Go Back   Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads
Old 01-04-2008, 09:44 PM   #1 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 13
OS: WIN XP SP2


Got infected with virtumode

I run Norton antivirus & Spyware Doctor. I thought I was OK.
Spyware Doctor is finding infections and cannot clean them all.
Spyware Doc pinpointed these 4 files: pmkjj.dll, pmkjj.exe,
jjkmp.ini & jjkmp.ini2.
I could not delete these files.
I've tried Vundofix, FxVMonde, xcleaner, CleanUp40 in Safe mode and not.
HiJackThis cannot clean these files
None of it worked.
I even, with fingers crossed, went into Regedit and searched for all those files and the browser helper entry; deleted all. They were back upon reboot.
I am humbly asking for expert advice.
I tried the 5 steps before posting. I have them all done with these 3 exceptions:
1. Panda Active scan ran and found 4 spyware/ 1 hacking tool & rootkit.
The scan froze at the 23674th file C:\Fdisk\zipprep.bat and closed without
my being able to get a report. I ran the scan 5 times with the same non-results.
2. I ran Deckard's System Scanner and it ran up to "examining event logs",
then the scanner shuts down and a box pops up with the message: dss.exe has encountered a problem and needs to close.
3. I downloaded but couldn't open IE-spyad. ???
I was able to run HiJackThis and am posting that log file.
Please advise if my situation is not hopeless and I don't have to reformat.
Mahalo!

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:57:08 PM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer .exe
C:\Program Files\Spyware Doctor\SDTrayApp .exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kauluwehi\Desktop\HiJackThis_v2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {18142D0E-E391-4C57-92A5-C327F20186FF} - C:\WINDOWS\system32\pmkjj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {3f951d39-8de9-d458-1c94-425af55293c7} - {7c39255f-a524-49c1-854d-9ed893d159f3} - C:\WINDOWS\system32\ioblohaf.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [265d8a8f] rundll32.exe "C:\WINDOWS\system32\kgueynsp.dll",b
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1177810849578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BFFE0912-FF1F-490C-9B22-88109990E29B}: NameServer = 64.75.176.66 64.75.176.12
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7947 bytes
kaulu is offline  
Old 01-07-2008, 03:14 PM   #2 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
 
Join Date: Sep 2005
Location: Glasgow
Posts: 21,771
OS: Win XP Pro SP3

Re: Got infected with virtumode

Hi and welcome to TSF.

Apologies for any delay in replying, but we have been rather busy lately, and, of course, all our helpers are volunteers.


Download ComboFix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

CAUTION! Combofix should not be run without supervision - we cannot be held responsible if you end up re-installing Windows!

1. Close any open browsers and physically disconnect from the Internet.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
See here for a guide to disabling AV, Firewall and Anti-malware programmes.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the log C:\ComboFix.txt along with a fresh HijackThis Log for further review.


Do not mouseclick combofix's window whilst it's running. This may cause it to stall.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



Glaswegian is offline  
Old 01-07-2008, 06:33 PM   #3 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 13
OS: WIN XP SP2


Re: Got infected with virtumode

Hi and thanks,
Here are the logs.


ComboFix 07-12-31.4 - Kauluwehi 2008-01-07 15:01:52.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.108 [GMT -10:00]
Running from: C:\Documents and Settings\Kauluwehi\Desktop\ComboFix.exe
.
/wow section - STAGE 3
/wow section - STAGE 4
/wow section - STAGE 5
/wow section - STAGE 7
/wow section - STAGE 8
/wow section - STAGE 9
/wow section - STAGE 10
/wow section - STAGE 19
/wow section - STAGE 23
/wow section - STAGE 30
/wow section - STAGE 31
/wow section - STAGE 34
/wow section not completed

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
.
---- Previous Run -------
.
C:\WINDOWS\system32\pmkjj.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-08 to 2008-01-08 )))))))))))))))))))))))))))))))
.

2008-01-05 23:21 . 2008-01-07 15:01 1,044,289 ---hs---- C:\WINDOWS\system32\ydfktvyw.ini
2008-01-05 23:21 . 2008-01-05 23:21 90,176 --a------ C:\WINDOWS\system32\wyvtkfdy.dll
2008-01-05 23:18 . 2008-01-05 23:18 75,840 --a------ C:\WINDOWS\system32\aipvnsyo.dll
2008-01-05 23:15 . 2008-01-05 23:16 1,043,800 ---hs---- C:\WINDOWS\system32\laiwdotd.ini
2008-01-05 23:12 . 2008-01-05 23:12 75,840 --a------ C:\WINDOWS\system32\emladbcu.dll
2008-01-05 08:30 . 2008-01-07 15:05 721,499 --ahs---- C:\WINDOWS\system32\jjkmp.ini
2008-01-05 08:30 . 2008-01-07 15:02 341,504 --a------ C:\WINDOWS\system32\pmkjj.exe
2008-01-05 07:53 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 17:34 . 2008-01-04 17:34 <DIR> d-------- C:\Deckard
2008-01-04 17:28 . 2008-01-04 17:28 <DIR> d-------- C:\ie-spyad_zo
2008-01-04 17:18 . 2008-01-04 17:26 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-04 17:18 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-01-04 17:13 . 2008-01-04 17:13 1,043,980 ---hs---- C:\WINDOWS\system32\psnyeugk.ini
2008-01-04 17:11 . 2008-01-04 17:11 1,043,920 ---hs---- C:\WINDOWS\system32\ekchgkeb.ini
2008-01-04 17:04 . 2008-01-04 17:05 79,424 --a------ C:\WINDOWS\system32\gnttxyoy.dll
2008-01-04 17:01 . 2008-01-04 17:12 1,946,157,568 --a------ C:\B3B.tmp
2008-01-04 16:45 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-04 16:44 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\jxptloigjakn.sys
2008-01-04 16:10 . 2008-01-04 16:10 1,043,860 ---hs---- C:\WINDOWS\system32\hhyidaxk.ini
2008-01-04 16:08 . 2008-01-04 16:09 1,043,800 ---hs---- C:\WINDOWS\system32\axrbymcw.ini
2008-01-02 18:57 . 2008-01-07 05:10 19,441 --a------ C:\logfile
2008-01-02 18:45 . 2008-01-02 18:45 <DIR> d-------- C:\WINDOWS\system32\BWKDLogs
2008-01-02 18:43 . 2008-01-02 18:43 <DIR> d-------- C:\Program Files\Common Files\Kodak
2008-01-02 18:40 . 2008-01-02 18:45 <DIR> d-------- C:\Program Files\Kodak
2008-01-02 18:39 . 2008-01-02 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kodak
2007-12-31 22:16 . 2007-12-31 22:27 1,919,166,464 --a------ C:\E86.tmp
2007-12-31 21:27 . 2007-12-31 21:38 1,946,157,568 --a------ C:\719.tmp
2007-12-30 18:27 . 2007-12-30 18:34 1,946,157,568 --a------ C:\22CE.tmp
2007-12-30 17:49 . 2007-12-30 17:54 1,946,157,568 --a------ C:\1A9B.tmp
2007-12-30 17:29 . 2007-12-30 17:36 1,946,157,568 --a------ C:\1276.tmp
2007-12-30 17:07 . 2007-12-30 17:14 1,946,157,568 --a------ C:\A4C.tmp
2007-12-30 13:35 . 2008-01-04 16:55 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-30 13:35 . 2008-01-04 16:41 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-30 13:35 . 2008-01-04 16:41 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-30 13:35 . 2008-01-04 16:41 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-30 13:19 . 2008-01-07 15:05 721,499 --ahs---- C:\WINDOWS\system32\jjkmp.ini2
2007-12-30 12:03 . 2007-12-30 12:03 337,920 --a------ C:\WINDOWS\system32\pmkjj.dll
2007-12-27 09:43 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-27 09:41 . 2007-12-27 09:43 <DIR> d-------- C:\Program Files\Java
2007-12-27 09:41 . 2007-12-27 09:41 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-25 23:20 . 2007-12-25 23:20 1,018,562 ---hs---- C:\WINDOWS\system32\rqwnalhn.ini
2007-12-25 18:45 . 2007-01-18 02:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-12-25 17:17 . 2007-12-25 17:17 75 --a------ C:\WINDOWS\WININIT.INI
2007-12-25 17:03 . 2007-12-25 17:03 <DIR> d-------- C:\Program Files\X-Cleaner
2007-12-25 13:32 . 2008-01-07 14:39 53,248 --a------ C:\WINDOWS\system32\VTTimer .exe
2007-12-25 09:10 . 2007-12-30 10:51 <DIR> d-------- C:\VundoFix Backups
2007-12-25 08:35 . 2007-12-25 08:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2007-12-23 00:10 . 2008-01-07 05:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-23 00:10 . 2007-12-23 00:10 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))



Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 15:21, on 2008-01-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer .exe
C:\Program Files\Spyware Doctor\SDTrayApp .exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kauluwehi\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: {7cb1727a-499a-445a-4034-7442869ee8a6} - {6a8ee968-2447-4304-a544-a994a7271bc7} - C:\WINDOWS\system32\aipvnsyo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7AE8FA83-8964-4FC7-ADB7-C63C8A27F716} - C:\WINDOWS\system32\pmkjj.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [265d8a8f] rundll32.exe "C:\WINDOWS\system32\wyvtkfdy.dll",b
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1177810849578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7582 bytes
kaulu is offline  
Old 01-08-2008, 02:11 PM   #4 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
 
Join Date: Sep 2005
Location: Glasgow
Posts: 21,771
OS: Win XP Pro SP3

Re: Got infected with virtumode

Hi again

It looks like you did not copy and paste the complete combofix log. It contains important details to allow me to make the correct choices when providing instructions. Please make sure the next combofix log is complete.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your log is clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.


Combofix
  • Close any open browsers.
  • Open notepad and copy/paste the text in the box below into it:

Code:
File::
C:\WINDOWS\system32\ydfktvyw.ini
C:\WINDOWS\system32\wyvtkfdy.dll
C:\WINDOWS\system32\aipvnsyo.dll
C:\WINDOWS\system32\laiwdotd.ini
C:\WINDOWS\system32\emladbcu.dll
C:\WINDOWS\system32\jjkmp.ini
C:\WINDOWS\system32\pmkjj.exe
C:\WINDOWS\system32\psnyeugk.ini
C:\WINDOWS\system32\ekchgkeb.ini
C:\WINDOWS\system32\gnttxyoy.dll
C:\B3B.tmp
C:\WINDOWS\system32\drivers\jxptloigjakn.sys
C:\WINDOWS\system32\hhyidaxk.ini
C:\WINDOWS\system32\axrbymcw.ini
C:\E86.tmp
C:\719.tmp
C:\22CE.tmp
C:\1A9B.tmp
C:\1276.tmp
C:\A4C.tmp
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\jjkmp.ini2
C:\WINDOWS\system32\pmkjj.dll
C:\WINDOWS\system32\rqwnalhn.ini
Looking at the image below as an example

Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at "C:\ComboFix.txt"

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up re-installing Windows!


Please post the log C:\ComboFix.txt along with a fresh HijackThis Log for further review.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



Glaswegian is offline  
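The CFScript above was assembled from the ComboFix "Files Created" section and the HijackThis O2/O4 lines, where several entries come in pairs whose names are mirror images (ydfktvyw.ini and wyvtkfdy.dll, jjkmp.ini and pmkjj.dll, psnyeugk.ini and kgueynsp.dll). As an added example, not code from the thread, ComboFix or HijackThis, here is a Python triage script that reads such excerpts and flags those signals; the sample lines are copied from the logs posted above, while the rule names and the random-name heuristic are my own assumptions.

```python
"""Triage helper for HijackThis and ComboFix log excerpts (added example)."""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the logs posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {18142D0E-E391-4C57-92A5-C327F20186FF} - C:\WINDOWS\system32\pmkjj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {3f951d39-8de9-d458-1c94-425af55293c7} - {7c39255f-a524-49c1-854d-9ed893d159f3} - C:\WINDOWS\system32\ioblohaf.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [265d8a8f] rundll32.exe "C:\WINDOWS\system32\kgueynsp.dll",b
"""
SAMPLE_COMBOFIX = r"""
2008-01-05 23:21 . 2008-01-07 15:01 1,044,289 ---hs---- C:\WINDOWS\system32\ydfktvyw.ini
2008-01-05 23:21 . 2008-01-05 23:21 90,176 --a------ C:\WINDOWS\system32\wyvtkfdy.dll
2008-01-05 08:30 . 2008-01-07 15:05 721,499 --ahs---- C:\WINDOWS\system32\jjkmp.ini
2008-01-05 08:30 . 2008-01-07 15:02 341,504 --a------ C:\WINDOWS\system32\pmkjj.exe
2008-01-04 17:13 . 2008-01-04 17:13 1,043,980 ---hs---- C:\WINDOWS\system32\psnyeugk.ini
2008-01-04 17:18 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2007-12-30 12:03 . 2007-12-30 12:03 337,920 --a------ C:\WINDOWS\system32\pmkjj.dll
2008-01-04 17:18 . 2008-01-04 17:26 <DIR> d-------- C:\Program Files\SpywareBlaster
"""

# Line formats as they appear in the posted logs (regexes are my own).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
CF_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+"
                   r"(?P<size>[\d,]+|<DIR>)\s+(?P<attr>[-a-z]{9})\s+(?P<path>.+)$")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
SYS32_RE = re.compile(r"\\system32\\[^\\]+$", re.I)
DLL_RE = re.compile(r'([A-Za-z]:\\[^"]*?\\system32\\[^\\"]+?\.dll)', re.I)
VOWELS = set("aeiou")


def looks_random(stem: str) -> bool:
    """Heuristic only: 5-12 lowercase letters containing a run of four or more
    consonants (y counted as a consonant). It misses some names, so the analyst
    still reads the log; this is a prompt, not a verdict."""
    s = stem.lower()
    if not re.fullmatch(r"[a-z]{5,12}", s):
        return False
    run = longest = 0
    for c in s:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4


def file_stem(path: str):
    """Return (stem, extension) of the last path component, lowercased."""
    name = path.rstrip('"').rsplit("\\", 1)[-1].lower()
    stem, _, ext = name.rpartition(".")
    return stem, ext


def triage(hjt_text: str, combofix_text: str) -> list:
    """Return sorted 'rule: detail' strings for four signals seen in this thread:
    unnamed or GUID-named BHOs, Run keys loading a system32 DLL via rundll32,
    hidden+system .ini files in system32, and .ini/.dll name mirror pairs."""
    findings = set()
    seen = defaultdict(set)  # stem -> {extensions} for files under system32

    def note(path):
        if SYS32_RE.search(path):
            stem, ext = file_stem(path)
            seen[stem].add(ext)

    for line in hjt_text.splitlines():
        m = O2_RE.match(line)
        if m:
            note(m["path"])
            if m["name"] == "(no name)" or GUID_RE.match(m["name"]):
                findings.add(f"bho-unnamed: {m['path']}")
            continue
        m = O4_RE.match(line)
        if m and m["cmd"].lower().startswith("rundll32"):
            d = DLL_RE.search(m["cmd"])
            if d:
                note(d.group(1))
                if looks_random(file_stem(d.group(1))[0]):
                    findings.add(f"run-rundll32: [{m['name']}] {d.group(1)}")

    for line in combofix_text.splitlines():
        m = CF_RE.match(line)
        if not m or m["size"] == "<DIR>":
            continue
        note(m["path"])
        _, ext = file_stem(m["path"])
        if ext == "ini" and {"h", "s"} <= set(m["attr"]) and SYS32_RE.search(m["path"]):
            findings.add(f"hidden-system-ini: {m['path']}")

    # An .ini whose stem reads backwards as a .dll/.exe stem (ydfktvyw <-> wyvtkfdy).
    for stem, exts in seen.items():
        if "ini" in exts:
            for ext in sorted(seen.get(stem[::-1], ())):
                if ext in ("dll", "exe"):
                    findings.add(f"mirror-pair: {stem}.ini <-> {stem[::-1]}.{ext}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in triage(SAMPLE_HJT, SAMPLE_COMBOFIX):
        print(finding)
```

Run it on a full pasted log rather than the embedded excerpt to see which of the helper's chosen files the four rules would have surfaced on their own, and which only an analyst reading the whole log would catch.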
Old 01-08-2008, 03:05 PM   #5 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 13
OS: WIN XP SP2


Re: Got infected with virtumode

Hello, I copied, pasted & saved as CFScript, dragged it into Combofix.exe.
I found the resulting log in C:\ComboFix\ComboFix.txt.
It looks similar to the last combofix log.
Take a look, I don't know what is going wrong.

ComboFix 07-12-31.4 - Kauluwehi 2008-01-08 11:33:31.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.150 [GMT -10:00]
Running from: C:\Documents and Settings\Kauluwehi\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kauluwehi\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\1276.tmp
C:\1A9B.tmp
C:\22CE.tmp
C:\719.tmp
C:\A4C.tmp
C:\B3B.tmp
C:\E86.tmp
C:\WINDOWS\system32\aipvnsyo.dll
C:\WINDOWS\system32\axrbymcw.ini
C:\WINDOWS\system32\drivers\jxptloigjakn.sys
C:\WINDOWS\system32\ekchgkeb.ini
C:\WINDOWS\system32\emladbcu.dll
C:\WINDOWS\system32\gnttxyoy.dll
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\hhyidaxk.ini
C:\WINDOWS\system32\jjkmp.ini
C:\WINDOWS\system32\jjkmp.ini2
C:\WINDOWS\system32\laiwdotd.ini
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\pmkjj.dll
C:\WINDOWS\system32\pmkjj.exe
C:\WINDOWS\system32\psnyeugk.ini
C:\WINDOWS\system32\rqwnalhn.ini
C:\WINDOWS\system32\wyvtkfdy.dll
C:\WINDOWS\system32\ydfktvyw.ini
.
/wow section - STAGE 3
/wow section - STAGE 4
/wow section - STAGE 5
/wow section - STAGE 7
/wow section - STAGE 8
/wow section - STAGE 9
/wow section - STAGE 19
/wow section - STAGE 30
/wow section - STAGE 33
/wow section - STAGE 36

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1276.tmp
C:\1A9B.tmp
C:\22CE.tmp
C:\719.tmp
C:\A4C.tmp
C:\B3B.tmp
C:\E86.tmp
C:\WINDOWS\system32\aipvnsyo.dll
C:\WINDOWS\system32\axrbymcw.ini
C:\WINDOWS\system32\drivers\jxptloigjakn.sys
C:\WINDOWS\system32\ekchgkeb.ini
C:\WINDOWS\system32\emladbcu.dll
C:\WINDOWS\system32\gnttxyoy.dll
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\hhyidaxk.ini
C:\WINDOWS\system32\jjkmp.ini
C:\WINDOWS\system32\jjkmp.ini2
C:\WINDOWS\system32\laiwdotd.ini
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\pmkjj.dll
C:\WINDOWS\system32\pmkjj.exe
C:\WINDOWS\system32\psnyeugk.ini
C:\WINDOWS\system32\rqwnalhn.ini
C:\WINDOWS\system32\ydfktvyw.ini
C:\WINDOWS\system32\pmkjj.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-08 to 2008-01-08 )))))))))))))))))))))))))))))))
.

2008-01-08 11:47 . 2008-01-08 11:47 388,608 --a------ C:\WINDOWS\system32\cmd .exe
2008-01-08 11:47 . 2008-01-08 11:47 337,920 --------- C:\WINDOWS\system32\pmkjj.dll
2008-01-08 04:59 . 2008-01-08 05:02 77,888 --a------ C:\WINDOWS\system32\yuxxdens.dll
2008-01-08 04:58 . 2008-01-08 11:49 1,044,875 ---hs---- C:\WINDOWS\system32\pasoyplt.ini
2008-01-08 04:56 . 2008-01-08 04:58 90,176 --a------ C:\WINDOWS\system32\tlpyosap.dll
2008-01-08 04:51 . 2008-01-08 04:55 1,044,575 --ahs---- C:\WINDOWS\system32\boqqvtef.ini
2008-01-08 04:41 . 2008-01-08 04:42 77,888 --a------ C:\WINDOWS\system32\lxchbmbb.dll
2008-01-05 07:53 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 17:34 . 2008-01-04 17:34 <DIR> d-------- C:\Deckard
2008-01-04 17:28 . 2008-01-04 17:28 <DIR> d-------- C:\ie-spyad_zo
2008-01-04 17:18 . 2008-01-04 17:26 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-04 17:18 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-01-04 16:45 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-02 18:57 . 2008-01-08 11:50 24,679 --a------ C:\logfile
2008-01-02 18:45 . 2008-01-02 18:45 <DIR> d-------- C:\WINDOWS\system32\BWKDLogs
2008-01-02 18:43 . 2008-01-02 18:43 <DIR> d-------- C:\Program Files\Common Files\Kodak
2008-01-02 18:40 . 2008-01-02 18:45 <DIR> d-------- C:\Program Files\Kodak
2008-01-02 18:39 . 2008-01-02 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kodak
2007-12-30 13:35 . 2008-01-04 16:55 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-30 13:35 . 2008-01-04 16:41 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-27 09:43 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-27 09:41 . 2007-12-27 09:43 <DIR> d-------- C:\Program Files\Java
2007-12-27 09:41 . 2007-12-27 09:41 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-25 18:45 . 2007-01-18 02:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-12-25 17:17 . 2007-12-25 17:17 75 --a------ C:\WINDOWS\WININIT.INI
2007-12-25 17:03 . 2007-12-25 17:03 <DIR> d-------- C:\Program Files\X-Cleaner
2007-12-25 13:32 . 2008-01-08 11:48 53,248 --a------ C:\WINDOWS\system32\VTTimer .exe
2007-12-25 09:10 . 2007-12-30 10:51 <DIR> d-------- C:\VundoFix Backups
2007-12-25 08:35 . 2007-12-25 08:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2007-12-23 00:10 . 2008-01-08 11:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-23 00:10 . 2007-12-23 00:10 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.



Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:53, on 2008-01-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\SDTrayApp .exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Kauluwehi\Desktop\HiJackThis_v2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkjj.exe
O2 - BHO: {c5fda177-ef63-fb4a-0594-f7b9550fe747} - {747ef055-9b7f-4950-a4bf-36fe771adf5c} - C:\WINDOWS\system32\yuxxdens.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A6160C36-B162-4E66-A8C2-A10704E4FEB8} - C:\WINDOWS\system32\pmkjj.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [265d8a8f] rundll32.exe "C:\WINDOWS\system32\tlpyosap.dll",b
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1177810849578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7676 bytes
kaulu is offline  
Old 01-08-2008, 03:27 PM   #6 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 13
OS: WIN XP SP2


Re: Got infected with virtumode

Short note: after this last combofix scan, upon reboot, right after the screen said creating log, the text "access denied" appeared, then the screen closed.
kaulu is offline  
Old 01-08-2008, 03:40 PM   #7 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 13
OS: WIN XP SP2


Re: Got infected with virtumode

Sorry, Kaulu again,
Deckard's Scanner did create a log on 4 Jan; after searching, I found it.
Hope it helps.


Deckard's System Scanner v20071014.68
Run by Kauluwehi on 2008-01-04 17:35:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2008-01-05 03:35:15 UTC - RP3 - Deckard's System Scanner Restore Point
2: 2008-01-05 01:52:21 UTC - RP2 - System Checkpoint
1: 2008-01-03 15:27:29 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 479 MiB (512 MiB recommended).


-- HijackThis (run as Kauluwehi.exe) -------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-04 17:36:13
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\Speed Disk\NOPDB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer .exe
C:\Program Files\Spyware Doctor\SDTrayApp .exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kauluwehi\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {18142D0E-E391-4C57-92A5-C327F20186FF} - C:\WINDOWS\system32\pmkjj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {3f951d39-8de9-d458-1c94-425af55293c7} - {7c39255f-a524-49c1-854d-9ed893d159f3} - C:\WINDOWS\system32\ioblohaf.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [265d8a8f] rundll32.exe "C:\WINDOWS\system32\kgueynsp.dll",b
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1177810849578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\Speed Disk\NOPDB.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


--
End of file - 7626 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 GBDevice - c:\windows\system32\drivers\gbdevice.sys <Not Verified; Symantec Corporation; Norton GoBack>
R0 GoBack2K - c:\windows\system32\drivers\goback2k.sys <Not Verified; Symantec Corporation; Norton GoBack>
R2 GBFSHook - c:\windows\system32\drivers\gbfshook.sys <Not Verified; Symantec Corporation; Norton GoBack>

S3 SDdriver - c:\windows\system32\drivers\sddriver.sys <Not Verified; Symantec Corporation; Norton Speed Disk>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Speed Disk service - c:\progra~1\norton~1\norton~3\speedd~1\nopdb.exe <Not Verified; Symantec Corporation; Norton Speed Disk>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-01-04 14:47:16 366 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2008-01-03 00:00:00 324 --a------ C:\WINDOWS\Tasks\Symantec Drmc.job
2008-01-02 18:39:54 450 --a------ C:\WINDOWS\Tasks\EasyShare Registration Task.job
2008-01-01 18:00:00 414 --a------ C:\WINDOWS\Tasks\Pareto UNS.job
2007-12-21 20:00:00 556 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Kauluwehi.job
2007-11-26 12:00:00 308 --a------ C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job


-- Files created between 2007-12-04 and 2008-01-04 -----------------------------

2008-01-04 17:28:33 0 d-------- C:\ie-spyad_zo
2008-01-04 17:18:40 0 d-------- C:\Program Files\SpywareBlaster
2008-01-04 17:13:36 90176 --a------ C:\WINDOWS\system32\kgueynsp.dll
2008-01-04 17:11:04 90176 -----n--- C:\WINDOWS\system32\bekghcke.dll
2008-01-04 17:05:43 79424 --a------ C:\WINDOWS\system32\ioblohaf.dll
2008-01-04 17:04:51 79424 --a------ C:\WINDOWS\system32\gnttxyoy.dll
2008-01-04 16:45:07 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-01-04 16:44:16 8576 --a------ C:\WINDOWS\system32\drivers\jxptloigjakn.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-04 16:10:31 90176 -----n--- C:\WINDOWS\system32\kxadiyhh.dll
2008-01-04 16:07:46 90176 -----n--- C:\WINDOWS\system32\wcmybrxa.dll
2008-01-03 16:00:31 1751 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
2008-01-02 18:57:09 10821 --a------ C:\logfile
2008-01-02 18:45:21 0 d-------- C:\WINDOWS\system32\BWKDLogs
2008-01-02 18:43:59 0 d-------- C:\Program Files\Common Files\Kodak
2008-01-02 18:40:41 0 d-------- C:\Program Files\Kodak
2008-01-02 18:39:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Kodak
2007-12-30 13:35:36 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-30 13:19:01 341504 --a------ C:\WINDOWS\system32\pmkjj.exe
2007-12-30 13:19:01 721491 --ahs---- C:\WINDOWS\system32\jjkmp.ini2
2007-12-30 12:03:10 337920 --a------ C:\WINDOWS\system32\pmkjj.dll
2007-12-27 09:41:37 0 d-------- C:\Program Files\Java
2007-12-27 09:41:34 0 d-------- C:\Program Files\Common Files\Java
2007-12-25 17:03:33 0 d-------- C:\Program Files\X-Cleaner
2007-12-25 09:10:55 0 d-------- C:\VundoFix Backups
2007-12-25 08:35:05 0 d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware


-- Find3M Report ---------------------------------------------------------------

2008-01-04 16:45:50
kaulu is offline  
Old 01-09-2008, 12:04 AM   #8 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 13
OS: WIN XP SP2


Re: Got infected with virtumode

I just found the extra.txt file. I tried uploading, but it failed to upload.
I hope these help. Like I said in my first post, Deckard closed on its own
and did not open Main.txt or extra.txt. I found these deep in C:\Deckard.

Pasting file:


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Celeron(R) CPU 3.06GHz
Percentage of Memory in Use: 71%
Physical Memory (total/avail): 478.43 MiB / 134.3 MiB
Pagefile Memory (total/avail): 1119.83 MiB / 483.76 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1933.27 MiB

C: is Fixed (NTFS) - 93.35 GiB total, 39.47 GiB free.
D: is Fixed (NTFS) - 75.39 GiB total, 71.58 GiB free.
E: is Fixed (NTFS) - 17.57 GiB total, 17.41 GiB free.
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is CDROM (No Media)
K: is CDROM (No Media)
L: is Removable (FAT)

\\.\PHYSICALDRIVE0 - WDC WD2000JB-00REA0 - 186.31 GiB - 3 partitions
\PARTITION0 (bootable) - Installable File System - 93.35 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 92.96 GiB - D: - E:

\\.\PHYSICALDRIVE1 - IC USB Storage-CFC USB Device

\\.\PHYSICALDRIVE3 - IC USB Storage-MMC USB Device

\\.\PHYSICALDRIVE4 - IC USB Storage-MSC USB Device

\\.\PHYSICALDRIVE2 - IC USB Storage-SMC USB Device

\\.\PHYSICALDRIVE5 - Kingston DataTraveler 2.0 USB Device - 1961.06 MiB - 1 partition
\PARTITION0 - Win95 w/Extended Int 13 - 1967.98 MiB - L:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: Norton Internet Worm Protection v2006 (Symantec)
AV: Norton AntiVirus v2005 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Kauluwehi\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SUPPORT-DB6ED54
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Kauluwehi
LOGONSERVER=\\SUPPORT-DB6ED54
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\KAULUW~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\KAULUW~1\LOCALS~1\Temp
USERDOMAIN=SUPPORT-DB6ED54
USERNAME=Kauluwehi
USERPROFILE=C:\Documents and Settings\Kauluwehi
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Kawaikealoha (admin)
Kaimi (admin)
Kauluwehi (admin)
BuBBLeS (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\system32\UninstIPP.isu
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{329899E1-CBBA-49BC-9FFE-199E94316727}\setup.exe" -l0x9 -removeonly
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
--> VTUninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Timer'
ArcSoft PhotoStudio 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85309D89-7BE9-4094-BB17-24999C6118FC}\SETUP.EXE" -l0x9
AVG Anti-Rootkit Free --> C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\Uninstall.exe
Canon Camera Support Core Library --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{26BDE7D8-93F0-4A07-AD47-1707DB417941} /l1033
Canon Camera Window for ZoomBrowser EX --> C:\Program Files\Common