DIR> d-------- c:\program files\Common Files\Symantec Shared 2008-11-22 14:02 . 2008-11-22 14:02 <DIR> d-------- c:\program files\Picasa2 2008-11-22 14:02 . 2006-10-05 13:42 2,560 --------- c:\windows\system32\drivers\cdralw2k.sys 2008-11-22 14:02 . 2006-10-05 13:42 2,432 --------- c:\windows\system32\drivers\cdr4_xp.sys 2008-11-22 13:59 . 2008-11-22 13:59 <DIR> d-------- c:\windows\system32\runtime 2008-11-22 13:54 . 2008-11-22 14:09 <DIR> d-------- c:\program files\Google 2008-11-22 13:54 . 2008-12-07 08:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater 2008-11-15 14:50 . 2008-08-14 21:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe 2008-11-15 14:50 . 2008-08-14 21:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe 2008-11-15 14:50 . 2008-08-14 20:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe 2008-11-15 14:50 . 2008-08-14 20:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe 2008-11-15 14:16 . 2008-09-08 21:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys 2008-11-15 14:13 . 2008-09-15 23:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys 2008-11-15 13:58 . 2008-10-24 22:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys 2008-11-15 13:54 . 2008-10-16 03:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll 2008-11-15 13:50 . 2008-09-05 04:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-11-22 06:36 499,712 ----a-w c:\windows\system32\msvcp71.dll 2008-11-22 06:36 348,160 ----a-w c:\windows\system32\msvcr71.dll 2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll 2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll 2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll 2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll 2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll 2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys 2008-10-16 03:13 202,776 ----a-w c:\windows\system32\wuweb.dll 2008-10-16 03:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll 2008-10-16 03:12 561,688 ----a-w c:\windows\system32\wuapi.dll 2008-10-16 03:12 323,608 ----a-w c:\windows\system32\wucltui.dll 2008-10-16 03:09 92,696 ----a-w c:\windows\system32\cdm.dll 2008-10-16 03:09 51,224 ----a-w c:\windows\system32\wuauclt.exe 2008-10-16 03:09 43,544 ----a-w c:\windows\system32\wups2.dll 2008-10-16 03:08 34,328 ----a-w c:\windows\system32\wups.dll 2008-10-06 10:32 --------- d-----w c:\documents and settings\Michelle\Application Data\U3 2008-10-06 10:31 --------- d-----w c:\program files\TARI Racing Software 2008-10-06 10:26 --------- d-----w c:\program files\RomRaider 2008-10-06 10:20 --------- d-----w c:\program files\Java 2008-10-06 10:20 --------- d-----w c:\program files\DIFX 2008-10-06 10:19 --------- d-----w c:\program files\OpenECU 2008-10-06 10:17 --------- d-----w c:\program files\Common Files\Java 2008-10-06 10:09 507,904 ----a-w c:\windows\system32\winlogon.exe 2008-09-30 05:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll 2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll 2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll 2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll 2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll 2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe 2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll 2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll 2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll 2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll 2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe 2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll 2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll 2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll 2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll 2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys 2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll 2008-09-08 20:17 1,159,168 ----a-w c:\windows\system32\op20pt32.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-22 39408] "Skype"="c:\program files\Skype\\Phone\Skype.exe" [2008-02-12 21898024] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-08-14 98304] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-08-14 114688] "Persistence"="c:\windows\system32\igfxpers.exe" [2006-08-14 94208] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-02-01 385024] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048] "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-22 30192] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-22 185872] "SpywareCleaner"="c:\windows\system32\SpywareRemover.exe" [2008-11-26 297697] "High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 c:\windows\system32\CHDAudPropShortcut.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] c:\documents and settings\Michelle\Start Menu\Programs\Startup\ OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MSN Messenger\\livecall.exe"= "c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"= R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-08-10 78416] R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-08-10 20560] S3 GoogleDesktopManager-110408-113106;Google Desktop Manager 5.8.811.4345;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-22 30192] S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-11-22 356920] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F] \Shell\AutoRun\command - F:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2bc1730c-938f-11dd-ac72-001302610412}] \Shell\AutoRun\command - F:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f2ab953-66c1-11dd-ac62-d13e7f2a3693}] \Shell\AutoRun\command - F:\LaunchU3.exe -a . Contents of the 'Scheduled Tasks' folder 2008-08-10 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57] 2008-11-22 c:\windows\Tasks\Norton Security Scan for Michelle.job - c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18] . - - - - ORPHANS REMOVED - - - - HKLM-Run-Framework Windows - frmwrk32.exe . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com.au/ uInternet Settings,ProxyOverride = .local IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 LSP: c:\docume~1\Michelle\LOCALS~1\Temp\ntdll64.dll FireFox -: Profile - c:\documents and settings\Michelle\Application Data\Mozilla\Firefox\Profiles\t196yv3b.default\ FF -: plugin - c:\program files\Google\Google Updater\2.4.1399.3742\npCIDetect13.dll FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll FF -: plugin - c:\program files\Picasa2\npPicasa2.dll . *********************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-07 10:12:27 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . ------------------------ Other Running Processes ------------------------ . c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\program files\Intel\Wireless\Bin\S24EvMon.exe c:\program files\Skype\Phone\Skype.exe c:\program files\Internet Explorer\iexplore.exe c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\program files\RealVNC\VNC4\winvnc4.exe c:\windows\system32\wscntfy.exe c:\program files\iPod\bin\iPodService.exe . ************************************************************************ . Completion time: 2008-12-07 10:14:05 - machine was rebooted ComboFix-quarantined-files.txt 2008-12-06 23:14:02 Pre-Run: 98,259,324,928 bytes free Post-Run: 98,289,446,912 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect 223 --- E O F --- 2008-11-22 04:55:41 HIJACK THIS: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:20:36 AM, on 7/12/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\RealVNC\VNC4\WinVNC4.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SpywareCleaner] C:\WINDOWS\system32\SpywareRemover.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Broken Internet access because of LSP provider 'c:\docume~1\michelle\locals~1\temp\ntdll64.dll' missing O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{68A8056A-AC6D-4907-9CF8-A48B6595F1C7}: NameServer = 220.233.0.3 220.233.0.4 O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- End of file - 8334 bytes