Tech Support Forum > Security Center > HijackThis Log Help
Old 06-30-2008, 01:02 PM   #1 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 6
OS: XP SP3


[SOLVED] Virtumonde.dll – Spybot alarm.

Ran a McAfee full scan, including heuristic scanning, as a weekly routine and found nothing. Ran Spybot, which found Virtumonde.dll; Spybot tried to remove it but it keeps coming back.
IE7 “Add-ons” has a dll that appears to be part of Virtumonde. The Privacy tab in IE7 Internet Options is set to “Accept all cookies” even though I keep changing it to High.
When I open a Windows folder it closes after 10-15 seconds; the desktop refreshes but the folder stays closed. The desktop originally refreshed every 10-15 seconds until I set my IE7 zones to Medium-High and ran Spybot Search and Destroy.
Last month I had a Vundo problem, which I cleared using Vundo-Fix.
Ran Panda Online Scanning - see attached file.
Followed the 5 steps prior to posting.
Thanks in advance for any help you can give.

When I ran DSS it did not produce an extra.txt file, so I was unable to upload it.

Deckard's System Scanner v20071014.68
Run by John Mcardle on 2008-06-30 19:55:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as John Mcardle.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:56:21, on 30/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JOHNMC~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skyuser.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20E59CA2-78B0-4431-BFD0-D8B5ADFC0056} - C:\WINDOWS\system32\geBtQgDt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: (no name) - {4605CE6E-9D6F-4A8D-B71D-344CE51BD284} - C:\WINDOWS\system32\pmnnKDuS.dll (file missing)
O2 - BHO: (no name) - {52A9F000-1AEE-4EBF-895D-E8FFA6C08941} - C:\WINDOWS\system32\iifcDtSM.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {913E59E0-2054-499A-9DF0-8ACF84E98AA7} - C:\WINDOWS\system32\efcARheb.dll (file missing)
O2 - BHO: (no name) - {BE56BC2C-0FE6-455A-89B8-7CC2BBE9841E} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1209060590867
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/bingame/zpagames...o.cab55579.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames...1.cab60096.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD42/JSCDL/...ws-i586-jc.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames...p.cab56961.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: geBtQgDt - C:\WINDOWS\SYSTEM32\geBtQgDt.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 10553 bytes

-- Files created between 2008-05-30 and 2008-06-30 -----------------------------

2008-06-30 19:13:28 0 d-------- C:\Program Files\Trend Micro
2008-06-29 21:03:50 0 d-------- C:\ie-spyad_zo
2008-06-29 20:53:56 0 d-------- C:\Program Files\SpywareBlaster
2008-06-29 20:26:47 0 d-------- C:\Program Files\Panda Security
2008-06-28 22:35:12 564043 --ahs---- C:\WINDOWS\system32\MStDcfii.ini2
2008-06-28 22:35:07 319488 --a------ C:\WINDOWS\system32\iifcDtSM.dll
2008-06-26 21:56:05 0 d-------- C:\WINDOWS\system32\dxdll
2008-06-26 21:56:03 25088 --a------ C:\WINDOWS\system32\geBtQgDt.dll
2008-06-26 21:55:48 0 d-------- C:\WinRAR Pro 7.0
2008-06-26 20:48:29 0 d-------- C:\Program Files\Flagship Studios
2008-06-22 11:42:55 0 d-------- C:\sniper
2008-06-21 21:04:40 0 d-------- C:\Program Files\SEGA
2008-06-21 11:30:38 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\ATI
2008-06-20 20:37:02 0 d-------- C:\WINDOWS\A6W_DATA
2008-06-19 18:20:26 0 d-------- C:\Program Files\IVT Corporation
2008-06-19 18:19:46 0 d-------- C:\bluesoleil
2008-06-19 17:03:29 0 --a------ C:\WINDOWS\system32\0
2008-06-19 17:03:29 32 --a------ C:\WINDOWS\0
2008-06-08 20:45:51 0 d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-06-06 13:54:28 0 d-------- C:\IVT_BlueSoleil_6.0.227.0_for_32bit_OS
2008-06-03 19:52:18 31232 --a------ C:\WINDOWS\system32\Lfpct10n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-06-03 19:52:18 25600 --a------ C:\WINDOWS\system32\Lfmac10n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-06-03 19:52:18 27136 --a------ C:\WINDOWS\system32\Lfimg10n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-06-03 19:52:18 240640 --a------ C:\WINDOWS\system32\Lfdic10n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-06-03 19:52:18 27136 --a------ C:\WINDOWS\system32\Lfcal10n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-06-03 19:52:17 117760 --a------ C:\WINDOWS\system32\Ltimg10n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-06-03 19:52:17 228864 --a------ C:\WINDOWS\system32\Ltdis10n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-06-03 19:52:17 28160 --a------ C:\WINDOWS\system32\Lfwmf10n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-06-03 19:52:17 33280 --a------ C:\WINDOWS\system32\Lfpcx10n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-06-03 19:52:17 31232 --a------ C:\WINDOWS\system32\Lflmb10n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-06-03 19:52:17 35840 --a------ C:\WINDOWS\system32\Lflma10n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-06-03 19:52:16 81946 --a------ C:\WINDOWS\system32\Vb5ko.dll <Not Verified; Microsoft Corporation; Visual Basic Environment>
2008-06-03 19:52:16 600576 --a------ C:\WINDOWS\system32\Ltwrp10n.dll <Not Verified; LEAD Technologies, Inc.; LEAD Technologies, Inc. ltwrp10n>
2008-06-03 19:52:16 297472 --a------ C:\WINDOWS\system32\Ltkrn10n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-06-03 19:52:16 103424 --a------ C:\WINDOWS\system32\Ltfil10n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-06-03 19:52:16 122368 --a------ C:\WINDOWS\system32\Lftif10n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-06-03 19:52:16 77824 --a------ C:\WINDOWS\system32\Lffax10n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-06-03 19:52:16 266752 --a------ C:\WINDOWS\system32\Lfcmp10n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-06-03 19:52:16 34304 --a------ C:\WINDOWS\system32\Lfbmp10n.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS® DLL for Win32>
2008-06-03 19:52:16 996872 --a------ C:\WINDOWS\system32\Cp3240mt.dll <Not Verified; Borland International; Borland C++ Builder 3.0>
2008-06-03 19:52:13 172032 --a------ C:\WINDOWS\system32\SpotSaver.scr <Not Verified; BearPaw; BearPaw ScreenSaver>
2008-06-03 19:52:13 176128 --a------ C:\WINDOWS\system32\PuzzSaver.scr <Not Verified; BearPaw; BearPaw ScreenSaver>
2008-06-03 19:52:13 135168 --a------ C:\WINDOWS\system32\ParaSaver.scr <Not Verified; ; ScreenSaver Application>
2008-06-02 20:59:51 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SSScanAppDataDir
2008-06-02 20:59:31 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\MSScanAppDataDir
2008-06-02 19:28:22 0 d-------- C:\cmdcons
2008-06-02 17:19:40 0 d--h----- C:\Documents and Settings\Administrator.JOHNMCARDLE\Templates
2008-06-02 17:19:40 0 dr------- C:\Documents and Settings\Administrator.JOHNMCARDLE\Start Menu
2008-06-02 17:19:40 0 dr-h----- C:\Documents and Settings\Administrator.JOHNMCARDLE\SendTo
2008-06-02 17:19:40 0 d--h----- C:\Documents and Settings\Administrator.JOHNMCARDLE\Recent
2008-06-02 17:19:40 0 d--h----- C:\Documents and Settings\Administrator.JOHNMCARDLE\PrintHood
2008-06-02 17:19:40 0 d--h----- C:\Documents and Settings\Administrator.JOHNMCARDLE\NetHood
2008-06-02 17:19:40 0 d-------- C:\Documents and Settings\Administrator.JOHNMCARDLE\My Documents
2008-06-02 17:19:40 0 d--h----- C:\Documents and Settings\Administrator.JOHNMCARDLE\Local Settings
2008-06-02 17:19:40 0 d-------- C:\Documents and Settings\Administrator.JOHNMCARDLE\Favorites
2008-06-02 17:19:40 0 d-------- C:\Documents and Settings\Administrator.JOHNMCARDLE\Desktop
2008-06-02 17:19:40 0 d--hs---- C:\Documents and Settings\Administrator.JOHNMCARDLE\Cookies
2008-06-02 17:19:40 0 dr-h----- C:\Documents and Settings\Administrator.JOHNMCARDLE\Application Data
2008-06-02 17:19:40 0 d---s---- C:\Documents and Settings\Administrator.JOHNMCARDLE\Application Data\Microsoft
2008-06-02 17:19:39 2097152 --ah----- C:\Documents and Settings\Administrator.JOHNMCARDLE\NTUSER.DAT
2008-06-02 16:23:29 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-06-01 22:01:42 0 d-------- C:\Program Files\Common Files\Java
2008-06-01 20:15:04 0 d-------- C:\WINDOWS\LEGO Chic Boutique
2008-05-31 00:22:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-31 00:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-31 00:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-31 00:22:46 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-31 00:22:46 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>


-- Find3M Report ---------------------------------------------------------------

2008-06-30 16:54:20 0 d-------- C:\Program Files\McAfee
2008-06-29 19:08:11 0 d-------- C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\BitTorrent
2008-06-29 11:33:41 0 d-------- C:\Program Files\BitTorrent
2008-06-27 18:45:01 0 d-------- C:\Program Files\TuneUp Utilities 2008
2008-06-27 14:30:24 0 d-------- C:\Program Files\RegistrySmart
2008-06-23 19:19:24 0 d-------- C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\DivX
2008-06-21 15:37:02 0 d-------- C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\GetRight Pro
2008-06-21 15:29:06 0 d-------- C:\Program Files\GetRight
2008-06-21 11:27:26 0 d-------- C:\Program Files\ATI Technologies
2008-06-21 10:57:54 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-13 18:31:20 0 d-------- C:\Program Files\SopCast
2008-06-13 18:25:40 0 d-------- C:\Program Files\TVAnts
2008-06-08 13:11:13 0 d-------- C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\Vso
2008-06-07 17:36:27 0 d-------- C:\Program Files\DivX
2008-06-02 21:05:00 593920 --a------ C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-06-01 22:02:41 0 d-------- C:\Program Files\Java
2008-06-01 22:01:42 0 d-------- C:\Program Files\Common Files
2008-05-30 16:34:47 0 d-------- C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\McAfee
2008-05-28 18:18:07 0 d-------- C:\Program Files\Avery
2008-05-22 23:22:18 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 23:19:46 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-22 23:19:46 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-22 23:18:54 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-19 15:33:10 0 d-------- C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\MSN6
2008-05-18 17:53:20 0 d-------- C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\iWin
2008-05-16 20:17:01 2337865 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-05-16 20:04:15 0 d-------- C:\Program Files\Ubisoft
2008-05-12 19:39:56 0 d-------- C:\Program Files\Windows Live
2008-05-12 19:38:13 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-08 19:41:36 0 d-------- C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\Google
2008-05-08 19:38:59 0 d-------- C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\Adobe
2008-05-08 19:38:28 0 d-------- C:\Program Files\Google
2008-05-07 20:36:43 0 d-------- C:\Program Files\Messenger
2008-05-07 20:36:26 0 d-------- C:\Program Files\Movie Maker
2008-05-07 20:33:21 0 d-------- C:\Program Files\Windows NT
2008-05-05 21:53:43 0 d-------- C:\Program Files\Creative Labs
2008-05-05 21:46:57 0 d-------- C:\Program Files\MagicDisc
2008-05-05 17:16:17 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2008-05-05 17:07:45 0 d-------- C:\Program Files\Sierra
2008-05-05 11:27:45 34 --a------ C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\pcouffin.log
2008-05-05 11:27:39 47360 --a------ C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-05-05 11:27:39 1144 --a------ C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\pcouffin.inf
2008-05-05 11:27:39 7887 --a------ C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\pcouffin.cat
2008-05-05 11:27:34 0 d-------- C:\Program Files\DVDFab 5
2008-05-04 12:58:49 0 d-------- C:\Program Files\DVD Shrink
2008-05-01 21:44:34 0 d-------- C:\Program Files\Apple Software Update
2008-04-30 20:26:50 0 d-------- C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\Corel
2008-04-30 20:24:31 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-30 19:45:37 0 d-------- C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\Apple Computer
2008-04-29 19:45:54 204812 --a------ C:\WINDOWS\Win32install.exe <Not Verified; Collapp; Project1>
2008-04-29 19:45:54 338944 --a------ C:\WINDOWS\Activator.exe
2008-04-24 22:16:11 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-04-24 22:04:07 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-04-24 1922 62 --ahs---- C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\desktop.ini
2008-04-24 18:14:28 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-21 22:21:12 485 --a------ C:\Program Files\Shortcut to McAfee.com.lnk
2008-04-19 11:51:15 2 --a------ C:\-1263336681
2008-04-09 20:44:32 0 --a------ C:\enjoy


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20E59CA2-78B0-4431-BFD0-D8B5ADFC0056}]
26/06/2008 21:56 25088 --a------ C:\WINDOWS\system32\geBtQgDt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
26/11/2007 10:46 324936 --a------ c:\PROGRA~1\mcafee\msk\mcapbho.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4605CE6E-9D6F-4A8D-B71D-344CE51BD284}]
C:\WINDOWS\system32\pmnnKDuS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52A9F000-1AEE-4EBF-895D-E8FFA6C08941}]
28/06/2008 22:35 319488 --a------ C:\WINDOWS\system32\iifcDtSM.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{913E59E0-2054-499A-9DF0-8ACF84E98AA7}]
C:\WINDOWS\system32\efcARheb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE56BC2C-0FE6-455A-89B8-7CC2BBE9841E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [01/11/2007 19:12]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [08/01/2007 11:22]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [21/01/2008 12:17]
"RTHDCPL"="RTHDCPL.EXE" [10/05/2007 10:08 C:\WINDOWS\RTHDCPL.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [14/04/2008 01:12]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{20E59CA2-78B0-4431-BFD0-D8B5ADFC0056}"= C:\WINDOWS\system32\geBtQgDt.dll [26/06/2008 21:56 25088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtQgDt]
geBtQgDt.dll 26/06/2008 21:56 25088 C:\WINDOWS\system32\geBtQgDt.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\iifcDtSM

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^John Mcardle.JOHNMCARDLE^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BBC Alerts]
"C:\Program Files\BBC Alerts\BBC_Alerts.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
"C:\Program Files\DNA\btdna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BtTray]
"C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
"C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C62 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Express]
websploit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistrySmart]
C:\Program Files\RegistrySmart\RegistrySmart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
"C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_15\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Microsoft Office Groove Audit Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"=ALCMTR.EXE
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"Microsoft Windows Express"=websploit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-06-30 19:58:06 ------------
tigerfish is offline  
Old 06-30-2008, 05:10 PM   #2 (permalink)
Analyst, Security Team
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro


Re: Virtumonde.dll – Spybot alarm.

Welcome to TSF.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist, and hit 'Fix Checked' after you have checked the last one:

O2 - BHO: (no name) - {20E59CA2-78B0-4431-BFD0-D8B5ADFC0056} - C:\WINDOWS\system32\geBtQgDt.dll
O2 - BHO: (no name) - {4605CE6E-9D6F-4A8D-B71D-344CE51BD284} - C:\WINDOWS\system32\pmnnKDuS.dll (file missing)
O2 - BHO: (no name) - {52A9F000-1AEE-4EBF-895D-E8FFA6C08941} - C:\WINDOWS\system32\iifcDtSM.dll
O2 - BHO: (no name) - {913E59E0-2054-499A-9DF0-8ACF84E98AA7} - C:\WINDOWS\system32\efcARheb.dll (file missing)
O2 - BHO: (no name) - {BE56BC2C-0FE6-455A-89B8-7CC2BBE9841E} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O20 - Winlogon Notify: geBtQgDt - C:\WINDOWS\SYSTEM32\geBtQgDt.dll


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\iifcDtSM.dll
C:\WINDOWS\SYSTEM32\geBtQgDt.dll


Go to http://www.bleepingcomputer.com/comb...o-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  
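As an added example, not part of greyknight17's reply and not code from HijackThis itself: a small Python checker that applies the same tells used to pick out the entries above. It flags a BHO or toolbar listed as "(no name)", an eight-letter mixed-case DLL under system32, a CLSID whose file is already gone, and a Winlogon Notify entry that points at the same DLL as a BHO (the same DLL loaded two ways is what makes the file come back after a Spybot fix). The sample input is the seven lines quoted above plus one constructed benign entry with a placeholder CLSID; the `Entry` class and the function names are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: the HijackThis O2/O3/O20 lines quoted in the reply above,
# plus one benign-looking control entry with a placeholder CLSID (not from the page).
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {20E59CA2-78B0-4431-BFD0-D8B5ADFC0056} - C:\WINDOWS\system32\geBtQgDt.dll
O2 - BHO: (no name) - {4605CE6E-9D6F-4A8D-B71D-344CE51BD284} - C:\WINDOWS\system32\pmnnKDuS.dll (file missing)
O2 - BHO: (no name) - {52A9F000-1AEE-4EBF-895D-E8FFA6C08941} - C:\WINDOWS\system32\iifcDtSM.dll
O2 - BHO: (no name) - {913E59E0-2054-499A-9DF0-8ACF84E98AA7} - C:\WINDOWS\system32\efcARheb.dll (file missing)
O2 - BHO: (no name) - {BE56BC2C-0FE6-455A-89B8-7CC2BBE9841E} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O20 - Winlogon Notify: geBtQgDt - C:\WINDOWS\SYSTEM32\geBtQgDt.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
"""

# One pattern for the three entry types; the CLSID group is absent on O20 lines.
LINE_RE = re.compile(
    r"^(?P<kind>O2|O3|O20) - (?:BHO|Toolbar|Winlogon Notify): "
    r"(?P<name>.+?) - (?:(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - )?(?P<rest>.+)$"
)
RANDOM_DLL_RE = re.compile(r"^[A-Za-z]{8}\.dll$")


@dataclass
class Entry:
    kind: str                  # O2 (BHO), O3 (toolbar) or O20 (Winlogon Notify)
    name: str
    clsid: str | None
    path: str | None           # None when HijackThis prints "(no file)"
    missing: bool              # "(file missing)" or "(no file)"
    reasons: list[str] = field(default_factory=list)


def looks_random(basename: str) -> bool:
    """Eight letters, no digits, mixed case: the shape of every DLL name flagged above."""
    if not RANDOM_DLL_RE.match(basename):
        return False
    stem = basename[:-4]
    return stem != stem.lower() and stem != stem.upper()


def parse_entry(line: str) -> Entry | None:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    missing = rest == "(no file)" or rest.endswith("(file missing)")
    path = None if rest == "(no file)" else rest.replace(" (file missing)", "")
    return Entry(m.group("kind"), m.group("name"), m.group("clsid"), path, missing)


def flag_entries(log_text: str) -> list[Entry]:
    """Return the entries that match at least one tell, with the reasons filled in."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    bho_paths = {e.path.lower() for e in entries if e.kind in ("O2", "O3") and e.path}
    for e in entries:
        base = e.path.rsplit("\\", 1)[-1] if e.path else ""
        in_system32 = bool(e.path) and "\\system32\\" in e.path.lower()
        if e.kind in ("O2", "O3"):
            if e.name == "(no name)" and e.missing:
                e.reasons.append("nameless CLSID whose file is gone (orphan)")
            if e.name == "(no name)" and in_system32 and looks_random(base):
                e.reasons.append("nameless entry backed by a randomly named DLL in system32")
        elif e.kind == "O20":
            if e.path and e.path.lower() in bho_paths:
                e.reasons.append("Winlogon Notify DLL is also registered as a BHO")
            elif in_system32 and looks_random(base):
                e.reasons.append("Winlogon Notify backed by a randomly named DLL")
    return [e for e in entries if e.reasons]


if __name__ == "__main__":
    for e in flag_entries(SAMPLE_HJT):
        print(f"{e.kind:<4}{e.name:<10}{e.path or '(no file)'}: {'; '.join(e.reasons)}")
```

Run it on a saved HijackThis log by passing the file contents to `flag_entries`; the control entry comes back clean because a named BHO in a vendor directory trips none of the tells, while the O20 line is reported for sharing its DLL with an O2 entry.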
Old 07-01-2008, 11:10 AM   #3 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 6
OS: XP SP3


Re: Virtumonde.dll – Spybot alarm.

Greyknight17,

Thanks for the quick response. Followed the instructions, see below.

ComboFix 08-06-30.2 - John Mcardle 2008-07-01 17:34:00.11 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1479 [GMT 1:00]
Running from: C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\geBtQgDt.dll
C:\WINDOWS\system32\iifcDtSM.dll
C:\WINDOWS\system32\MStDcfii.ini
C:\WINDOWS\system32\MStDcfii.ini2

.
((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2008-06-30 20:14 . 2008-06-30 20:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-30 19:55 . 2008-06-30 19:55 <DIR> d-------- C:\Deckard
2008-06-30 18:49 . 2008-06-30 18:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-30 18:49 . 2008-06-30 18:49 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-29 21:03 . 2008-06-29 21:03 <DIR> d-------- C:\ie-spyad_zo
2008-06-29 20:53 . 2008-06-29 20:55 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-29 20:26 . 2008-06-29 20:27 <DIR> d-------- C:\Program Files\Panda Security
2008-06-27 18:44 . 2008-06-27 18:44 355,584 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-06-27 18:44 . 2008-05-29 09:28 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-06-26 21:56 . 2008-06-26 21:56 <DIR> d-------- C:\WINDOWS\system32\dxdll
2008-06-26 21:55 . 2008-06-26 21:55 <DIR> d-------- C:\WinRAR Pro 7.0
2008-06-26 20:48 . 2008-06-26 21:58 <DIR> d-------- C:\Program Files\Flagship Studios
2008-06-22 11:42 . 2008-06-22 11:44 <DIR> d-------- C:\sniper
2008-06-21 21:04 . 2008-06-21 21:04 <DIR> d-------- C:\Program Files\SEGA
2008-06-21 11:30 . 2008-06-21 11:30 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\ATI
2008-06-20 21:34 . 2008-06-20 21:34 30,160 --a------ C:\WINDOWS\Run32A60.mch
2008-06-20 20:37 . 2008-06-20 20:37 <DIR> d-------- C:\WINDOWS\A6W_DATA
2008-06-20 20:37 . 2008-06-20 20:37 35 --a------ C:\WINDOWS\A6W.INI
2008-06-19 18:26 . 2008-06-21 11:02 2,408 --a------ C:\WINDOWS\system32\SHORTCUT.INI
2008-06-19 18:25 . 2008-06-21 11:04 232 --a------ C:\WINDOWS\system32\REMOTEDEVICE.INI
2008-06-19 18:24 . 2008-06-21 11:13 4,334 --a------ C:\WINDOWS\system32\LOCALSERVICE.INI
2008-06-19 18:24 . 2008-06-21 11:00 103 --a------ C:\WINDOWS\system32\LOCALDEVICE.INI
2008-06-19 18:20 . 2008-06-19 18:20 <DIR> d-------- C:\Program Files\IVT Corporation
2008-06-19 18:20 . 2008-06-19 18:20 0 --a------ C:\WINDOWS\system32\BSPRINT.INI
2008-06-19 18:19 . 2008-06-19 18:19 <DIR> d-------- C:\bluesoleil
2008-06-19 17:10 . 2008-06-19 17:10 50 --a------ C:\im.ini
2008-06-19 17:03 . 2008-06-19 18:20 32 --a------ C:\WINDOWS\0
2008-06-19 17:03 . 2008-06-19 17:03 0 --a------ C:\WINDOWS\system32\0
2008-06-11 21:16 . 2008-06-11 21:17 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-06-11 17:18 . 2008-06-13 12:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 17:18 . 2008-05-08 15:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-08 20:45 . 2008-06-08 20:45 <DIR> d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-06-06 13:54 . 2008-06-19 17:02 <DIR> d-------- C:\IVT_BlueSoleil_6.0.227.0_for_32bit_OS
2008-06-03 03:28 . 2008-06-03 03:28 23,040 --a------ C:\WINDOWS\system32\atiadlxx.dll
2008-06-02 21:34 . 2008-06-02 21:34 0 --a------ C:\WINDOWS\WATCH.INI
2008-06-02 20:59 . 2008-06-02 20:59 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SSScanAppDataDir
2008-06-02 20:59 . 2008-06-02 20:59 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\MSScanAppDataDir
2008-06-02 20:58 . 2006-10-26 19:58 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2008-06-02 20:12 . 2002-07-26 02:28 8,065 --a------ C:\WINDOWS\system32\drivers\A2Dfw.usb
2008-06-02 17:19 . 2008-06-27 18:47 <DIR> d-------- C:\Documents and Settings\Administrator.JOHNMCARDLE
2008-06-02 16:23 . 2008-06-02 16:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-02 16:23 . 2008-06-02 17:08 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-06-01 22:02 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-01 22:01 . 2008-06-01 22:01 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-01 20:15 . 2008-06-01 21:29 <DIR> d-------- C:\WINDOWS\LEGO Chic Boutique

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 16:19 --------- d-----w C:\Program Files\McAfee
2008-06-30 21:18 --------- d-----w C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\BitTorrent
2008-06-30 19:51 138,408 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-06-29 10:33 --------- d-----w C:\Program Files\BitTorrent
2008-06-27 17:45 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-06-27 13:30 --------- d-----w C:\Program Files\RegistrySmart
2008-06-26 19:18 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\WinZip
2008-06-23 18:19 --------- d-----w C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\DivX
2008-06-21 14:37 --------- d-----w C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\GetRight Pro
2008-06-21 14:29 --------- d-----w C:\Program Files\GetRight
2008-06-21 10:27 --------- d-----w C:\Program Files\ATI Technologies
2008-06-21 09:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-13 17:31 --------- d-----w C:\Program Files\SopCast
2008-06-13 17:25 --------- d-----w C:\Program Files\TVAnts
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 19:32 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-06-08 12:11 --------- d-----w C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\Vso
2008-06-07 16:36 --------- d-----w C:\Program Files\DivX
2008-06-03 06:20 3,100,160 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-06-03 02:27 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-06-01 21:02 --------- d-----w C:\Program Files\Java
2008-05-30 15:35 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee
2008-05-30 15:34 --------- d-----w C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\McAfee
2008-05-28 17:18 --------- d-----w C:\Program Files\Avery
2008-05-22 22:22 9,464 ----a-w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-05-22 22:22 9,336 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-05-22 22:22 43,528 ----a-w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-05-22 19:13 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Zylom
2008-05-19 14:33 --------- d-----w C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\MSN6
2008-05-19 14:32 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\MSN6
2008-05-18 16:53 --------- d-----w C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\iWin
2008-05-16 19:18 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Ubisoft
2008-05-16 19:17 22,328 ----a-w C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\PnkBstrK.sys
2008-05-16 19:04 --------- d-----w C:\Program Files\Ubisoft
2008-05-12 18:39 --------- d-----w C:\Program Files\Windows Live
2008-05-12 18:38 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-12 18:35 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
2008-05-08 18:38 --------- d-----w C:\Program Files\Google
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-05 20:53 --------- d-----w C:\Program Files\Creative Labs
2008-05-05 20:46 --------- d-----w C:\Program Files\MagicDisc
2008-05-05 16:07 --------- d-----w C:\Program Files\Sierra
2008-05-05 10:27 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-05 10:27 47,360 ----a-w C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\pcouffin.sys
2008-05-05 10:27 --------- d-----w C:\Program Files\DVDFab 5
2008-05-04 12:00 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\DVD Shrink
2008-05-04 11:58 --------- d-----w C:\Program Files\DVD Shrink
2008-05-01 20:44 --------- d-----w C:\Program Files\Apple Software Update
2008-04-29 18:45 338,944 ----a-w C:\WINDOWS\Activator.exe
2008-04-29 18:45 204,812 ----a-w C:\WINDOWS\Win32install.exe
2008-04-29 18:31 13,288,968 ----a-w C:\WINDOWS\RealPlayer11GOLD.exe
2008-04-25 13:37 15,600 ----a-w C:\WINDOWS\gdrv.sys
2008-04-24 21:16 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-22 20:59 22,328 ----a-w C:\Documents and Settings\John McArdle.ME-8FVBHESE4MIC\Application Data\PnkBstrK.sys
2008-04-21 21:21 485 ----a-w C:\Program Files\Shortcut to McAfee.com.lnk
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 00:11 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 00:11 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 00:11 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 00:11 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 00:11 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
2008-03-30 19:37 22,328 ----a-w C:\Documents and Settings\John McArdle\Application Data\PnkBstrK.sys
2008-02-17 11:35 47,360 ----a-w C:\Documents and Settings\John McArdle\Application Data\pcouffin.sys
2007-06-13 10:23 204,812 --sha-r C:\WINDOWS\system32\websploit.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 10:08 16342528 C:\WINDOWS\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 01:12 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^John Mcardle.JOHNMCARDLE^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-04-24 20:57 288576 C:\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BtTray]
--a------ 2007-09-10 11:08 258134 C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2007-08-28 13:00 531272 C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C62 Series]
--a------ 2002-04-10 03:00 74240 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S0BIC1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 01:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2008-02-28 17:07 1828136 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-02-17 07:15 221184 c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-17 07:15 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2008-02-18 16:29 2221352 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2008-02-28 09:59 570664 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-01-21 12:17 61440 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-29 19:33 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Express]
-rahs---- 2007-06-13 11:23 204812 C:\WINDOWS\system32\websploit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Microsoft Office Groove Audit Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"=ALCMTR.EXE
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"Microsoft Windows Express"=websploit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"=
"C:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=
"C:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Sierra\\FEAR\\fpupdate.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleilCS.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

R0 BtHidBus;Bluetooth HID Bus Service;C:\WINDOWS\system32\Drivers\BtHidBus.sys [2008-01-21 19:28]
R2 BlueSoleilCS;BlueSoleilCS;C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe [2008-02-14 17:59]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-14 01:12]
R3 BsHelpCS;BsHelpCS;C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe [2007-08-17 15:58]
S3 IvtBtBUs;IVT Bluetooth Bus Service;C:\WINDOWS\system32\Drivers\IvtBtBus.sys [2008-01-21 19:28]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-06-27 18:44]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-04-24 18:04:34 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-04-24 18:04:34 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-BBC Alerts - C:\Program Files\BBC Alerts\BBC_Alerts.exe
MSConfigStartUp-RegistrySmart - C:\Program Files\RegistrySmart\RegistrySmart.exe
MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_15\bin\jusched.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 17:40:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-07-01 17:45:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-01 16:45:27

Pre-Run: 61,196,447,744 bytes free
Post-Run: 61,344,550,912 bytes free

287 --- E O F --- 2008-06-20 22:13:49
tigerfish is offline  
Old 07-01-2008, 05:22 PM   #4 (permalink)
Analyst, Security Team
 
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro


Re: Virtumonde.dll – Spybot alarm.

Double click on C:\im.ini to open it up in Notepad. Copy & paste the entire contents of that file here.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:
Quote:
KILLALL::
DirLook::
C:\WINDOWS\0
C:\WINDOWS\system32\0
File::
C:\WINDOWS\Run32A60.mch
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\websploit.exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Express]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"Microsoft Windows Express"=-
Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  
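As an added example, not part of the reply above and not code from ComboFix: the fix pairs the deletion of websploit.exe with the removal of every load point that referenced it, the msconfig startupreg subkey and the disabled runservices- value. This Python script shows that cross-reference on a constructed excerpt of the ComboFix "Reg Loading Points" section posted earlier in the thread. It parses the key headers, value lines and startupreg attribute lines, flags autostart binaries whose attribute column shows hidden+system set (the "-rahs----" on websploit.exe), finds every entry naming a given file, and emits the matching Registry:: lines in the `[-key]` / `"value"=-` syntax used in the CFScript above. The `LoadPoint` class and the function names are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the "Reg Loading Points" section of the ComboFix
# log posted earlier in the thread, trimmed to the entries this walk-through needs.
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-29 19:33 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Express]
-rahs---- 2007-06-13 11:23 204812 C:\WINDOWS\system32\websploit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"=ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"Microsoft Windows Express"=websploit.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<rest>.+)$')
# msconfig startupreg subkeys are listed as: attributes, date, time, size, path
STARTUPREG_RE = re.compile(
    r"^(?P<attrs>[-a-z]{9}) \d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ (?P<path>.+)$"
)


@dataclass
class LoadPoint:
    key: str
    value: str | None   # registry value name; None for an msconfig startupreg subkey
    attrs: str | None   # ComboFix attribute column (e.g. "-rahs----"), when shown
    path: str

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_load_points(text: str) -> list[LoadPoint]:
    points: list[LoadPoint] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key = m.group("key")
        elif key and (m := STARTUPREG_RE.match(line)):
            points.append(LoadPoint(key, None, m.group("attrs"), m.group("path")))
        elif key and (m := VALUE_RE.match(line)):
            rest = m.group("rest").strip()
            # quoted path followed by ComboFix's "[date time size]", or a bare image name
            path = rest[1:].split('"', 1)[0] if rest.startswith('"') else rest.split(" [", 1)[0]
            points.append(LoadPoint(key, m.group("name"), None, path))
    return points


def hidden_system(p: LoadPoint) -> bool:
    """True when the attribute column shows both hidden (h) and system (s) set."""
    return bool(p.attrs) and "h" in p.attrs and "s" in p.attrs


def references_to(points: list[LoadPoint], filename: str) -> list[LoadPoint]:
    """Every load point whose image is the given file name, whatever directory it cites."""
    target = filename.lower()
    return [p for p in points if p.basename == target]


def cfscript_registry(points: list[LoadPoint]) -> list[str]:
    """Registry:: lines in the syntax of the CFScript above: [-key] drops a whole
    startupreg subkey, "value"=- drops one value under a Run-style key."""
    by_key: dict[str, list[LoadPoint]] = {}
    for p in points:
        by_key.setdefault(p.key, []).append(p)
    lines: list[str] = []
    for key, group in by_key.items():
        if any(p.value is None for p in group):
            lines.append(f"[-{key}]")
        else:
            lines.append(f"[{key}]")
            lines.extend(f'"{p.value}"=-' for p in group)
    return lines


if __name__ == "__main__":
    points = parse_load_points(SAMPLE_COMBOFIX)
    for p in points:
        if hidden_system(p):
            print(f"hidden+system autostart binary: {p.path} (under {p.key})")
    print("\n".join(cfscript_registry(references_to(points, "websploit.exe"))))
```

The script groups by key so that two values under one Run key share a single `[key]` header, which is how the REGEDIT4-style format expects them. Entries under the `run-` and `runservices-` keys are msconfig's disabled copies, so a hit there means the program was switched off in msconfig rather than removed, which is why the fix above deletes the value instead of leaving it.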
Old 07-02-2008, 10:50 AM   #5 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 6
OS: XP SP3


Re: Virtumonde.dll – Spybot alarm.

greyknight17,

See contents of im.ini below:

[IM1]
Module=C:\WINDOWS\system32\skypeagent.dll


Ran CFScript in ComboFix; an error dialog box came up, but I pressed OK and ComboFix continued. See 1st run.

I then created another CFScript in case I had made an error and re-ran ComboFix. The error dialog box still appeared, but I pressed OK and ComboFix continued. See 2nd run.

1st Run

ComboFix 08-06-30.2 - John Mcardle 2008-07-02 16:56:41.12 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1622 [GMT 1:00]
Running from: C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\imsins.BAK
C:\WINDOWS\Run32A60.mch
C:\WINDOWS\system32\websploit.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\imsins.BAK
C:\WINDOWS\Run32A60.mch
C:\WINDOWS\system32\websploit.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.

2008-07-01 20:02 . 2008-07-01 20:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-01 20:02 . 2008-07-01 20:02 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-30 20:14 . 2008-06-30 20:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-30 19:55 . 2008-06-30 19:55 <DIR> d-------- C:\Deckard
2008-06-29 21:03 . 2008-06-29 21:03 <DIR> d-------- C:\ie-spyad_zo
2008-06-29 20:53 . 2008-06-29 20:55 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-29 20:26 . 2008-06-29 20:27 <DIR> d-------- C:\Program Files\Panda Security
2008-06-27 18:44 . 2008-06-27 18:44 355,584 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-06-27 18:44 . 2008-05-29 09:28 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-06-26 21:56 . 2008-06-26 21:56 <DIR> d-------- C:\WINDOWS\system32\dxdll
2008-06-26 21:55 . 2008-06-26 21:55 <DIR> d-------- C:\WinRAR Pro 7.0
2008-06-26 20:48 . 2008-06-26 21:58 <DIR> d-------- C:\Program Files\Flagship Studios
2008-06-22 11:42 . 2008-06-22 11:44 <DIR> d-------- C:\sniper
2008-06-21 21:04 . 2008-06-21 21:04 <DIR> d-------- C:\Program Files\SEGA
2008-06-21 11:30 . 2008-06-21 11:30 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\ATI
2008-06-20 20:37 . 2008-06-20 20:37 <DIR> d-------- C:\WINDOWS\A6W_DATA
2008-06-20 20:37 . 2008-06-20 20:37 35 --a------ C:\WINDOWS\A6W.INI
2008-06-19 18:26 . 2008-06-21 11:02 2,408 --a------ C:\WINDOWS\system32\SHORTCUT.INI
2008-06-19 18:25 . 2008-06-21 11:04 232 --a------ C:\WINDOWS\system32\REMOTEDEVICE.INI
2008-06-19 18:24 . 2008-06-21 11:13 4,334 --a------ C:\WINDOWS\system32\LOCALSERVICE.INI
2008-06-19 18:24 . 2008-06-21 11:00 103 --a------ C:\WINDOWS\system32\LOCALDEVICE.INI
2008-06-19 18:20 . 2008-06-19 18:20 <DIR> d-------- C:\Program Files\IVT Corporation
2008-06-19 18:20 . 2008-06-19 18:20 0 --a------ C:\WINDOWS\system32\BSPRINT.INI
2008-06-19 18:19 . 2008-06-19 18:19 <DIR> d-------- C:\bluesoleil
2008-06-19 17:10 . 2008-06-19 17:10 50 --a------ C:\im.ini
2008-06-19 17:03 . 2008-06-19 18:20 32 --a------ C:\WINDOWS\0
2008-06-19 17:03 . 2008-06-19 17:03 0 --a------ C:\WINDOWS\system32\0
2008-06-11 17:18 . 2008-06-13 12:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 17:18 . 2008-05-08 15:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-08 20:45 . 2008-06-08 20:45 <DIR> d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-06-06 13:54 . 2008-06-19 17:02 <DIR> d-------- C:\IVT_BlueSoleil_6.0.227.0_for_32bit_OS
2008-06-03 03:28 . 2008-06-03 03:28 23,040 --a------ C:\WINDOWS\system32\atiadlxx.dll
2008-06-02 21:34 . 2008-06-02 21:34 0 --a------ C:\WINDOWS\WATCH.INI
2008-06-02 20:59 . 2008-06-02 20:59 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SSScanAppDataDir
2008-06-02 20:59 . 2008-06-02 20:59 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\MSScanAppDataDir
2008-06-02 20:58 . 2006-10-26 19:58 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2008-06-02 20:12 . 2002-07-26 02:28 8,065 --a------ C:\WINDOWS\system32\drivers\A2Dfw.usb
2008-06-02 17:19 . 2008-06-27 18:47 <DIR> d-------- C:\Documents and Settings\Administrator.JOHNMCARDLE
2008-06-02 16:23 . 2008-06-02 16:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-02 16:23 . 2008-06-02 17:08 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 21:32 --------- d-----w C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\BitTorrent
2008-07-01 20:32 136,888 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-07-01 19:02 --------- d-----w C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\Vso
2008-07-01 16:19 --------- d-----w C:\Program Files\McAfee
2008-06-29 10:33 --------- d-----w C:\Program Files\BitTorrent
2008-06-27 17:45 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-06-27 13:30 --------- d-----w C:\Program Files\RegistrySmart
2008-06-26 19:18 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\WinZip
2008-06-23 18:19 --------- d-----w C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\DivX
2008-06-21 14:37 --------- d-----w C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\GetRight Pro
2008-06-21 14:29 --------- d-----w C:\Program Files\GetRight
2008-06-21 10:27 --------- d-----w C:\Program Files\ATI Technologies
2008-06-21 09:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-13 17:31 --------- d-----w C:\Program Files\SopCast
2008-06-13 17:25 --------- d-----w C:\Program Files\TVAnts
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 19:32 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-06-07 16:36 --------- d-----w C:\Program Files\DivX
2008-06-03 06:20 3,100,160 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-06-03 02:27 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-06-01 21:02 --------- d-----w C:\Program Files\Java
2008-06-01 21:01 --------- d-----w C:\Program Files\Common Files\Java
2008-05-30 15:35 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee
2008-05-30 15:34 --------- d-----w C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\McAfee
2008-05-28 17:18 --------- d-----w C:\Program Files\Avery
2008-05-22 22:22 9,464 ----a-w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-05-22 22:22 9,336 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-05-22 22:22 43,528 ----a-w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-05-22 19:13 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Zylom
2008-05-19 14:33 --------- d-----w C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\MSN6
2008-05-19 14:32 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\MSN6
2008-05-18 16:53 --------- d-----w C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\iWin
2008-05-16 19:18 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Ubisoft
2008-05-16 19:17 22,328 ----a-w C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\PnkBstrK.sys
2008-05-16 19:04 --------- d-----w C:\Program Files\Ubisoft
2008-05-12 18:39 --------- d-----w C:\Program Files\Windows Live
2008-05-12 18:38 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-12 18:35 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
2008-05-08 18:38 --------- d-----w C:\Program Files\Google
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-05 20:53 --------- d-----w C:\Program Files\Creative Labs
2008-05-05 20:46 --------- d-----w C:\Program Files\MagicDisc
2008-05-05 16:07 --------- d-----w C:\Program Files\Sierra
2008-05-05 10:27 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-05 10:27 47,360 ----a-w C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Application Data\pcouffin.sys
2008-05-05 10:27 --------- d-----w C:\Program Files\DVDFab 5
2008-05-04 12:00 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\DVD Shrink
2008-05-04 11:58 --------- d-----w C:\Program Files\DVD Shrink
2008-04-29 18:45 338,944 ----a-w C:\WINDOWS\Activator.exe
2008-04-29 18:45 204,812 ----a-w C:\WINDOWS\Win32install.exe
2008-04-29 18:31 13,288,968 ----a-w C:\WINDOWS\RealPlayer11GOLD.exe
2008-04-25 13:37 15,600 ----a-w C:\WINDOWS\gdrv.sys
2008-04-24 21:16 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-22 20:59 22,328 ----a-w C:\Documents and Settings\John McArdle.ME-8FVBHESE4MIC\Application Data\PnkBstrK.sys
2008-04-21 21:21 485 ----a-w C:\Program Files\Shortcut to McAfee.com.lnk
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 34,816 ----a-w C:\WINDOWS\Help\sniffpol.dll
2008-04-14 00:12 33,280 ----a-w C:\WINDOWS\Help\sstub.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 279,040 ----a-w C:\WINDOWS\Help\tshoot.dll
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 00:11 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 00:11 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 00:11 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 00:11 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 00:11 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
2008-03-30 19:37 22,328 ----a-w C:\Documents and Settings\John McArdle\Application Data\PnkBstrK.sys
2008-02-17 11:35 47,360 ----a-w C:\Documents and Settings\John McArdle\Application Data\pcouffin.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\0 ----

C:\WINDOWS\0\

---- Directory of C:\WINDOWS\system32\0 ----

C:\WINDOWS\system32\0\


((((((((((((((((((((((((((((( snapshot@2008-07-01_17.45.16.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-01 16:39:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-02 16:00:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-07-01 16:28:31 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-02 15:55:29 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-07-01 16:28:31 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-02 15:55:29 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-06-30 19:51:21 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
+ 2008-07-01 20:32:15 111,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 10:08 16342528 C:\WINDOWS\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 01:12 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^John Mcardle.JOHNMCARDLE^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-04-24 20:57 288576 C:\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BtTray]
--a------ 2007-09-10 11:08 258134 C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2007-08-28 13:00 531272 C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C62 Series]
--a------ 2002-04-10 03:00 74240 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S0BIC1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 01:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2008-02-28 17:07 1828136 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-02-17 07:15 221184 c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-17 07:15 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2008-02-18 16:29 2221352 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2008-02-28 09:59 570664 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-01-21 12:17 61440 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-29 19:33 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Microsoft Office Groove Audit Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"=ALCMTR.EXE
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"=
"C:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=
"C:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Sierra\\FEAR\\fpupdate.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleilCS.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

R0 BtHidBus;Bluetooth HID Bus Service;C:\WINDOWS\system32\Drivers\BtHidBus.sys [2008-01-21 19:28]
R2 BlueSoleilCS;BlueSoleilCS;C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe [2008-02-14 17:59]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-14 01:12]
R3 BsHelpCS;BsHelpCS;C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe [2007-08-17 15:58]
S3 IvtBtBUs;IVT Bluetooth Bus Service;C:\WINDOWS\system32\Drivers\IvtBtBus.sys [2008-01-21 19:28]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-06-27 18:44]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-04-24 18:04:34 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-04-24 18:04:34 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{08A43D84-B9D8-459A-8EAD-03870DEDB571} - (no file)
BHO-{20E59CA2-78B0-4431-BFD0-D8B5ADFC0056} - (no file)
Notify-geBtQgDt - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-02 17:01:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-07-02 17:07:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-02 16:07:12
ComboFix2.txt 2008-07-01 16:45:32

Pre-Run: 60,236,259,328 bytes free
Post-Run: 60,290,727,936 bytes free

300 --- E O F --- 2008-06-20 22:13:49

2nd Run

ComboFix 08-06-30.2 - John Mcardle 2008-07-02 17:14:21.13 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1591 [GMT 1:00]
Running from: C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\John Mcardle.JOHNMCARDLE\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\imsins.BAK
C:\WINDOWS\Run32A60.mch
C:\WINDOWS\system32\