Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads
Resolved HJT Threads: resolved spyware and popup issues.

#1 - 12-27-2007, 06:24 PM
Registered User
Join Date: Jan 2006
Posts: 21
OS: win XP


Can't get rid of virtumonde and popups

Hello guys,
You helped me greatly in the past and now I need your help again. I have somehow got the Virtumonde trojan and can't get rid of it. Spybot, Ad-Aware, and Norton say they remove it, but it keeps reappearing. I am also prompted for "Windows XP disc 2" on startup. This computer came with XP installed; I have recovery disks, but no Windows disks.
Here is my Panda scan:

Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\urqnkji.dll
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Bobby\Cookies\bobby@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Bobby\Cookies\bobby@doubleclick[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Bobby\Cookies\bobby@server.iad.liveperson[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Bobby\Cookies\bobby@tribalfusion[1].txt
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Bobby\Local Settings\Temp\TMP30.tmp
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Christine\Local Settings\Temp\Cookies\christine@atdmt[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Christine\Local Settings\Temp\Cookies\christine@atwola[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Christine\Local Settings\Temp\Cookies\christine@doubleclick[1].txt
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Shellie\Local Settings\Temp\TMP1C6.tmp
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\eakootij.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\prmcpykb.dll
Here is my HijackThis main log:
Deckard's System Scanner v20071014.68
Run by Bobby on 2007-12-27 20:11:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2007-12-28 01:11:33 UTC - RP3 - Deckard's System Scanner Restore Point
2: 2007-12-27 02:22:50 UTC - RP2 - Last known good configuration
1: 2007-12-27 02:22:25 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Bobby.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:25 PM, on 12/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Bobby\Desktop\New Folder\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Bobby.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.spysubtract.com/imbuy....2=&500=2&501=0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: load=C:\WINDOWS\system32\awvvt.exe
O2 - BHO: (no name) - {06541D3A-B5EF-481C-B2B4-72A372F77308} - C:\WINDOWS\system32\awvvt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1610EF56-2B58-4D73-96D5-69A5FCEC5745} - (no file)
O2 - BHO: (no name) - {31C9E560-B364-4A77-AF99-3A603775FF46} - (no file)
O2 - BHO: {aaf040ce-396d-0569-9f94-8d33bf29df34} - {43fd92fb-33d8-49f9-9650-d693ec040faa} - C:\WINDOWS\system32\hfdenexl.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67B9C00E-0497-4042-8BB7-07D1626418B9} - (no file)
O2 - BHO: (no name) - {9bfe0f03-f84a-407b-9a5a-f7f1d91ee9e7} - (no file)
O2 - BHO: (no name) - {A3D48BF3-24E3-47D9-8FF4-9D62678E0AE0} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\urqnkji.dll
O2 - BHO: (no name) - {DC0E6843-52F7-44BE-8330-4A43F004A0D5} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VAIO Update 3] "C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [e46338e0] rundll32.exe "C:\WINDOWS\system32\bnnmbcne.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Epson printer Registration.lnk = D:\Titles\Ereg\English\EPSONREG.EXE
O4 - Startup: Epson scanner Registration.lnk = D:\Titles\E_Reg\EPSONREG.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ALLTEL DSL Check-up Center.lnk = C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: http://care.alltel.com
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet...ller_2-0-0.cab
O16 - DPF: {4EC99A0B-E57C-4FBE-B9C4-8428424FBF88} (McciUtilsSpecialFolder Class) - https://care.alltel.com/lwp/static/i...ller_3-0-0.cab
O16 - DPF: {528BF874-2681-4CE3-8C62-AA0D3BC0A719} (McciSysSCM Class) - https://care.alltel.com/lwp/static/i...ller_3-0-0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1147837279695
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1147837778671
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} (McciSM Class) - https://care.alltel.com/lwp/static/i...ller_3-0-0.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BB3B91F7-1070-4BFD-AA42-6C523B9162B9} (McciHTTPClient Class) - https://care.alltel.com/lwp/static/i...ller_3-0-0.cab
O16 - DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} (SecurityManager Class) - https://care.alltel.com/lwp/static/i...ller_3-0-0.cab
O20 - Winlogon Notify: urqnkji - C:\WINDOWS\SYSTEM32\urqnkji.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 15488 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 NAVAP - c:\program files\navnt\navap.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AdobeActiveFileMonitor (Adobe Active File Monitor) - c:\program files\adobe\photoshop elements 3.0\photoshopelementsfileagent.exe
R2 PhotoshopElementsDeviceConnect (Photoshop Elements Device Connect) - c:\program files\adobe\photoshop elements 3.0\photoshopelementsdeviceconnect.exe
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S3 PACSPTISVR - "c:\program files\common files\sony shared\avlib\pacsptisvr.exe" <Not Verified; ; PACSPTISVR Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-12-22 12:05:47 436 --a------ C:\WINDOWS\Tasks\EasyShare Registration Task.job


-- Files created between 2007-11-27 and 2007-12-27 -----------------------------

2007-12-27 20:13:16 0 d-------- C:\Program Files\Trend Micro
2007-12-27 19:30:12 0 d-------- C:\Program Files\SpywareBlaster
2007-12-27 18:28:17 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2007-12-27 18:27:45 8576 --a------ C:\WINDOWS\system32\drivers\hcdmwectpcno.sys <Not Verified; Panda Software International; RKPavProc Driver>
2007-12-27 18:16:23 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-27 18:16:22 0 d-------- C:\WINDOWS\LastGood
2007-12-27 1018 81984 --a------ C:\WINDOWS\system32\hfdenexl.dll
2007-12-27 10:03:18 90176 --a------ C:\WINDOWS\system32\mgcnralp.dll
2007-12-27 09:57:19 81984 --a------ C:\WINDOWS\system32\fbpguuea.dll
2007-12-27 06:10:24 0 dr-h----- C:\Documents and Settings\Bobby\Recent
2007-12-26 10:03:18 77376 --a------ C:\WINDOWS\system32\xuguqgcq.dll
2007-12-26 10:00:18 77376 --a------ C:\WINDOWS\system32\jhrreejw.dll
2007-12-24 22:53:38 0 d-------- C:\Program Files\Enigma Software Group
2007-12-24 22:23:55 6199296 --a------ C:\Documents and Settings\Bobby\rminstall.exe <Not Verified; PC Tools; >
2007-12-24 18:35:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\Google
2007-12-24 18:32:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2007-12-24 18:25:49 0 d-------- C:\WINDOWS\CSC
2007-12-24 10:02:37 87104 --a------ C:\WINDOWS\system32\coafgfhb.dll
2007-12-24 09:59:37 75840 --a------ C:\WINDOWS\system32\lggglmcd.dll
2007-12-23 22:04:33 87104 --a------ C:\WINDOWS\system32\bjvesmui.dll
2007-12-23 22:01:33 78912 --a------ C:\WINDOWS\system32\prmcpykb.dll
2007-12-23 10:03:56 78912 --a------ C:\WINDOWS\system32\eakootij.dll
2007-12-23 08:54:59 341504 --a------ C:\WINDOWS\system32\awvvt.exe
2007-12-23 08:54:56 749828 --ahs---- C:\WINDOWS\system32\tvvwa.ini2
2007-12-23 08:54:51 337920 --a------ C:\WINDOWS\system32\awvvt.dll
2007-12-23 08:45:30 382464 --a------ C:\WINDOWS\mrofinu72.exe
2007-12-23 08:45:18 40448 --a------ C:\WINDOWS\system32\urqnkji.dll
2007-12-23 08:45:17 0 d-------- C:\Program Files\QdrModule
2007-12-22 12:28:26 0 d-------- C:\Program Files\Lavasoft
2007-12-22 12:28:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-22 12:27:57 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-14 19:58:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-13 06:12:30 0 d-------- C:\Documents and Settings\Bobby\Application Data\Apple Computer
2007-12-03 17:41:49 0 d-------- C:\Documents and Settings\Ashleigh\Application Data\Motive
2007-12-01 14:57:19 0 d-------- C:\Documents and Settings\Ashleigh\Application Data\Macromedia
2007-12-01 14:57:02 0 d-------- C:\Documents and Settings\Ashleigh\Application Data\Google
2007-12-01 14:49:55 0 d-------- C:\Documents and Settings\Ashleigh\Application Data\Real
2007-12-01 14:49:38 0 d--h----- C:\Documents and Settings\Ashleigh\Templates
2007-12-01 14:49:38 0 dr------- C:\Documents and Settings\Ashleigh\Start Menu
2007-12-01 14:49:38 0 dr-h----- C:\Documents and Settings\Ashleigh\SendTo
2007-12-01 14:49:38 0 dr-h----- C:\Documents and Settings\Ashleigh\Recent
2007-12-01 14:49:38 0 d--h----- C:\Documents and Settings\Ashleigh\PrintHood
2007-12-01 14:49:38 2621440 --ah----- C:\Documents and Settings\Ashleigh\NTUSER.DAT
2007-12-01 14:49:38 0 d--h----- C:\Documents and Settings\Ashleigh\NetHood
2007-12-01 14:49:38 0 dr------- C:\Documents and Settings\Ashleigh\My Documents
2007-12-01 14:49:38 0 d--h----- C:\Documents and Settings\Ashleigh\Local Settings
2007-12-01 14:49:38 0 dr------- C:\Documents and Settings\Ashleigh\Favorites
2007-12-01 14:49:38 0 d-------- C:\Documents and Settings\Ashleigh\Desktop
2007-12-01 14:49:38 0 d--hs---- C:\Documents and Settings\Ashleigh\Cookies
2007-12-01 14:49:38 0 dr-h----- C:\Documents and Settings\Ashleigh\Application Data
2007-12-01 14:49:38 0 d-------- C:\Documents and Settings\Ashleigh\Application Data\Symantec
2007-12-01 14:49:38 0 d-------- C:\Documents and Settings\Ashleigh\Application Data\Sony Corporation
2007-12-01 14:49:38 0 d---s---- C:\Documents and Settings\Ashleigh\Application Data\Microsoft
2007-12-01 14:49:38 0 d-------- C:\Documents and Settings\Ashleigh\Application Data\Intuit
2007-12-01 14:49:38 0 d-------- C:\Documents and Settings\Ashleigh\Application Data\Identities
2007-12-01 14:49:38 0 d-------- C:\Documents and Settings\Ashleigh\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2007-12-27 19:00:09 0 d-------- C:\Program Files\Symantec AntiVirus
2007-12-27 18:51:12 0 d-------- C:\Program Files\Google
2007-12-27 18:50:24 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-27 18:14:32 0 d-------- C:\Program Files\QuickTime
2007-12-27 18:14:32 0 d-------- C:\Program Files\Picasa2
2007-12-27 08:33:16 0 d-------- C:\Program Files\Messenger
2007-12-27 05:53:20 0 d-------- C:\Documents and Settings\Bobby\Application Data\U3
2007-12-26 21:16:01 1324 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-12-23 17:26:01 0 d-------- C:\Program Files\Common Files
2007-12-23 14:03:09 34564 --a------ C:\logfile
2007-10-28 20:50:15 0 d-------- C:\Program Files\Suze Orman
2007-10-27 09:09:23 0 d-------- C:\Program Files\Kodak


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06541D3A-B5EF-481C-B2B4-72A372F77308}]
12/23/2007 08:54 AM 337920 --a------ C:\WINDOWS\system32\awvvt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1610EF56-2B58-4D73-96D5-69A5FCEC5745}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31C9E560-B364-4A77-AF99-3A603775FF46}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43fd92fb-33d8-49f9-9650-d693ec040faa}]
12/27/2007 10:06 AM 81984 --a------ C:\WINDOWS\system32\hfdenexl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{67B9C00E-0497-4042-8BB7-07D1626418B9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9bfe0f03-f84a-407b-9a5a-f7f1d91ee9e7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3D48BF3-24E3-47D9-8FF4-9D62678E0AE0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}]
12/23/2007 08:45 AM 40448 --a------ C:\WINDOWS\system32\urqnkji.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DC0E6843-52F7-44BE-8330-4A43F004A0D5}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [12/27/2007 06:14 PM]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [08/12/2004 07:45 PM C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [12/27/2007 06:14 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [12/27/2007 06:14 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [11/23/2004 06:56 PM]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [12/27/2007 06:14 PM]
"Motive SmartBridge"="C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe" [12/27/2007 06:14 PM]
"EPSON Stylus Photo R320 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.exe" [12/27/2007 06:14 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [12/27/2007 06:14 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [12/27/2007 06:14 PM]
"SoundMan"="SOUNDMAN.EXE" [05/03/2005 05:43 PM C:\WINDOWS\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [05/04/2005 09:01 AM C:\WINDOWS\ALCWZRD.EXE]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 05:43 PM C:\WINDOWS\ALCMTR.EXE]
"x3watch"="C:\Program Files\X3watch\x3watch.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [12/27/2007 06:14 PM]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [12/27/2007 06:14 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/27/2007 06:14 PM]
"VAIO Update 3"="C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe" [12/27/2007 06:14 PM]
"e46338e0"="C:\WINDOWS\system32\bnnmbcne.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [12/27/2007 06:14 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 07:00 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [12/27/2007 06:14 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}"= C:\WINDOWS\system32\urqnkji.dll [12/23/2007 08:45 AM 40448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqnkji]
urqnkji.dll 12/23/2007 08:45 AM 40448 C:\WINDOWS\system32\urqnkji.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awvvt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=C:\WINDOWS\pss\SpySubtract.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ImInstaller_IncrediMail]
C:\DOCUME~1\Shellie\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install.exe -startup -product IncrediMail

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PartSeal]
C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
c:\program files\sony\vaio survey\surveysa.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
AutoRun\command- J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{779c84d1-9384-11dc-abe0-0013d4240d2c}]
AutoRun\command- K:\LaunchU3.exe -a

*Newly Created Service* - HCDMWECTPCNO
*Newly Created Service* - RKPAVPROC
*Newly Created Service* - SDTHOOK



-- End of Deckard's System Scanner: finished at 2007-12-27 20:13:57 ------------

Thanks in advance,
Bobby
bwbrown55
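As an added example for this thread (not code from the poster, TSF, HijackThis or Deckard's System Scanner), here is a small Python triage script that runs over lines copied from the log above and flags the autostart points a Virtumonde infection typically claims: nameless BHOs (O2) backed by random-named DLLs in system32, a Winlogon Notify hook (O20), a rundll32 Run value (O4) and a win.ini load= entry (F3). The severity labels and the "short all-letter DLL name" heuristic are my assumptions, chosen to match what this log shows; they are a triage cue for the analyst, not a verdict.

```python
"""Triage HijackThis-style log lines for Virtumonde-type autostart indicators.
Added example for this thread; not a HijackThis, DSS or TSF tool."""
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis log posted above,
# plus two benign lines (Adobe BHO, Symantec ccApp) the filter must leave alone.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\awvvt.exe
O2 - BHO: (no name) - {06541D3A-B5EF-481C-B2B4-72A372F77308} - C:\WINDOWS\system32\awvvt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1610EF56-2B58-4D73-96D5-69A5FCEC5745} - (no file)
O2 - BHO: {aaf040ce-396d-0569-9f94-8d33bf29df34} - {43fd92fb-33d8-49f9-9650-d693ec040faa} - C:\WINDOWS\system32\hfdenexl.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\urqnkji.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [e46338e0] rundll32.exe "C:\WINDOWS\system32\bnnmbcne.dll",b
O20 - Winlogon Notify: urqnkji - C:\WINDOWS\SYSTEM32\urqnkji.dll
"""

LINE_RE   = re.compile(r'^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$')
BHO_RE    = re.compile(r'^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$')
RUN_RE    = re.compile(r'^HK(?:LM|CU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$')
NOTIFY_RE = re.compile(r'^Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$')
WININI_RE = re.compile(r'^REG:win\.ini: load=(?P<path>.+)$')
CLSID_RE  = re.compile(r'^\{[0-9A-Fa-f-]{36}\}$')
# Heuristic (assumption): a short all-letter DLL name directly under system32,
# the pattern every Virtumonde DLL in this log follows. Legitimate DLLs can
# match too, so a hit is a cue to look closer, not a verdict.
RANDOM_SYS32_DLL = re.compile(r'[A-Za-z]:\\windows\\system32\\[a-z]{5,8}\.dll', re.I)
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:dll|exe)', re.I)


@dataclass
class Finding:
    line: str
    severity: str  # "high": act on it; "review": analyst should look
    reason: str


def triage(log_text: str) -> list:
    """Return one Finding per suspicious HijackThis line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, process list, blank lines
        sec, body = m.group("sec"), m.group("body")
        if sec == "F3" and WININI_RE.match(body):
            findings.append(Finding(line, "high",
                "win.ini load= autostart; legacy hook that current software does not use"))
        elif sec == "O2":
            b = BHO_RE.match(body)
            if not b:
                continue
            name, path = b.group("name"), b.group("path")
            if path == "(no file)":
                findings.append(Finding(line, "review",
                    "orphaned BHO registration, file already gone; clean the key"))
            elif (name == "(no name)" or CLSID_RE.match(name)) and RANDOM_SYS32_DLL.fullmatch(path):
                findings.append(Finding(line, "high",
                    "nameless BHO backed by random-looking DLL in system32"))
        elif sec == "O4":
            r = RUN_RE.match(body)
            if r and "rundll32" in r.group("cmd").lower() and RANDOM_SYS32_DLL.search(r.group("cmd")):
                findings.append(Finding(line, "high",
                    "rundll32 Run entry loading random-looking DLL from system32"))
        elif sec == "O20":
            n = NOTIFY_RE.match(body)
            if n:
                sev = "high" if RANDOM_SYS32_DLL.fullmatch(n.group("path")) else "review"
                findings.append(Finding(line, sev,
                    "Winlogon Notify DLL is loaded into winlogon.exe at every logon"))
    return findings


def suspicious_files(findings) -> list:
    """Distinct file paths named in high-severity findings, lower-cased so the
    same DLL seen at two autostart points (BHO + Winlogon Notify) counts once."""
    paths = {m.group(0).lower()
             for f in findings if f.severity == "high"
             for m in PATH_RE.finditer(f.line)}
    return sorted(paths)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print("\nFiles to cross-check against the 'Files created' list:")
    for p in suspicious_files(results):
        print("  ", p)
```

Run it on a saved log by passing the file's text to `triage()`. The file list it prints is meant to be compared with the "Files created between ..." section of the DSS report: in this thread every flagged DLL was created on 12/23 within a few minutes of the others, which is the corroboration an analyst wants before asking for removal.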
#2 - 12-29-2007, 07:33 PM
Angelfire777
Moderator/Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 3,045
OS: XP


Re: Can't get rid of virtumonde and popups

Hi, welcome to TSF!

Disable Spybot's TeaTimer. This is a two-step process.
First step:
  • Right-click the Spybot icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have version 1.4, click on Exit Spybot S&D Resident
Second step, for either version:
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go to the bottom of the vertical panel on the left, click Tools
  • Then, also in the left panel, click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
______

Download combofix.exe
  • Save it to your desktop.
  • Double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.
Note:
  • In case you already used ComboFix previously, please delete the version you have and download it again, because ComboFix is updated every day.
  • Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
  • Do not post the ComboFix-quarantined-files.txt unless I ask you to.
  • If your antivirus software is detecting ComboFix or a part of it as a virus, please choose to ignore it, as antivirus products cannot determine the good/bad use of some software embedded in ComboFix.
______

Download RenV.exe

1. Download it & double-click to run it.
2. A log file will be created. Please post all the contents of that log in your next reply.


In your next reply, please include a
  • Fresh HijackThis log
  • ComboFix log
  • RenV log
__________________
Proud member of UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Angelfire777 is offline  
Old 12-29-2007, 10:35 PM   #3 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 21
OS: win XP


Re: Can't get rid of virtumonde and popups

Thanks for the response, angelfire. Here's the fresh HJT log:
Deckard's System Scanner v20071014.68
Run by Bobby on 2007-12-30 00:29:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Bobby.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:47 AM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Symantec AntiVirus\vptray.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Bobby\Desktop\New Folder\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Bobby.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.spysubtract.com/imbuy....2=&500=2&501=0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [e46338e0] rundll32.exe "C:\WINDOWS\system32\bnnmbcne.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Epson printer Registration.lnk = D:\Titles\Ereg\English\EPSONREG.EXE
O4 - Startup: Epson scanner Registration.lnk = D:\Titles\E_Reg\EPSONREG.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ALLTEL DSL Check-up Center.lnk = C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: http://care.alltel.com
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet...ller_2-0-0.cab
O16 - DPF: {4EC99A0B-E57C-4FBE-B9C4-8428424FBF88} (McciUtilsSpecialFolder Class) - https://care.alltel.com/lwp/static/i...ller_3-0-0.cab
O16 - DPF: {528BF874-2681-4CE3-8C62-AA0D3BC0A719} (McciSysSCM Class) - https://care.alltel.com/lwp/static/i...ller_3-0-0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1147837279695
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1147837778671
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} (McciSM Class) - https://care.alltel.com/lwp/static/i...ller_3-0-0.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BB3B91F7-1070-4BFD-AA42-6C523B9162B9} (McciHTTPClient Class) - https://care.alltel.com/lwp/static/i...ller_3-0-0.cab
O16 - DPF: {CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306} (SecurityManager Class) - https://care.alltel.com/lwp/static/i...ller_3-0-0.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 13143 bytes

-- Files created between 2007-11-30 and 2007-12-30 -----------------------------

2007-12-27 20:13:16 0 d-------- C:\Program Files\Trend Micro
2007-12-27 19:30:12 0 d-------- C:\Program Files\SpywareBlaster
2007-12-27 18:28:17 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2007-12-27 18:27:45 8576 --a------ C:\WINDOWS\system32\drivers\hcdmwectpcno.sys <Not Verified; Panda Software International; RKPavProc Driver>
2007-12-27 18:16:23 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-27 06:10:24 0 dr-h----- C:\Documents and Settings\Bobby\Recent
2007-12-24 22:53:38 0 d-------- C:\Program Files\Enigma Software Group
2007-12-24 22:23:55 6199296 --a------ C:\Documents and Settings\Bobby\rminstall.exe <Not Verified; PC Tools; >
2007-12-24 18:35:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\Google
2007-12-24 18:32:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2007-12-24 18:25:49 0 d-------- C:\WINDOWS\CSC
2007-12-22 12:28:26 0 d-------- C:\Program Files\Lavasoft
2007-12-22 12:28:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-22 12:27:57 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-14 19:58:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-13 06:12:30 0 d-------- C:\Documents and Settings\Bobby\Application Data\Apple Computer
2007-12-03 17:41:49 0 d-------- C:\Documents and Settings\Ashleigh\Application Data\Motive
2007-12-01 14:57:19 0 d-------- C:\Documents and Settings\Ashleigh\Application Data\Macromedia
2007-12-01 14:57:02 0 d-------- C:\Documents and Settings\Ashleigh\Application Data\Google
2007-12-01 14:49:55 0 d-------- C:\Documents and Settings\Ashleigh\Application Data\Real
2007-12-01 14:49:38 0 d--h----- C:\Documents and Settings\Ashleigh\Templates
2007-12-01 14:49:38 0 dr------- C:\Documents and Settings\Ashleigh\Start Menu
2007-12-01 14:49:38 0 dr-h----- C:\Documents and Settings\Ashleigh\SendTo
2007-12-01 14:49:38 0 dr-h----- C:\Documents and Settings\Ashleigh\Recent
2007-12-01 14:49:38 0 d--h----- C:\Documents and Settings\Ashleigh\PrintHood
2007-12-01 14:49:38 2621440 --ah----- C:\Documents and Settings\Ashleigh\NTUSER.DAT
2007-12-01 14:49:38 0 d--h----- C:\Documents and Settings\Ashleigh\NetHood
2007-12-01 14:49:38 0 dr------- C:\Documents and Settings\Ashleigh\My Documents
2007-12-01 14:49:38 0 d--h----- C:\Documents and Settings\Ashleigh\Local Settings
2007-12-01 14:49:38 0 dr------- C:\Documents and Settings\Ashleigh\Favorites
2007-12-01 14:49:38 0 d-------- C:\Documents and Settings\Ashleigh\Desktop
2007-12-01 14:49:38 0 d--hs---- C:\Documents and Settings\Ashleigh\Cookies
2007-12-01 14:49:38 0 dr-h----- C:\Documents and Settings\Ashleigh\Application Data
2007-12-01 14:49:38 0 d-------- C:\Documents and Settings\Ashleigh\Application Data\Symantec
2007-12-01 14:49:38 0 d-------- C:\Documents and Settings\Ashleigh\Application Data\Sony Corporation
2007-12-01 14:49:38 0 d---s---- C:\Documents and Settings\Ashleigh\Application Data\Microsoft
2007-12-01 14:49:38 0 d-------- C:\Documents and Settings\Ashleigh\Application Data\Intuit
2007-12-01 14:49:38 0 d-------- C:\Documents and Settings\Ashleigh\Application Data\Identities
2007-12-01 14:49:38 0 d-------- C:\Documents and Settings\Ashleigh\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2007-12-30 00:26:48 0 d-------- C:\Program Files\Symantec AntiVirus
2007-12-30 00:26:46 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-30 00:18:43 0 d-------- C:\Program Files\Picasa2
2007-12-30 00:11:53 0 d-------- C:\Program Files\QuickTime
2007-12-29 10:09:26 0 d-------- C:\Program Files\Messenger
2007-12-27 18:51:12 0 d-------- C:\Program Files\Google
2007-12-27 05:53:20 0 d-------- C:\Documents and Settings\Bobby\Application Data\U3
2007-12-26 21:16:01 1324 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-12-23 17:26:01 0 d-------- C:\Program Files\Common Files
2007-12-23 14:03:09 34564 --a------ C:\logfile


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [08/12/2004 07:45 PM C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [11/23/2004 06:56 PM]
"SoundMan"="SOUNDMAN.EXE" [05/03/2005 05:43 PM C:\WINDOWS\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [05/04/2005 09:01 AM C:\WINDOWS\ALCWZRD.EXE]
"x3watch"="C:\Program Files\X3watch\x3watch.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [12/30/2007 12:12 AM]
"e46338e0"="C:\WINDOWS\system32\bnnmbcne.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 07:00 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=C:\WINDOWS\pss\SpySubtract.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ImInstaller_IncrediMail]
C:\DOCUME~1\Shellie\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install.exe -startup -product IncrediMail

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PartSeal]
C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
c:\program files\sony\vaio survey\surveysa.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
AutoRun\command- J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{779c84d1-9384-11dc-abe0-0013d4240d2c}]
AutoRun\command- K:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2007-12-30 00:30:05 ------------

Combofix log:
ComboFix 07-12-30.1 - Bobby 2007-12-30 0:15:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.627 [GMT -5:00]
Running from: C:\Documents and Settings\Bobby\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Christine\Application Data\macromedia\Flash Player\#SharedObjects\3DNNHKKE\www.broadcaster.com
C:\Documents and Settings\Christine\Application Data\macromedia\Flash Player\#SharedObjects\3DNNHKKE\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Christine\Application Data\macromedia\Flash Player\#SharedObjects\3DNNHKKE\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Christine\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Christine\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\QdrModule11 .exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\setup.exe
C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
C:\WINDOWS\system32\awvvt.dll
C:\WINDOWS\system32\awvvt.exe
C:\WINDOWS\system32\bhfgfaoc.ini
C:\WINDOWS\system32\dsxcwcow.ini
C:\WINDOWS\system32\fbpguuea.dll
C:\WINDOWS\system32\gtkvdrbu.dll
C:\WINDOWS\system32\hfdenexl.dll
C:\WINDOWS\system32\hhnhhilu.dll
C:\WINDOWS\system32\iumsevjb.ini
C:\WINDOWS\system32\jhrreejw.dll
C:\WINDOWS\system32\kteabvfq.ini
C:\WINDOWS\system32\mgcnralp.dll
C:\WINDOWS\system32\plarncgm.ini
C:\WINDOWS\system32\qfvbaetk.dll
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\WINDOWS\system32\tjuvdqcw.dll
C:\WINDOWS\system32\tvvwa.ini
C:\WINDOWS\system32\tvvwa.ini2
C:\WINDOWS\system32\urqnkji.dll
C:\WINDOWS\system32\vqhqxhdm.dll
C:\WINDOWS\system32\xuguqgcq.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-30 )))))))))))))))))))))))))))))))
.

2007-12-29 22:02 . 2007-12-29 22:02 1,031,319 --ahs---- C:\WINDOWS\system32\mxqcntqu.ini
2007-12-28 10:08 . 2007-12-29 10:10 1,031,259 --ahs---- C:\WINDOWS\system32\dmvdthnq.ini
2007-12-28 10:02 . 2007-12-28 10:02 1,031,139 --ahs---- C:\WINDOWS\system32\dqunkwmo.ini
2007-12-27 20:13 . 2007-12-27 20:13 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-27 19:30 . 2007-12-27 19:30 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-27 18:28 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2007-12-27 18:27 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\hcdmwectpcno.sys
2007-12-27 18:16 . 2007-12-27 19:18 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-27 18:16 . 2007-12-27 18:16 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-27 18:16 . 2007-12-27 18:16 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-27 18:16 . 2007-12-27 18:16 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-27 10:00 . 2007-12-27 10:01 1,069,127 --ahs---- C:\WINDOWS\system32\kyqjwwab.ini
2007-12-27 06:33 . 2007-12-27 06:33 <DIR> d-------- C:\Deckard
2007-12-27 00:11 . 2007-12-27 00:11 341,504 --a------ C:\WINDOWS\system32\RCX71.tmp
2007-12-26 10:09 . 2007-12-27 08:34 1,704,660 --ahs---- C:\WINDOWS\system32\encbmnnb.ini
2007-12-26 10:06 . 2007-12-26 10:06 1,027,833 --ahs---- C:\WINDOWS\system32\vkbhsdpq.ini
2007-12-24 22:53 . 2007-12-24 22:53 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-24 22:23 . 2007-12-27 18:14 6,199,296 --a------ C:\Documents and Settings\Bobby\rminstall.exe
2007-12-23 15:27 . 2007-12-23 15:27 341,504 --a------ C:\WINDOWS\system32\RCX31.tmp
2007-12-23 14:31 . 2007-12-23 14:31 341,504 --a------ C:\WINDOWS\system32\RCX37.tmp
2007-12-23 13:59 . 2007-12-30 00:12 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-23 09:02 . 2007-12-23 09:02 0 --a------ C:\WINDOWS\VAIOUpdt .INI
2007-12-23 08:45 . 2007-12-24 18:41 382,464 --a------ C:\WINDOWS\mrofinu72.exe.tmp
2007-12-22 12:28 . 2007-12-22 12:28 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-22 12:28 . 2007-12-22 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-22 12:27 . 2007-12-22 12:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-14 19:58 . 2007-12-22 15:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-13 06:12 . 2007-12-13 06:12 <DIR> d-------- C:\Documents and Settings\Bobby\Application Data\Apple Computer
2007-12-13 06:12 . 2007-12-27 05:55 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-13 06:12 . 2007-12-13 06:12 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-03 17:41 . 2007-12-03 17:41 <DIR> d-------- C:\Documents and Settings\Ashleigh\Application Data\Motive
2007-12-01 14:49 . 2006-05-17 00:51 <DIR> d-------- C:\Documents and Settings\Ashleigh\Application Data\Symantec
2007-12-01 14:49 . 2006-05-17 00:32 <DIR> d-------- C:\Documents and Settings\Ashleigh\Application Data\Sony Corporation
2007-12-01 14:49 . 2006-05-17 00:45 <DIR> d-------- C:\Documents and Settings\Ashleigh\Application Data\Intuit
2007-11-23 16:46 . 2007-12-27 05:53 <DIR> d-------- C:\Documents and Settings\Bobby\Application Data\U3
2007-11-03 10:12 . 2007-11-24 18:42 <DIR> d-------- C:\KODAK

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-30 05:24 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-12-30 05:24 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-30 05:18 --------- d-----w C:\Program Files\Picasa2
2007-12-30 05:11 --------- d-----w C:\Program Files\QuickTime
2007-12-27 23:51 --------- d-----w C:\Program Files\Google
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 04:06 --------- d-----w C:\Documents and Settings\Shellie\Application Data\Apple Computer
2007-10-29 01:50 --------- d-----w C:\Program Files\Suze Orman
2006-09-13 02:50 1,378 ----a-w C:\Documents and Settings\Shellie\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 19:45 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-10 07:00 C:\WINDOWS\system32\rundll32.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-05-03 17:43 C:\WINDOWS\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2005-05-04 09:01 C:\WINDOWS\ALCWZRD.EXE]
"x3watch"="C:\Program Files\X3watch\x3watch.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-30 00:12]
"e46338e0"="C:\WINDOWS\system32\bnnmbcne.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=C:\WINDOWS\pss\SpySubtract.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ImInstaller_IncrediMail]
C:\DOCUME~1\Shellie\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install.exe -startup -product IncrediMail

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PartSeal]
C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
2004-08-19 19:07 331776 --a------ c:\program files\sony\vaio survey\surveysa.exe

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 06:47]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 05:40]
S2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe [2002-12-17 19:26]
S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment;C:\Program Files\Sony\Image Converter 2\IcVzMon.exe [2005-02-14 23:30]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE [2002-12-17 19:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{779c84d1-9384-11dc-abe0-0013d4240d2c}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-22 17:05:47 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-30 00:24:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-30 0:27:16 - machine was rebooted
C:\qoobox\ComboFix-quarantined-files.txt 2007-12-30 05:26:26
.
2007-12-13 08:04:45 --- E O F ---

Renv Log:

Code:
Ran on Sun 12/30/2007 -  0:28:08.67

----a-w           393,216 2007-12-30 05:12:24  C:\Program Files\ALLTEL DSL Check-up Center\SmartBridge\MotiveSB .exe
----a-w           339,968 2007-12-30 05:12:16  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w           185,896 2007-12-30 05:12:27  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            48,752 2007-12-30 05:12:21  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w            68,856 2007-12-30 05:12:29  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w           139,264 2007-12-30 05:12:15  C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif .exe
----a-w         1,694,208 2007-12-30 04:56:09  C:\Program Files\Messenger\msmsgs .exe
----a-w           366,400 2007-12-30 05:12:29  C:\Program Files\Picasa2\PicasaMediaDetector .exe
----a-w           651,264 2007-12-29 15:09:34  C:\Program Files\QuickTime\qttask                     .exe
----a-w           282,624 2007-12-30 05:12:29  C:\Program Files\QuickTime\qttask                    .exe
----a-w           651,264 2007-12-30 05:11:53  C:\Program Files\QuickTime\qttask                   .exe
----a-w           651,264 2007-12-27 22:35:03  C:\Program Files\QuickTime\qttask                  .exe
----a-w           651,264 2007-12-27 10:52:14  C:\Program Files\QuickTime\qttask                 .exe
----a-w           651,264 2007-12-27 05:11:13  C:\Program Files\QuickTime\qttask                .exe
----a-w           651,264 2007-12-27 01:32:48  C:\Program Files\QuickTime\qttask               .exe
----a-w           651,264 2007-12-25 14:06:18  C:\Program Files\QuickTime\qttask              .exe
----a-w           651,264 2007-12-25 04:04:50  C:\Program Files\QuickTime\qttask             .exe
----a-w           651,264 2007-12-25 03:19:38  C:\Program Files\QuickTime\qttask            .exe
----a-w           651,264 2007-12-25 03:05:18  C:\Program Files\QuickTime\qttask           .exe
----a-w           651,264 2007-12-25 02:17:24  C:\Program Files\QuickTime\qttask          .exe
----a-w           651,264 2007-12-25 00:34:17  C:\Program Files\QuickTime\qttask         .exe
----a-w           651,264 2007-12-24 23:41:54  C:\Program Files\QuickTime\qttask        .exe
----a-w           651,264 2007-12-24 23:31:32  C:\Program Files\QuickTime\qttask       .exe
----a-w           651,264 2007-12-24 23:27:55  C:\Program Files\QuickTime\qttask      .exe
----a-w           651,264 2007-12-23 21:15:09  C:\Program Files\QuickTime\qttask     .exe
----a-w           651,264 2007-12-23 20:27:18  C:\Program Files\QuickTime\qttask    .exe
----a-w           651,264 2007-12-23 19:58:47  C:\Program Files\QuickTime\qttask   .exe
----a-w           651,264 2007-12-23 19:30:51  C:\Program Files\QuickTime\qttask  .exe
----a-w           651,264 2007-12-23 19:02:34  C:\Program Files\QuickTime\qttask .exe
----a-w           551,032 2007-12-30 05:12:29  C:\Program Files\Sony\VAIO Update 3\VAIOUpdt .exe
----a-w         1,460,560 2007-12-30 05:12:33  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w            85,696 2007-12-30 05:12:23  C:\Program Files\Symantec AntiVirus\VPTray .exe
----a-w            59,392 2007-12-30 05:12:13  C:\WINDOWS\ehome\ehtray .exe
----a-w            28,672 2007-12-30 05:12:18  C:\WINDOWS\SONYSYS\VAIO Recovery\PartSeal .exe
----a-w            15,360 2007-12-30 05:12:31  C:\WINDOWS\system32\ctfmon .exe
----a-w            98,304 2007-12-30 05:12:23  C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATI9FA .EXE

 Entries:               36  (36)
 Directories:            0  Files:            36
 Bytes:         18,843,480  Blocks:       36,808
Thanks,
Bobby
bwbrown55 is offline  
Old 12-29-2007, 10:51 PM   #4 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 3,045
OS: XP


Re: Can't get rid of virtumonde and popups

You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode:

Click Start > Turn Off Computer > Restart > Tap the F8 key just before Windows starts to load > This will bring up a menu > Use your keyboard to scroll to Safe Mode > Hit Enter.


Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
______

Open NOTEPAD and copy/paste the text in the codebox below into it:

Code:
C:\Program Files\ALLTEL DSL Check-up Center\SmartBridge\MotiveSB .exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\Picasa2\PicasaMediaDetector .exe   
C:\Program Files\QuickTime\qttask                    .exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Symantec AntiVirus\VPTray .exe
C:\WINDOWS\ehome\ehtray .exe
C:\WINDOWS\SONYSYS\VAIO Recovery\PartSeal .exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATI9FA .EXE
Save this as Log.txt



Referring to the picture above, drag Log.txt into RenV.exe

When finished, it shall produce a new log for you. Post that log in your next reply.
__________________
Proud member of UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.

Last edited by Angelfire777 : 12-29-2007 at 11:09 PM.
Angelfire777 is offline  
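As an added illustration (not from the thread, and not RenV's own code): a small Python parser for log lines in the RenV layout quoted above that flags file names padded with whitespace before the extension, the "qttask      .exe" pattern in the log, and reports the cleaned name a renamer would restore. The sample log is constructed for the example from paths on this page plus one unpadded control entry, and both regexes are inferred from the visible layout, not from a RenV format specification.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the RenV log layout quoted in this thread (one clean control entry added).
SAMPLE_LOG = r"""Ran on Sun 12/30/2007 -  0:28:08.67

----a-w           393,216 2007-12-30 05:12:24  C:\Program Files\ALLTEL DSL Check-up Center\SmartBridge\MotiveSB .exe
----a-w           651,264 2007-12-29 15:09:34  C:\Program Files\QuickTime\qttask                     .exe
----a-w            15,360 2007-12-30 05:12:31  C:\WINDOWS\system32\ctfmon.exe
----a-w            98,304 2007-12-30 05:12:23  C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATI9FA .EXE

 Entries:                4  (4)
"""

# attributes, byte size, date and time, then the path (regex inferred from the layout, not RenV's spec)
LINE_RE = re.compile(r"^(?P<attrs>\S+)\s+(?P<size>[\d,]+)\s+(?P<date>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<path>.+)$")
# a file name whose stem is followed by whitespace and then an extension ("qttask      .exe")
PADDED_NAME_RE = re.compile(r"^(?P<stem>.*?\S)\s+(?P<ext>\.[A-Za-z0-9]+)$")

def parse_renv_log(text):
    """Return one dict per file entry; the header and summary lines do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append({"size": int(m["size"].replace(",", "")), "path": m["path"]})
    return entries

def normalized_name(path):
    """Path with the padding before the extension removed, or None when the name is not padded."""
    p = PureWindowsPath(path)
    m = PADDED_NAME_RE.match(p.name)
    if m is None:
        return None
    return str(p.with_name(m["stem"] + m["ext"]))

def find_padded_names(text):
    """(padded path, restored path) for every entry whose file name carries space padding."""
    hits = []
    for entry in parse_renv_log(text):
        fixed = normalized_name(entry["path"])
        if fixed is not None:
            hits.append((entry["path"], fixed))
    return hits

def rename_list(text):
    """The padded paths, one per line, in the Log.txt shape the post above asks for."""
    return "\n".join(padded for padded, _ in find_padded_names(text))
```

Only the file name component is inspected, so directories with legitimate spaces (such as "Program Files") never trigger a hit.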
Old 12-30-2007, 06:55 AM   #5 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 21
OS: win XP


Re: Can't get rid of virtumonde and popups

new RenV log:
Code:
Ran on Sun 12/30/2007 -  8:18:24.92

----a-w           651,264 2007-12-29 15:09:34  C:\Program Files\QuickTime\qttask                     .exe
----a-w           651,264 2007-12-30 05:11:53  C:\Program Files\QuickTime\qttask                   .exe
----a-w           651,264 2007-12-27 22:35:03  C:\Program Files\QuickTime\qttask                  .exe
----a-w           651,264 2007-12-27 10:52:14  C:\Program Files\QuickTime\qttask                 .exe
----a-w           651,264 2007-12-27 05:11:13  C:\Program Files\QuickTime\qttask                .exe
----a-w           651,264 2007-12-27 01:32:48  C:\Program Files\QuickTime\qttask               .exe
----a-w           651,264 2007-12-25 14:06:18  C:\Program Files\QuickTime\qttask