Tech Support Forum > Security Center > HijackThis Log Help
Old 05-16-2008, 12:34 PM   #1 (permalink)
Registered User
 
Join Date: May 2008
Posts: 8
OS: xp


i think i have the virus virtumonde...?

Hey, I have the problem that changes my wallpaper to saying I have a virus, with yellow and blue, and then the beetles crawl all over my desktop. It's also disabled my automatic updates, and every time I set it to automatic it disables it instantly. I ran DSS and this is what it says.


-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 2.00GHz
Percentage of Memory in Use: 65%
Physical Memory (total/avail): 511.48 MiB / 176.93 MiB
Pagefile Memory (total/avail): 1250.03 MiB / 734.95 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1908.64 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.52 GiB total, 33.25 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - ST380023A - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: AVG Anti-Virus Free v8.0 (AVG Technologies)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1124352314\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1124352314\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\WinMX\\WinMX.exe"="C:\\Program Files\\WinMX\\WinMX.exe:*:Disabled:WinMX Application"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Disabled:Yahoo! FT Server"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windows® NetMeeting®"
"C:\\Program Files\\ICQ\\Icq.exe"="C:\\Program Files\\ICQ\\Icq.exe:*:Disabled:ICQ"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Pogo Games\\Sweet Tooth To Go\\WinST.exe"="C:\\Program Files\\Pogo Games\\Sweet Tooth To Go\\WinST.exe:*:Enabled:Sweet Tooth"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1124352314\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1124352314\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\Common Files\\AOL\\1135701649\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1135701649\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1135701649\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1135701649\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\SurfAnonymous\\SurfAnonymous.exe"="C:\\Program Files\\SurfAnonymous\\SurfAnonymous.exe:*:Enabled:SurfAnonymous"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\VINCO\\VOG2\\vogshell.exe"="C:\\Program Files\\VINCO\\VOG2\\vogshell.exe:*:Disabled:VOG Shell"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\RedlightCenter\\RedLightCenter\\Redlightcenter.exe"="C:\\Program Files\\RedlightCenter\\RedLightCenter\\Redlightcenter.exe:*:Enabled:Redlightcenter"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\ShAnE\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SHANEZ
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\ShAnE
LOGONSERVER=\\SHANEZ
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\Program Files\PC Connectivity Solution\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ShAnE\LOCALS~1\Temp
TMP=C:\DOCUME~1\ShAnE\LOCALS~1\Temp
USERDOMAIN=SHANEZ
USERNAME=ShAnE
USERPROFILE=C:\Documents and Settings\ShAnE
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

ShAnE (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> MsiExec.exe /X{E9F81423-211E-46B6-9AE0-38568BC5CF6F}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
1TabView --> C:\WINDOWS\iun503.exe C:\Program Files\Grouppk\1TabView\irunin.ini
Ability Office 2002 --> C:\WINDOWS\UNINST.EXE -fC:\PROGRA~1\ABILIT~1\DeIsL1.isu
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~2\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~2\INSTALL.LOG
Adobe Acrobat eBook Reader --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adobe\Acrobat eBook Reader\Uninst.isu"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Reader 7.0.7 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
Avance AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
CheckerBoard 1.64 --> "C:\Program Files\CheckerBoard\unins000.exe"
Checkers Buddy - Pogo Version 1.10 --> "C:\Program Files\Checkers Buddy Pogo\unins000.exe"
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
Enable S3 for USB Device --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Gigabyte\Enable S3 for USB Device\Uninst.isu"
Full Tilt Poker --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}\setup.exe" -l0x9 -removeonly
Gigabyte Management Tools --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Gigabyte\Gigabyte Management Tools\Uninst.isu" -cC:\WINDOWS\System32\UninstGMT.dll
Google Earth --> MsiExec.exe /I{97C0EA4A-1A0B-4C53-ACEB-49984DA79C90}
Hide Files and Folders v2.2 --> C:\PROGRAM FILES\HIDE FILES AND FOLDERS\HFF.EXE /U
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
InCD --> C:\WINDOWS\NuNInst.exe /UNINSTALL
InterVideo DVDCopy 2 --> "C:\Program Files\InstallShield Installation Information\{96BF9A2A-1835-4DEE-A94F-9EA4F77976BF}\setup.exe" --u:{96BF9A2A-1835-4DEE-A94F-9EA4F77976BF}
InterVideo WinDVD Creator 2 --> "C:\Program Files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe" REMOVEALL
InterVideo WinDVD Recorder 5 --> "C:\Program Files\InstallShield Installation Information\{0B168FED-B9EC-4DA8-AC17-9A41F284640B}\setup.exe" REMOVEALL
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{59C4F14F-7590-45FC-BE9F-A67AB3590709} /l1033
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java 2 Runtime Environment Standard Edition v1.3.1_02 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\JavaSoft\JRE\1.3.1_02\Uninst.isu"
Java Web Start --> "C:\Program Files\Java Web Start\uninst-javaws.exe"
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
LG Internetkit --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{82A26C9D-FB57-475E-88CC-7E44FC20CBE7}\setup.exe" -l0x9 -removeonly
LG PhoneManager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B83245C1-AB8A-40C1-91C0-CEDBDB84255D}\setup.exe" -l0x9 -removeonly
LimeWire Acceleration Patch 1.0 --> "C:\Program Files\LimeWire Acceleration Patch\unins000.exe"
LimeWire PRO 4.16.7 --> "C:\Program Files\LimeWire\uninstall.exe"
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWudf01005$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Microsoft Word 2000 --> MsiExec.exe /I{00170409-78E1-11D2-B60F-006097C998E7}
Mozilla Firefox (1.0.7) --> C:\WINDOWS\UninstallFirefox.exe /ua "1.0.7 (en-US)"
MSN Color Changer 2.0 --> "C:\Program Files\MSN Color Changer\unins000.exe"
MSVC80_x86 --> MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27}
NB1200 ADSL USB Modem --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BEBED42E-0BF4-11D5-928C-0060677630C4}\Setup.exe"
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Netscape (7.1) --> C:\WINDOWS\NSUninst.exe /ua "7.1b1 (en)"
Netscape (7.2) --> C:\WINDOWS\NSUninst.exe /ua "7.2 (en)"
Netscape Browser (remove only) --> "C:\Program Files\Netscape\Netscape Browser\NSUninst.exe"
Nokia Connectivity Cable Driver --> MsiExec.exe /X{4F1DCA42-2030-437C-A94E-736692A499C1}
Nokia PC Suite --> C:\Documents and Settings\All Users\Application Data\Installations\{9C05FA75-0337-4523-AA57-9D3511018887}\Nokia_PC_Suite_rel_6_86_9_3_eng.exe
Nokia PC Suite --> MsiExec.exe /I{9C05FA75-0337-4523-AA57-9D3511018887}
NVIDIA WDM Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B023185F-F1EF-4F97-B0BD-AE6D802226D1}\setup.exe"
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\system32\nvinstnt.dll,NvUninstallNT4 nv4_disp.inf
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PC Connectivity Solution --> MsiExec.exe /I{AC599724-5755-48C1-ABE7-ABB857652930}
PokerStars --> C:\Program Files\PokerStars\Uninstall.EXE /u:"PokerStars"
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
ShortKeys Lite --> C:\PROGRA~1\shortkey\UNWISE.EXE C:\PROGRA~1\shortkey\INSTALL.LOG
SurfAnonymous (Remove Only) --> C:\Program Files\SurfAnonymous\Uninstall.exe
Titan Poker --> "C:\Poker\Titan Poker\_SetupPoker.exe" /uninstall
USB Flash Disk Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{241913C4-453F-4A18-879A-75857C51860D}\Setup.exe" -l0x9
WebVideo Support --> C:\WINDOWS\oadkxrts.exe
Windows Driver Package - 2Wire (2WIREPCP) Net (09/18/2002 1.4.0.5) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\DPInst.exe /u C:\WINDOWS\system32\DRVSTORE\2wirepcp_69FADC00605194186DA779D20303F74BFB7E55F3\2wirepcp.inf
Windows Driver Package - NETGEAR Inc. (RTLWUSB) Net (02/07/2007 5.1283.0207.2007) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\DPInst.exe /u C:\WINDOWS\system32\DRVSTORE\net111v2_7DE4D3AC2A0901C4EA5B41EACC580A28E5A12747\net111v2.inf
Windows Driver Package - Nokia Modem (03/05/2008 3.7) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokia_blue_635B28EFCFA9395123BB1C251595CB16129E2560\nokia_bluetooth.inf
Windows Driver Package - Nokia Modem (03/13/2008 6.86.0.1) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_28F2EAC406838DA65AFF6C6886FE9FE96AEF5186\nokbtmdm.inf
Windows Driver Package - Nokia Modem (08/03/2007 6.84.0.2) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_1EB5F2E6F54A6BEDE9F436D1BA5D830FC71739BE\nokbtmdm.inf
Windows Driver Package - Nokia Modem (10/12/2007 3.6) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokia_blue_0A5D98F754C6588B2E3DDE89DDEF097075ADFFB7\nokia_bluetooth.inf
Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccsmcfd_4A1E30386F4D0DEC8F5DF262CFBD8845EEBAB175\pccsmcfd.inf
Windows Installer Clean Up --> MsiExec.exe /I{121634B0-2F4A-11D3-ADA3-00C04F52DD53}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type23216 / Success
Event Submitted/Written: 05/16/2008 08:36:57 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type23192 / Success
Event Submitted/Written: 05/16/2008 05:36:02 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type23164 / Success
Event Submitted/Written: 05/15/2008 10:04:34 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type23156 / Error
Event Submitted/Written: 05/15/2008 09:49:17 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application YahooMessenger.exe, version 8.1.0.421, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type23155 / Error
Event Submitted/Written: 05/15/2008 09:49:14 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application YahooMessenger.exe, version 8.1.0.421, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type65886 / Error
Event Submitted/Written: 05/16/2008 09:10:29 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type65885 / Error
Event Submitted/Written: 05/16/2008 09:10:16 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type65882 / Error
Event Submitted/Written: 05/16/2008 08:36:50 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type65865 / Error
Event Submitted/Written: 05/16/2008 03:23:10 PM
Event ID/Source: 30009 / ipnathlp
Event Description:
The DHCP allocator encountered a network error while attempting to reply
on IP address 240.49.70.102 to a request from a client.
The data is the error code.

Event Record #/Type65864 / Error
Event Submitted/Written: 05/16/2008 03:23:10 PM
Event ID/Source: 30005 / ipnathlp
Event Description:
The DHCP allocator has detected a DHCP server with IP address 10.0.0.138
on the same network as the interface with IP address 192.168.0.1.
The allocator has disabled itself on the interface in order to avoid
confusing DHCP clients.



-- End of Deckard's System Scanner: finished at 2008-05-16 21:53:01 ------------
stunner07 is offline  
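The System Event Log in that post is the evidence for the symptom described: DCOM event 10005 reports Win32 error %%1058 (ERROR_SERVICE_DISABLED, "the specified service is disabled and cannot be started") each time something tries to start wuauserv, the Automatic Updates service. As an added example (not from the post, not part of DSS), here is a small Python parser for the DSS event-log layout that pulls those start failures out; the sample log is a constructed, cut-down copy of the records above.

```python
"""Parse the event-log section of a Deckard's System Scanner (DSS) extra.txt
and flag services that DCOM could not start because they are disabled."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Win32 error 1058: "The specified service is disabled and cannot be started."
ERROR_SERVICE_DISABLED = 1058

# Constructed sample: four records copied from the extra.txt above, in DSS's
# own layout (one blank line between records, description text after the label).
SAMPLE_LOG = """\
Event Record #/Type65886 / Error
Event Submitted/Written: 05/16/2008 09:10:29 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type65885 / Error
Event Submitted/Written: 05/16/2008 09:10:16 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type65864 / Error
Event Submitted/Written: 05/16/2008 03:23:10 PM
Event ID/Source: 30005 / ipnathlp
Event Description:
The DHCP allocator has detected a DHCP server with IP address 10.0.0.138
on the same network as the interface with IP address 192.168.0.1.

Event Record #/Type23216 / Success
Event Submitted/Written: 05/16/2008 08:36:57 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.
"""

HEADER_RE = re.compile(r"^Event Record #/Type(\d+) / (\w+)$")
ID_SOURCE_RE = re.compile(r"^Event ID/Source: (\d+) / (.+)$")
# DCOM 10005 text: DCOM got error "%%<code>" attempting to start the service <name> ...
START_FAIL_RE = re.compile(r'error "%%(\d+)" attempting to start the service (\S+)')


@dataclass
class Event:
    record: int
    kind: str          # Error / Warning / Success as DSS prints it
    written: str
    event_id: int
    source: str
    description: str


def parse_events(text: str) -> List[Event]:
    """Split a DSS event-log section into records; skip banners and filler lines."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines()]
        head = HEADER_RE.match(lines[0]) if lines else None
        if head is None or len(lines) < 4:
            continue  # e.g. the section banner or "No Errors/Warnings found."
        written = lines[1].split(": ", 1)[1]
        ids = ID_SOURCE_RE.match(lines[2])
        if ids is None:
            continue
        # lines[3] is the literal "Event Description:" label; the text follows it
        description = " ".join(lines[4:])
        events.append(Event(int(head.group(1)), head.group(2), written,
                            int(ids.group(1)), ids.group(2), description))
    return events


def service_start_failures(events: List[Event]) -> Dict[str, Counter]:
    """Map each service DCOM failed to start to the Win32 error codes seen, with counts."""
    failures: Dict[str, Counter] = {}
    for ev in events:
        if ev.source != "DCOM" or ev.event_id != 10005:
            continue
        m = START_FAIL_RE.search(ev.description)
        if m:
            failures.setdefault(m.group(2), Counter())[int(m.group(1))] += 1
    return failures


def updates_service_disabled(events: List[Event]) -> bool:
    """True when Automatic Updates (wuauserv) failed to start because it is disabled."""
    return ERROR_SERVICE_DISABLED in service_start_failures(events).get("wuauserv", {})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(f"{len(evs)} records parsed")
    for svc, codes in service_start_failures(evs).items():
        print(f"DCOM could not start {svc}: {dict(codes)}")
    print("Automatic Updates disabled:", updates_service_disabled(evs))
```

The same parser works on the Application Event Log section, since DSS prints every section in this layout; only the source/ID filter changes.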
Old 05-20-2008, 09:33 AM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 25,395
OS: 2000 Pro; XP Pro; XP Home


Re: i think i have the virus virtumonde...?

Hello and Welcome.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

You've only posted the extra.txt from Deckard's System Scanner. You should also have a log from Panda ActiveScan, and another log from DSS, main.txt

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.
---------------------------------------------------------------------------------------------

Please follow our 5 Step process outlined here:

IMPORTANT - Read This Before Posting For Malware Removal Help

After running through all the steps, you shall have a proper set of logs. Please post them.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006
Our help is voluntary, but this site needs donations to operate.
Please consider Donating to the Forum.


Please do not ask for help via Private Message. Ask in the forums, so all may gain from the experience.
tetonbob is offline  
Old 05-23-2008, 09:51 PM   #3 (permalink)
Registered User
 
Join Date: May 2008
Posts: 8
OS: xp


Re: i think i have the virus virtumonde...?

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-05-24 13:05:36
PROTECTIONS: 1
MALWARE: 28
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG Anti-Virus Free 8.0 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00020302 adware/ncase Adware No 0 Yes No hkey_current_user\software\microsoft\internet explorer\main\search bar_bak
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.casalemedia.com/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.doubleclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.fastclick.net/]
00145470 Cookie/Match TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.promo.match.com/]
00145470 Cookie/Match TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.promo.match.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.tribalfusion.com/]
00152401 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.belnk.com/]
00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.revenue.net/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Mozilla\Profiles\default\rbtg5jqk.slt\cookies.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Mozilla\Profiles\default\rbtg5jqk.slt\cookies.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.com.com/]
00167672 Cookie/DomainSponsor TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.landing.domainsponsor.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.statcounter.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.ad.yieldmanager.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.apmebf.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.burstnet.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.advertising.com/]
00170087 Cookie/Hbmediapro TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.adopt.hbmediapro.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.realmedia.com/]
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.bravenet.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[.go.com/]
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Cookies\shane@searchportal.information[1].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\ShAnE\Application Data\Netscape\NSB\Profiles\391d3ryn.default\cookies.txt[searchportal.information.com/]
01073397 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\ShAnE\My Documents\Pogo\UltraCracker_latest.rar[UltraCracker\ultra_cracker.exe]
01692557 Application/ScanSpyware HackTools No 0 Yes No C:\Program Files\ScanSpyware v3.8.0.4\Scanner.exe.bak
02294441 Spyware/New Spyware No 0 Yes No C:\Documents and Settings\ShAnE\My Documents\SETUPS\ares_galaxy_fasterdownloads.exe
02960973 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\ShAnE\Local Settings\Temporary Internet Files\Content.IE5\4BSFSEM7\setupxv[1].exe
02960973 Generic Malware Virus/Trojan No 0 Yes No C:\RECYCLER\S-1-5-21-1993962763-1035525444-725345543-1004\Dc4.exe
02960973 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{3A42346D-2DA7-4B78-8D7B-7F83920BA16C}\RP803\A0189417.exe
02960973 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{3A42346D-2DA7-4B78-8D7B-7F83920BA16C}\RP805\A0189432.exe
02974418 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{3A42346D-2DA7-4B78-8D7B-7F83920BA16C}\RP794\A0189367.dll
02974420 Adware/WinIFixer Adware No 0 Yes No C:\System Volume Information\_restore{3A42346D-2DA7-4B78-8D7B-7F83920BA16C}\RP794\A0189365.exe
02974499 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{3A42346D-2DA7-4B78-8D7B-7F83920BA16C}\RP794\A0189368.dll
02977740 Generic Trojan Virus/Trojan No 0 Yes No C:\Documents and Settings\ShAnE\My Documents\SETUPS\CheatEngine52.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
126092 MEDIUM MS06-050
;===================================================================================================================================================================================

Deckard's System Scanner v20071014.68
Run by ShAnE on 2008-05-24 13:15:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-24 13:16:09
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HotFixQ0306270.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\PL15Co2K.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ltmsg.exe
C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
C:\WINDOWS\hffext\hffsrv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG8\avgemc.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\InterVideo\DVD5R\SchSvr.exe
C:\Program Files\ErrorSmart\ErrorSmart.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\ShAnE\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.playok.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O2 - BHO: (no name) - {A4DA823C-BB96-476A-A444-4FCC750B6E42} - (no file)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [HI-SPEED USB DEVICE Coinstaller] PL15Co2K.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [hffsrv] c:\windows\hffext\hffsrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [ErrorSmart] C:\Program Files\ErrorSmart\ErrorSmart.exe
O4 - HKLM\..\RunOnce: [ppupdstub] C:\PROGRA~1\COMMON~1\Scanner\PPUPDS~1.EXE "C:\PROGRA~1\COMMON~1\Scanner\ppctl.dll" "C:\DOCUME~1\ShAnE\LOCALS~1\Temp\PPCTLD~1.PPU"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo Scheduler server.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Save F&lash with FlashCapture - res://C:\Program Files\FlashCapture\fciext.dll/FCIEXT.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - (no file)
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe (file missing)
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - res://C:\Program Files\FlashCapture\fciext.dll/FCIEXT.htm (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: https://account01.ea.com (HKCU)
O15 - Trusted Zone: https://www.pogo.com (HKCU)
O15 - Trusted Zone: https://vogclub.com (HKCU)
O15 - Trusted Zone: https://yahoo.com (HKCU)
O16 - DPF: Checkers by pogo () - http://game1.pogo.com/applet-6.8.4.5...kers-en_US.cab
O16 - DPF: Texas Hold'em Poker by pogo () - http://game1.pogo.com/applet-6.8.4.5...ldem-en_US.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://shanezdaman.spaces.msn.com//P...d/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/.../GAME_UNO1.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get...nt/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pmnnlLfD - C:\WINDOWS\system32\pmnnlLfD.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prolific HotFix Q0306270 (PLQ0306270) - Unknown owner - C:\WINDOWS\system32\HotFixQ0306270.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe


--
End of file - 12437 bytes

-- Files created between 2008-04-24 and 2008-05-24 -----------------------------

2008-05-24 08:16:35 0 d-------- C:\WINDOWS\LastGood
2008-05-21 10:08:00 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-21 1023 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-21 1022 0 d-------- C:\Documents and Settings\ShAnE\Application Data\SUPERAntiSpyware.com
2008-05-19 05:04:48 0 d-------- C:\WINDOWS\Prefetch
2008-05-18 21:15:52 0 d-------- C:\WINDOWS\network diagnostic
2008-05-18 21:08:13 1845248 --a------ C:\WINDOWS\system32\win32k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-18 21:08:05 15360 --a------ C:\WINDOWS\system32\asfsipc.dll <Not Verified; Microsoft Corporation; Microsoft (R) DRM>
2008-05-18 20:19:23 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-18 05:23:04 0 d-------- C:\Program Files\ErrorSmart
2008-05-18 03:10:51 0 d-------- C:\Documents and Settings\ShAnE\Application Data\ErrorSmart
2008-05-17 07:40:00 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVGTOOLBAR
2008-05-17 06:20:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-05-17 05:39:18 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-17 05:38:43 0 d-------- C:\Program Files\Spyware Doctor
2008-05-17 05:38:43 0 d-------- C:\Documents and Settings\ShAnE\Application Data\PC Tools
2008-05-16 06:28:51 0 d-------- C:\Program Files\Panda Security
2008-05-15 07:13:16 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-15 04:55:02 0 d--h----- C:\$AVG8.VAULT$
2008-05-15 04:50:49 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-15 04:50:48 0 d-------- C:\Documents and Settings\ShAnE\Application Data\AVGTOOLBAR
2008-05-15 04:50:26 0 d-------- C:\Program Files\AVG
2008-05-15 04:50:25 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-15 02:50:23 344 --ahs---- C:\WINDOWS\system32\Xxwxxyay.ini2
2008-05-15 02:44:56 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>
2008-05-12 04:31:24 0 d-------- C:\Program Files\Common Files\PCSuite
2008-05-12 04:31:23 0 d-------- C:\Program Files\Common Files\Nokia
2008-05-12 04:28:49 0 d-------- C:\Program Files\PC Connectivity Solution
2008-05-06 22:09:58 0 d-------- C:\Documents and Settings\ShAnE\Application Data\Google
2008-05-06 22:09:04 0 d-------- C:\Program Files\Google


-- Find3M Report ---------------------------------------------------------------

2008-05-22 17:48:51 0 d-------- C:\Program Files\Full Tilt Poker
2008-05-22 15:19:17 0 d-------- C:\Program Files\PokerStars
2008-05-21 10:05:47 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-19 04:45:46 0 d-------- C:\Program Files\Windows NT
2008-05-19 04:45:39 0 d-------- C:\Program Files\Movie Maker
2008-05-16 20:39:25 0 d-------- C:\Program Files\Pogo Games
2008-05-16 11:11:56 0 d-------- C:\Documents and Settings\ShAnE\Application Data\Lavasoft
2008-05-16 11:11:45 0 d-------- C:\Program Files\Lavasoft
2008-05-16 06:16:59 0 d-------- C:\Program Files\Viewpoint
2008-05-16 06:11:28 0 d-------- C:\Program Files\Windows Live Toolbar
2008-05-16 01:02:35 0 d-------- C:\Program Files\Cheat Engine
2008-05-15 22:36:21 0 d-------- C:\Program Files\Holdem Indicator
2008-05-15 22:30:26 0 d-------- C:\Program Files\Yahoo!
2008-05-15 22:29:41 0 d-------- C:\Program Files\Common Files
2008-05-15 22:27:22 0 d-------- C:\Program Files\Pogo Auto loader
2008-05-15 05:03:29 0 d-------- C:\Documents and Settings\ShAnE\Application Data\AdobeUM
2008-05-12 04:31:18 0 d-------- C:\Program Files\Nokia
2008-05-08 23:12:28 0 d-------- C:\Documents and Settings\ShAnE\Application Data\Nokia
2008-05-06 00:24:18 0 d-------- C:\Documents and Settings\ShAnE\Application Data\Adobe
2008-04-28 09:00:54 0 d-------- C:\Documents and Settings\ShAnE\Application Data\Real
2008-04-23 1841 0 d-------- C:\Program Files\LimeWire
2008-04-18 10:37:08 0 d-------- C:\Program Files\DIFX
2008-03-28 23:57:12 0 d-------- C:\Program Files\Ability Office 2002


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
05/15/2008 04:50 AM 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A4DA823C-BB96-476A-A444-4FCC750B6E42}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [05/15/2008 04:50 AM 2050816]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HI-SPEED USB DEVICE Coinstaller"="PL15Co2K.exe" [07/10/2003 04:59 PM C:\WINDOWS\PL15Co2K.exe]
"HTpatch"="C:\WINDOWS\htpatch.exe" [10/30/2002 07:10 PM]
"SoundMan"="SOUNDMAN.EXE" [09/11/2002 12:27 PM C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [07/28/2003 02:19 PM]
"nwiz"="nwiz.exe" [07/28/2003 02:19 PM C:\WINDOWS\system32\nwiz.exe]
"AME_CSA"="amecsa.cpl" [09/10/2004 07:25 PM C:\WINDOWS\system32\AmeCSA.cpl]
"LTMSG"="LTMSG.exe" [07/14/2003 10:52 AM C:\WINDOWS\ltmsg.exe]
"FastTVSync"="C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe" [03/11/2004 02:55 AM]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [06/04/2004 09:03 PM]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [06/19/2002 12:05 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"hffsrv"="c:\windows\hffext\hffsrv.exe" [05/04/2005 12:58 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 03:25 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/23/2006 04:45 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/01/2006 04:09 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/13/2007 02:17 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [05/15/2008 04:50 AM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [04/10/2008 03:14 PM]
"ErrorSmart"="C:\Program Files\ErrorSmart\ErrorSmart.exe" [05/18/2008 05:38 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [08/01/2006 03:35 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:26 PM]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [01/19/2007 12:54 PM]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [04/16/2008 12:53 PM]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" [03/26/2008 06:41 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/13/2008 12:43 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"ppupdstub"=C:\PROGRA~1\COMMON~1\Scanner\PPUPDS~1.EXE "C:\PROGRA~1\COMMON~1\Scanner\ppctl.dll" "C:\DOCUME~1\ShAnE\LOCALS~1\Temp\PPCTLD~1.PPU"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/22/2005 1:00:46 PM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
InterVideo Scheduler server.lnk - C:\Program Files\InterVideo\DVD5R\SchSvr.exe [2/16/2005 6:50:48 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/18/1999 5:35:56 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnlLfD]
pmnnlLfD.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\yayxxwxX
"Notification Packages"= scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FDCENT.SYS"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HideFilesAndFolders_S"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\autorun.exe




-- End of Deckard's System Scanner: finished at 2008-05-24 13:21:40 ------------
Old 05-23-2008, 10:18 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 25,395
OS: 2000 Pro; XP Pro; XP Home


Re: i think i have the virus virtumonde...?

ErrorSmart is a rogue application.

http://www.dslreports.com/forum/r200...yware-programs

Also, we do not recommend the use of registry cleaners. Our colleague miekiemoes has an excellent writeup here

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add or Remove Programs) if they exist:

ErrorSmart
WebVideo Support


---------------------------------------------------------------------------------------------

P2P - I see you have P2P software ( Limewire ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here,
here and here.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

---------------------------------------------------------------------------------------------

Please download HijackThis to your desktop

Alternate link

Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

With HijackThis open, click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: (no name) - {A4DA823C-BB96-476A-A444-4FCC750B6E42} - (no file)
O4 - HKLM\..\Run: [ErrorSmart] C:\Program Files\ErrorSmart\ErrorSmart.exe
O20 - Winlogon Notify: pmnnlLfD - C:\WINDOWS\system32\pmnnlLfD.dll (file missing)


It may be helpful to know that when you put an item in your Trusted Zone, it has pretty much full access to your computer... Are you sure you trust this site to that degree?? If you're not sure, and/or you do not need these in your trusted zone to facilitate access, or you did not knowingly permit this access yourself, then please fix the following O15 entries:

O15 - Trusted Zone: https://account01.ea.com (HKCU)
O15 - Trusted Zone: https://www.pogo.com (HKCU)
O15 - Trusted Zone: https://vogclub.com (HKCU)
O15 - Trusted Zone: https://yahoo.com (HKCU)


Close HijackThis now.


---------------------------------------------------------------------------------------------

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery mode if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.



Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.



If you have any questions along the way, STOP and ask them before proceeding.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006
Our help is voluntary, but this site needs donations to operate.
Please consider Donating to the Forum.


Please do not ask for help via Private Message. Ask in the forums, so all may gain from the experience.
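As an added example (not part of this thread or of HijackThis itself), a small Python triage helper that applies the same rules the analyst used above to HijackThis-format lines: entries whose target file is missing ("(no file)" / "(file missing)"), O15 Trusted Zone sites, and O4 autorun entries for an application the thread names as rogue (ErrorSmart). The sample lines are constructed, modelled on the posted log.

```python
import re
from dataclasses import dataclass

# Constructed sample log, modelled on the entries in the posted HijackThis
# output: four entries the analyst flagged plus benign Java and ctfmon lines.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {A4DA823C-BB96-476A-A444-4FCC750B6E42} - (no file)
O4 - HKLM\..\Run: [ErrorSmart] C:\Program Files\ErrorSmart\ErrorSmart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: https://www.pogo.com (HKCU)
O20 - Winlogon Notify: pmnnlLfD - C:\WINDOWS\system32\pmnnlLfD.dll (file missing)
"""

# HijackThis marks an entry whose referenced file no longer exists with one
# of these strings; such orphans are safe to remove and often malware leftovers.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Autorun names treated as rogue. ErrorSmart is the one named in this thread;
# a real deployment would feed this from a maintained list.
ROGUE_RUN_NAMES = {"errorsmart"}

# Every HijackThis line starts with a section tag such as R1, O2, O15, O20.
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_hjt(log_text: str) -> list[Finding]:
    """Return the HijackThis entries an analyst would ask the user to fix."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # process list, headers, blank lines
        sec, body = m.group("sec"), m.group("body")

        # Rule 1: orphaned registration pointing at a file that is gone.
        if any(marker in body for marker in ORPHAN_MARKERS):
            findings.append(Finding(sec, "orphaned entry (target file missing)", line))
            continue

        # Rule 2: sites in the IE Trusted Zone get near-full access; surface
        # each one so the user can decide whether they knowingly added it.
        if sec == "O15":
            findings.append(Finding(sec, "site in Trusted Zone", line))
            continue

        # Rule 3: autorun entry whose [name] matches a known rogue application.
        if sec == "O4":
            name = re.search(r"\[(.+?)\]", body)
            if name and name.group(1).lower() in ROGUE_RUN_NAMES:
                findings.append(Finding(sec, "autorun for known rogue application", line))
    return findings


def fix_list(findings: list[Finding]) -> list[str]:
    """Exact lines to tick under 'Do a System Scan Only' before 'Fix Checked'."""
    return [f.line for f in findings]


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason:<40} {f.line}")
```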
Old 05-24-2008, 05:53 PM   #5 (permalink)
Registered User
 
Join Date: May 2008
Posts: 8
OS: xp


Re: i think i have the virus virtumonde...?

hey thanks tetonbob, but I couldn't find WebVideo Support, but did delete ErrorSmart. Thanks, here's the log from ComboFix.



ComboFix 08-05-21.3 - ShAnE 2008-05-25 9:43:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.212 [GMT 9.5:30]
Running from: C:\Documents and Settings\ShAnE\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\byndfbmj.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\wxwotlga.ini
C:\WINDOWS\system32\Xxwxxyay.ini
C:\WINDOWS\system32\Xxwxxyay.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.

2008-05-25 09:01 . 2008-05-25 09:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-21 10:08 . 2008-05-21 10:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-21 10:06 . 2008-05-21 10:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-21 10:06 . 2008-05-21 10:06 <DIR> d-------- C:\Documents and Settings\ShAnE\Application Data\SUPERAntiSpyware.com
2008-05-18 21:14 . 2007-08-10 20:46 33,656 --a------ C:\WINDOWS\system32\sprecovr.exe
2008-05-18 21:09 . 2002-08-29 21:30 13,463,552 --a------ C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-05-18 20:47 . 2006-12-29 04:31 19,569 --a------ C:\WINDOWS\005782_.tmp
2008-05-18 20:19 . 2008-05-18 20:53 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-18 05:23 . 2008-05-25 09:07 <DIR> d-------- C:\Program Files\ErrorSmart
2008-05-18 03:10 . 2008-05-18 05:37 <DIR> d-------- C:\Documents and Settings\ShAnE\Application Data\ErrorSmart
2008-05-17 07:40 . 2008-05-17 07:41 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVGTOOLBAR
2008-05-17 06:20 . 2008-05-17 06:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-05-17 05:39 . 2008-05-25 09:36 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-17 05:38 . 2008-05-17 06:52 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-17 05:38 . 2008-05-17 05:38 <DIR> d-------- C:\Documents and Settings\ShAnE\Application Data\PC Tools
2008-05-17 05:38 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-17 05:38 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-17 05:38 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-17 05:38 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-16 21:43 . 2008-05-16 21:43 <DIR> d-------- C:\Deckard
2008-05-16 06:28 . 2008-05-16 06:29 <DIR> d-------- C:\Program Files\Panda Security
2008-05-15 07:13 . 2008-05-15 07:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-15 04:55 . 2008-05-20 15:46 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-15 04:51 . 2008-05-15 04:51 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-15 04:51 . 2008-05-15 04:51 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-15 04:50 . 2008-05-24 20:46 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-15 04:50 . 2008-05-15 04:50 <DIR> d-------- C:\Program Files\AVG
2008-05-15 04:50 . 2008-05-17 05:43 <DIR> d-------- C:\Documents and Settings\ShAnE\Application Data\AVGTOOLBAR
2008-05-15 04:50 . 2008-05-15 04:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-15 04:50 . 2008-05-15 04:50 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-15 02:52 . 2008-05-15 07:14 870 ---hs---- C:\WINDOWS\system32\rxqlkqgn.ini
2008-05-15 02:44 . 2008-05-17 05:20 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-05-13 18:10 . 2008-05-13 18:10 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-05-13 18:10 . 2008-05-13 18:10 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-05-12 04:31 . 2008-05-12 04:31 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-05-12 04:31 . 2008-05-12 04:31 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-05-12 04:29 . 2007-09-17 15:53 21,632 --a------ C:\WINDOWS\system32\drivers\pccsmcfd.sys
2008-05-12 04:28 . 2008-05-12 04:28 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-05-12 04:27 . 2007-11-29 10:33 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-05-12 04:27 . 2007-11-29 10:39 95,744 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-05-12 04:27 . 2007-11-29 10:39 19,328 --a------ C:\WINDOWS\system32\drivers\ccdcmbo.sys
2008-05-12 04:27 . 2007-11-29 10:39 16,896 --a------ C:\WINDOWS\system32\drivers\ccdcmb.sys
2008-05-12 04:27 . 2007-11-29 10:39 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys
2008-05-12 04:27 . 2007-11-29 10:39 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerflt.sys
2008-05-06 22:09 . 2008-05-06 22:09 <DIR> d-------- C:\Program Files\Google
2008-05-05 14:43 . 2008-05-16 03:19 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-05 14:43 . 2008-05-05 14:43 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-29 22:25 . 2007-12-20 00:13 68,672 -ra------ C:\WINDOWS\system32\drivers\2WirePCP.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 08:18 --------- d-----w C:\Program Files\Full Tilt Poker
2008-05-22 05:49 --------- d-----w C:\Program Files\PokerStars
2008-05-21 00:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-16 11:09 --------- d-----w C:\Program Files\Pogo Games
2008-05-16 01:41 --------- d-----w C:\Program Files\Lavasoft
2008-05-16 01:41 --------- d-----w C:\Documents and Settings\ShAnE\Application Data\Lavasoft
2008-05-15 20:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-15 20:46 --------- d-----w C:\Program Files\Viewpoint
2008-05-15 20:41 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-05-15 15:32 --------- d-----w C:\Program Files\Cheat Engine
2008-05-15 13:06 --------- d-----w C:\Program Files\Holdem Indicator
2008-05-15 13:00 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2008-05-15 13:00 --------- d-----w C:\Program Files\Yahoo!
2008-05-15 12:57 --------- d-----w C:\Program Files\Pogo Auto loader
2008-05-14 19:33 --------- d-----w C:\Documents and Settings\ShAnE\Application Data\AdobeUM
2008-05-11 19:01 --------- d-----w C:\Program Files\Nokia
2008-05-11 18:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-05-08 13:42 --------- d-----w C:\Documents and Settings\ShAnE\Application Data\Nokia
2008-04-23 08:36 --------- d-----w C:\Program Files\LimeWire
2008-04-18 01:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Emotum
2008-04-18 01:07 --------- d-----w C:\Program Files\DIFX
2008-04-18 01:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-28 14:27 --------- d-----w C:\Program Files\Ability Office 2002
2006-04-08 10:25 917,788 ----a-w C:\Documents and Settings\ShAnE\HandRankings2.Dat
2006-04-08 10:25 11,156 ----a-w C:\Documents and Settings\ShAnE\Cards.Dat
2005-11-05 06:18 613,728 ----a-w C:\Documents and Settings\ShAnE\ShotIndex.Dat
2005-01-22 06:04 457 ----a-w C:\Program Files\INSTALL.LOG
2004-12-18 18:14 4 ----a-w C:\Documents and Settings\ShAnE\game.dat
2005-09-15 13:36 80 --sh--r C:\WINDOWS\system32\C2D80706A3.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-05-15 04:50 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-05-15 04:50 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Inte