Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Post #1, 12-06-2008, 04:37 PM
mikejl29 (Registered User; Join Date: Dec 2008; Posts: 15; OS: Vista)

This Virtumonde just won't die!!

So I'm a first-time poster here and I would be grateful if someone could help me out. Beers on me!

Background
Running Vista on a Toshiba Satellite. I've been using computers since 486 MHz and dial-up modems. I can work my way through MSConfig and Regedit without much problem. So two weeks ago I got a popup about some "Antivirus 2009" or something of the like; I never accepted it and always closed it, and with a bit of research found it was Virtumonde, or some form of it. I got Malwarebytes to try and get rid of it, which it does, but Virtumonde.pcx always seems to return no matter what I do. I tried Malwarebytes, Spybot and VundoFix; none would fully get rid of it, and VundoFix never found it.

Now there is something that keeps coming back in my MSConfig as a startup called yejubano.dll. The process is called 'wilofobuze'. I restarted my computer into safe mode + command line, entered Regedit and tried to delete every reference to it, but as soon as I navigated out of the /CurrentVer/Run/ folder in the registry and went back in, the process had recreated itself. I can see it in the DDS report below.

Thanks to anyone who can help me out with this challenge. Instant email notification is turned on, and I'll be checking back here ASAP.

And without further ado...

DDS (Version 1.0) - NTFSx86
Run by Mike at 17:29:23.90 on 06/12/2008
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.2.1033.18.2038.1199 [GMT -5:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\dlbtcoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\mobsync.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\conime.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Mike\Desktop\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.shoptoshiba.ca/welcome
uInternet Settings,ProxyOverride = *.local
BHO: {2D74EFDC-7D66-7FF8-98B8-5B0B9A406BF1} - c:\windows\system32\amqneozkhpjfe.dll
BHO: {4FD130AE-D8D2-4137-A680-C5CF233BE545} - c:\windows\system32\iifcYSJA.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6524E433-B7BE-480E-A146-2D764D6D7849} - c:\windows\system32\iIBuuVMF.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {8513278c-2b39-4f12-9a52-2ffcd904cb8e} - c:\windows\system32\nusijavu.dll
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {C81B3B86-175D-4659-AB67-1C59DC63AFE3} - c:\windows\system32\khfeCVom.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [HWSetup] c:\program files\toshiba\utilities\HWSetup.exe hwSetUP
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [DLBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBTtime.dll,_RunDLLEntry@16
mRun: [FinePrint Dispatcher v5] "c:\windows\system32\spool\drivers\w32x86\3\fpdisp5a.exe" /source=HKLM
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CPMb72c8c12] Rundll32.exe "c:\windows\system32\yamomenu.dll",a
mRun: [wilofobuze] Rundll32.exe "c:\windows\system32\yejubano.dll",s
dRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-f400-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Locate Spot on Map by GPS - c:\program files\opanda\iexif 2.3\IExifMap.htm
IE: View Exif/GPS/IPTC with IExif - c:\program files\opanda\iexif 2.3\IExifCom.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: ozzzow.dll c:\windows\ c:\windows\system32\pmagdxll.dll rvywea.dll skwfje.dll uvhmme.dll c:\windows\system32\vusotibu.dll c:\windows\system32\gagufade.dll
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: {C31C05B4-0A01-4DC2-8E5E-0315459F508E} - c:\windows\system32\mLecAqrQ.dll
SEH: {B58C9513-8896-4A6A-9BA8-0FBA3423F821} - c:\windows\system32\jkKeeBsS.dll
SEH: {C81B3B86-175D-4659-AB67-1C59DC63AFE3} - c:\windows\system32\khfeCVom.dll
SEH: {4FD130AE-D8D2-4137-A680-C5CF233BE545} - c:\windows\system32\iifcYSJA.dll
LSA: Notification Packages = scecli c:\windows\system32\vusotibu.dll
LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\mlJawWmn

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2008-12-06 16:36 <DIR> --d----- c:\program files\Trend Micro
2008-12-05 17:02 <DIR> --d----- c:\windows\system32\vos
2008-12-05 17:02 <DIR> --d----- c:\windows\system32\op4
2008-12-05 17:02 <DIR> --d----- c:\windows\system32\ecs1
2008-12-05 17:02 278,301 a------- c:\temp\St8REV2.exe
2008-12-05 17:02 36,864 a------- c:\windows\system32\opnkljki.dll
2008-12-05 17:02 <DIR> --d----- c:\windows\system32\uXPi02
2008-12-05 17:02 <DIR> --d----- c:\temp\DIV55
2008-12-05 14:46 129,024 a------- c:\windows\system32\tasgmuft.dll
2008-12-03 02:31 129,024 a------- c:\windows\system32\exesudbc.dll
2008-12-02 19:50 36,864 a------- c:\windows\system32\awtqrspN.dll
2008-12-02 13:08 <DIR> --d----- c:\program files\wamp
2008-12-02 02:30 129,024 a------- c:\windows\system32\kjdndoai.dll
2008-12-02 00:01 129,024 a------- c:\windows\system32\rchkaajo.dll
2008-12-01 22:01 37,376 a------- c:\windows\system32\qoMdDvVN.dll
2008-12-01 17:38 129,024 a------- c:\windows\system32\llgoxwch.dll
2008-12-01 17:37 120 ---sh--- c:\windows\system32\vudikrlw.ini
2008-12-01 01:32 120 ---sh--- c:\windows\system32\bkwrqahs.ini
2008-11-30 13:06 250 a------- c:\windows\gmer.ini
2008-11-30 11:02 120 ---sh--- c:\windows\system32\adulokup.ini
2008-11-28 01:04 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2008-11-28 01:04 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-28 01:04 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2008-11-28 00:53 123,904 a------- c:\windows\system32\nmbianfh.dll
2008-11-26 12:22 120,832 -------- c:\windows\system32\wtavuodu.dll
2008-11-26 12:19 307,200 -------- c:\windows\system32\yATJbxXr.dll
2008-11-25 14:38 64 a------- c:\users\mike\w.bat
2008-11-25 12:40 <DIR> --d----- c:\users\mike\appdata\roaming\HandBrake
2008-11-25 00:18 <DIR> --d----- c:\program files\iPod
2008-11-25 00:18 <DIR> --d----- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-25 00:18 <DIR> --d----- c:\progra~2\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-24 23:38 120,832 a------- c:\windows\system32\seegnj.dll
2008-11-24 23:37 120,832 a------- c:\windows\system32\amdtglcq.dll
2008-11-24 17:37 120,832 a------- c:\windows\system32\wqxevw.dll
2008-11-24 17:37 120,832 a------- c:\windows\system32\htefyjwm.dll
2008-11-24 17:29 34,816 a------- c:\windows\system32\xxyywvVP.dll
2008-11-24 12:26 <DIR> --d----- c:\programdata\FlashFXP
2008-11-24 12:26 <DIR> --d----- c:\progra~2\FlashFXP
2008-11-24 00:14 120,320 a------- c:\windows\system32\cjiowy.dll
2008-11-24 00:14 120,320 a------- c:\windows\system32\jsoaeopc.dll
2008-11-23 23:14 120,320 a------- c:\windows\system32\icsvdl.dll
2008-11-23 23:14 120,320 a------- c:\windows\system32\pxvvorao.dll
2008-11-23 12:06 <DIR> --d----- C:\Poker
2008-11-18 20:00 120,832 -------- c:\windows\system32\rliujy.dll
2008-11-18 19:52 <DIR> --d----- c:\windows\system32\dPI02
2008-11-18 19:52 <DIR> --d----- c:\temp\FT62
2008-11-18 19:52 59,904 a------- c:\windows\system32\nnnljjGW.dll
2008-11-18 19:52 32,768 a------- c:\windows\system32\nnnkJCTL.dll
2008-11-18 19:51 65 a------- c:\users\mike\ff.bat
2008-11-17 16:08 120,320 a------- c:\windows\system32\lnqpdw.dll
2008-11-17 16:08 120,320 a------- c:\windows\system32\oapaqblh.dll
2008-11-17 09:29 120,320 a------- c:\windows\system32\pxjzik.dll
2008-11-17 09:29 120,320 a------- c:\windows\system32\ayxxssnu.dll
2008-11-17 01:39 33,832 a------- c:\windows\system32\marmanhr.exe
2008-11-16 01:36 33,832 a------- c:\windows\system32\jspowxge.exe
2008-11-15 22:43 120,832 a------- c:\windows\system32\plvuygdy.dll
2008-11-15 22:43 120,832 a------- c:\windows\system32\cmgmgf.dll
2008-11-15 01:35 33,832 a------- c:\windows\system32\coxppasp.exe
2008-11-14 01:39 33,832 a------- c:\windows\system32\fcyvpcug.exe
2008-11-13 19:07 120,832 a------- c:\windows\system32\smdnhf.dll
2008-11-13 19:07 120,832 a------- c:\windows\system32\ycyotwha.dll
2008-11-10 23:34 <DIR> --d----- c:\program files\ImageMagick-6.4.5-Q16
2008-11-10 18:16 <DIR> --d----- C:\VueScan
2008-11-10 01:40 33,832 a------- c:\windows\system32\inchtent.exe
2008-11-09 21:37 <DIR> --d----- c:\windows\system32\sX3i02
2008-11-09 21:37 <DIR> --d----- c:\temp\PRE45

==================== Find3M ====================

2008-12-06 17:09 87,608 a------- c:\users\mike\appdata\roaming\inst.exe
2008-12-06 17:09 47,360 a------- c:\users\mike\appdata\roaming\pcouffin.sys
2008-12-06 04:59 93,238 -------- c:\windows\system32\seviruwa.dll
2008-12-05 16:59 87,094 a--sh--- c:\windows\system32\pokihuyi.dll
2008-11-13 18:56 68 a------- c:\users\mike\c.bat
2008-11-13 18:56 62,464 a------- c:\users\mike\index.exe
2008-11-07 15:17 410,976 a------- c:\windows\system32\deploytk.dll
2008-10-22 16:10 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 16:10 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-10-15 09:25 644,976 a------- c:\program files\autoruns.exe
2008-10-15 09:25 538,480 a------- c:\program files\autorunsc.exe
2008-10-07 15:31 86,016 a------- c:\windows\inf\infstrng.dat
2008-10-07 15:31 86,016 a------- c:\windows\inf\infstor.dat
2008-10-07 15:31 51,200 a------- c:\windows\inf\infpub.dat
2008-10-01 22:49 826,368 a------- c:\windows\system32\wininet.dll
2008-10-01 22:49 56,320 a------- c:\windows\system32\iesetup.dll
2008-10-01 22:49 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-10-01 22:48 26,624 a------- c:\windows\system32\ieUnatt.exe
2008-09-19 16:55 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-09-19 16:55 200,704 a------- c:\windows\system32\ssldivx.dll
2008-09-17 23:35 3,470,904 a------- c:\windows\system32\ntoskrnl.exe
2008-09-17 23:35 3,505,208 a------- c:\windows\system32\ntkrnlpa.exe
2008-09-17 21:03 2,027,520 a------- c:\windows\system32\win32k.sys
2008-08-20 14:18 48,986 a------- c:\program files\autoruns.chm
2008-07-10 07:27 174 a--sh--- c:\program files\desktop.ini
2008-06-11 02:11 665,600 a------- c:\windows\inf\drvindex.dat
2008-04-24 11:54 0 a------- c:\programdata\PKP_DLdy.DAT
2008-04-24 11:54 0 a------- c:\progra~2\PKP_DLdy.DAT
2008-04-24 11:39 0 a------- c:\programdata\PKP_DLbz.DAT
2008-04-24 11:39 0 a------- c:\progra~2\PKP_DLbz.DAT
2008-03-07 11:15 4,581,415 a------- c:\users\mike\allok_flvconverter-trial.exe
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2006-07-28 08:32 7,005 -------- c:\program files\Eula.txt
2008-04-26 16:20 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-04-26 16:20 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-04-26 16:20 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-08-30 08:00 61,957 a--sh--- c:\windows\system32\vusotibu.dll
2005-07-29 16:24 472 a--shr-- c:\windows\twlrzq\nq5Otk.vbs

============= FINISH: 17:32:28.23 ===============
Attached Files: Attach.zip (22.8 KB)

Last edited by mikejl29; 12-06-2008 at 04:40 PM. Reason: Added VundoFix
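The DDS report above shows why deleting the Run value did not hold: the same family of DLLs is also registered under AppInit_DLLs (loaded into every new process that links user32.dll) and in the LSA Notification/Authentication package lists (loaded into lsass.exe), so a copy stays resident and rewrites the Run value as soon as it is removed. The Python below is an editor-added triage helper, not code from the post, from DDS or from ComboFix; its heuristics (a Run value that starts a system32 DLL through a one-letter export, any browser or shell hook living in system32, anything at all in AppInit_DLLs or beyond the Windows defaults in the LSA lists, and freshly created system32 PE files that share an exact byte size) are assumptions chosen for illustration. The sample input is constructed from lines of the post's own DDS log with a few benign entries added for contrast.

```python
"""Triage the persistence points in a DDS-style log.

Editor-added example; not code from the post, from DDS or from ComboFix.
The heuristics are assumptions made for illustration, not vendor logic.
"""
import re
from collections import defaultdict

# Constructed sample: lines excerpted from the DDS report in post #1, plus
# a few benign entries (Java BHO, igfxtray, DLBTtime, autoruns) for contrast.
SAMPLE_LOG = r"""
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {C81B3B86-175D-4659-AB67-1C59DC63AFE3} - c:\windows\system32\khfeCVom.dll
SEH: {4FD130AE-D8D2-4137-A680-C5CF233BE545} - c:\windows\system32\iifcYSJA.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [DLBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBTtime.dll,_RunDLLEntry@16
mRun: [CPMb72c8c12] Rundll32.exe "c:\windows\system32\yamomenu.dll",a
mRun: [wilofobuze] Rundll32.exe "c:\windows\system32\yejubano.dll",s
AppInit_DLLs: ozzzow.dll c:\windows\ c:\windows\system32\pmagdxll.dll rvywea.dll
LSA: Notification Packages = scecli c:\windows\system32\vusotibu.dll
LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\mlJawWmn
2008-12-05 14:46 129,024 a------- c:\windows\system32\tasgmuft.dll
2008-12-03 02:31 129,024 a------- c:\windows\system32\exesudbc.dll
2008-11-24 23:38 120,832 a------- c:\windows\system32\seegnj.dll
2008-11-24 23:37 120,832 a------- c:\windows\system32\amdtglcq.dll
2008-11-07 15:17 410,976 a------- c:\windows\system32\deploytk.dll
2008-10-15 09:25 644,976 a------- c:\program files\autoruns.exe
"""

RUNDLL_RE = re.compile(
    r'^[umd]Run: \[(?P<name>[^\]]+)\] rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\w+)',
    re.IGNORECASE)
HOOK_RE = re.compile(r'^(?P<kind>BHO|SEH|TB): \{[0-9A-Fa-f-]+\} - (?P<path>.+)$')
APPINIT_RE = re.compile(r'^AppInit_DLLs:\s*(?P<rest>.*)$')
LSA_RE = re.compile(r'^LSA: (?P<pkg>Notification|Authentication) Packages = (?P<rest>.*)$')
CREATED_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?P<size>[\d,]+) \S+ (?P<path>.+\.(?:dll|exe))$',
    re.IGNORECASE)
# Packages Windows itself registers; any other token in these lists needs a look.
LSA_DEFAULTS = {"Notification": {"scecli"}, "Authentication": {"msv1_0"}}


def in_system32(path):
    return "\\system32\\" in path.lower()


def triage(log_text):
    """Return the suspicious load points found in a DDS-style log."""
    findings = {
        "rundll32_loaders": [],  # Run values that start a DLL through a one-letter export
        "system32_hooks": [],    # BHO/SEH/TB entries whose DLL lives in system32
        "appinit_dlls": [],      # AppInit_DLLs is empty on a clean box
        "lsa_extras": [],        # LSA packages beyond the Windows defaults
        "size_clusters": [],     # new system32 PE files sharing an exact byte size
    }
    by_size = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if m := RUNDLL_RE.match(line):
            if len(m["export"]) == 1:
                findings["rundll32_loaders"].append((m["name"], m["dll"], m["export"]))
        elif m := HOOK_RE.match(line):
            if in_system32(m["path"]):
                findings["system32_hooks"].append((m["kind"], m["path"]))
        elif m := APPINIT_RE.match(line):
            findings["appinit_dlls"].extend(m["rest"].split())
        elif m := LSA_RE.match(line):
            for token in m["rest"].split():
                if token.lower() not in LSA_DEFAULTS[m["pkg"]]:
                    findings["lsa_extras"].append((m["pkg"], token))
        elif (m := CREATED_RE.match(line)) and in_system32(m["path"]):
            by_size[int(m["size"].replace(",", ""))].append(m["path"])
    # Two or more fresh system32 binaries of identical size under unrelated
    # names is the signature of a dropper writing a new copy each day.
    for size, paths in sorted(by_size.items()):
        if len(paths) >= 2:
            findings["size_clusters"].append((size, sorted(paths)))
    return findings


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_LOG).items():
        print(f"{category}: {len(hits)}")
        for hit in hits:
            print("   ", hit)
```

Run it as-is to see the five buckets populated from the sample; pass a full DDS log on stdin or from a file instead of SAMPLE_LOG to triage a real report. Every bucket except the size clusters is a load point that survives a reboot and a Run-key edit, which is the practical reason the helper's advice is a tool such as ComboFix rather than another pass through Regedit.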
Post #2, 12-06-2008, 08:01 PM
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 24,485; OS: N/A)

Re: This Virtumonde just won't die!!

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Post the log from ComboFix when you've accomplished that.
Post #3, 12-06-2008, 09:28 PM
mikejl29 (Registered User; Join Date: Dec 2008; Posts: 15; OS: Vista)

Re: This Virtumonde just won't die!!

Thanks for getting back so quickly, sUBs. Here is the ComboFix log:

ComboFix 08-12-06.04 - Mike 2008-12-06 23:04:36.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1181 [GMT -5:00]
Running from: c:\users\Mike\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\recycled\Recycled
c:\recycled\Recycled\ctfmon.exe
c:\temp\DIV55
c:\temp\DIV55\xDb.log
c:\temp\FT62
c:\temp\FT62\teTU.log
c:\users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\fbk.sts
c:\users\Mike\AppData\Roaming\inst.exe
c:\windows\system32\adulokup.ini
c:\windows\system32\amdtglcq.dll
c:\windows\system32\ayxxssnu.dll
c:\windows\system32\bkwrqahs.ini
c:\windows\system32\cjiowy.dll
c:\windows\system32\cmgmgf.dll
c:\windows\system32\exesudbc.dll
c:\windows\system32\htefyjwm.dll
c:\windows\system32\icsvdl.dll
c:\windows\system32\jsoaeopc.dll
c:\windows\system32\kjdndoai.dll
c:\windows\system32\llgoxwch.dll
c:\windows\system32\lnqpdw.dll
c:\windows\system32\nmbianfh.dll
c:\windows\system32\nnnkJCTL.dll
c:\windows\system32\nnnljjGW.dll
c:\windows\system32\oapaqblh.dll
c:\windows\system32\plvuygdy.dll
c:\windows\system32\pokihuyi.dll
c:\windows\system32\pxjzik.dll
c:\windows\system32\pxvvorao.dll
c:\windows\system32\rchkaajo.dll
c:\windows\system32\rliujy.dll
c:\windows\system32\seegnj.dll
c:\windows\system32\smdnhf.dll
c:\windows\system32\tasgmuft.dll
c:\windows\system32\vudikrlw.ini
c:\windows\system32\vusotibu.dll
c:\windows\system32\wqxevw.dll
c:\windows\system32\wtavuodu.dll
c:\windows\system32\xxyywvVP.dll
c:\windows\system32\ycyotwha.dll
c:\windows\Tasks\qjsqptca.job
D:\Autorun.inf
F:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-06 16:36 . 2008-12-06 16:36 <DIR> d-------- c:\program files\Trend Micro
2008-12-05 17:02 . 2008-12-05 17:02 <DIR> d-------- c:\windows\System32\vos
2008-12-05 17:02 . 2008-12-05 17:02 <DIR> d-------- c:\windows\System32\uXPi02
2008-12-05 17:02 . 2008-12-05 17:03 <DIR> d-------- c:\windows\System32\op4
2008-12-05 17:02 . 2008-12-05 17:02 <DIR> d-------- c:\windows\System32\ecs1
2008-12-05 17:02 . 2008-12-05 17:02 278,301 --a------ c:\temp\St8REV2.exe
2008-12-05 17:02 . 2008-12-05 17:02 36,864 --a------ c:\windows\System32\opnkljki.dll
2008-12-02 19:50 . 2008-12-02 19:50 36,864 --a------ c:\windows\System32\awtqrspN.dll
2008-12-02 13:08 . 2008-12-02 13:12 <DIR> d-------- c:\program files\wamp
2008-12-01 22:01 . 2008-12-01 22:01 37,376 --a------ c:\windows\System32\qoMdDvVN.dll
2008-11-30 13:06 . 2008-12-06 17:37 250 --a------ c:\windows\gmer.ini
2008-11-28 01:04 . 2008-11-28 10:53 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy
2008-11-28 01:04 . 2008-11-28 10:53 <DIR> d-------- c:\programdata\Spybot - Search & Destroy
2008-11-28 01:04 . 2008-11-28 01:13 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-26 12:19 . 2008-11-26 12:19 307,200 --------- c:\windows\System32\yATJbxXr.dll
2008-11-25 14:38 . 2008-12-02 19:50 64 --a------ c:\users\Mike\w.bat
2008-11-25 12:40 . 2008-11-25 12:40 <DIR> d-------- c:\users\Mike\AppData\Roaming\HandBrake
2008-11-25 00:18 . 2008-11-25 00:20 <DIR> d-------- c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-25 00:18 . 2008-11-25 00:20 <DIR> d-------- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-25 00:18 . 2008-11-25 00:18 <DIR> d-------- c:\program files\iPod
2008-11-24 12:26 . 2008-11-24 12:26 <DIR> d-------- c:\users\All Users\FlashFXP
2008-11-24 12:26 . 2008-11-24 12:26 <DIR> d-------- c:\programdata\FlashFXP
2008-11-23 12:06 . 2008-12-06 17:12 <DIR> d-------- C:\Poker
2008-11-18 19:52 . 2008-11-18 19:52 <DIR> d-------- c:\windows\System32\dPI02
2008-11-18 19:51 . 2008-11-24 17:29 65 --a------ c:\users\Mike\ff.bat
2008-11-17 01:39 . 2008-11-17 01:39 33,832 --a------ c:\windows\System32\marmanhr.exe
2008-11-16 01:36 . 2008-11-16 01:36 33,832 --a------ c:\windows\System32\jspowxge.exe
2008-11-15 01:35 . 2008-11-15 01:35 33,832 --a------ c:\windows\System32\coxppasp.exe
2008-11-14 01:39 . 2008-11-14 01:39 33,832 --a------ c:\windows\System32\fcyvpcug.exe
2008-11-10 23:34 . 2008-11-10 23:35 <DIR> d-------- c:\program files\ImageMagick-6.4.5-Q16
2008-11-10 18:16 . 2008-11-10 18:32 <DIR> d-------- C:\VueScan
2008-11-10 01:40 . 2008-11-10 01:40 33,832 --a------ c:\windows\System32\inchtent.exe
2008-11-09 21:37 . 2008-11-09 21:37 <DIR> d-------- c:\windows\System32\sX3i02
2008-11-09 21:37 . 2008-11-13 14:44 <DIR> d-------- c:\temp\PRE45

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 22:12 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-06 22:10 --------- d-----w c:\program files\Common Files\DVDVideoSoft
2008-12-06 22:09 47,360 ----a-w c:\users\Mike\AppData\Roaming\pcouffin.sys
2008-12-06 22:09 --------- d-----w c:\users\Mike\AppData\Roaming\Vso
2008-12-06 22:08 --------- d-----w c:\program files\SlySoft
2008-12-06 22:08 --------- d-----w c:\program files\CamStudio
2008-12-06 22:08 --------- d-----w c:\program files\Bibble Labs
2008-12-06 09:59 93,238 ------w c:\windows\System32\seviruwa.dll
2008-12-01 05:57 --------- d-----w c:\program files\LimeWire
2008-11-26 22:36 --------- d-----w c:\program files\dl_Cats
2008-11-26 03:51 --------- d-----w c:\users\Mike\AppData\Roaming\uTorrent
2008-11-25 05:19 --------- d-----w c:\program files\iTunes
2008-11-25 05:18 --------- d-----w c:\program files\Common Files\Apple
2008-11-25 05:12 --------- d-----w c:\program files\QuickTime
2008-11-24 02:48 --------- d-----w c:\program files\Mozilla Thunderbird
2008-11-20 16:52 --------- d-----w c:\programdata\FLEXnet
2008-11-16 02:42 --------- d-----w c:\program files\RocketDock
2008-11-13 23:56 68 ----a-w c:\users\Mike\c.bat
2008-11-13 23:56 62,464 ----a-w c:\users\Mike\index.exe
2008-11-07 20:17 410,976 ----a-w c:\windows\System32\deploytk.dll
2008-11-07 20:17 --------- d-----w c:\program files\Java
2008-11-04 20:40 --------- d-----w c:\users\Mike\AppData\Roaming\Malwarebytes
2008-11-04 20:40 --------- d-----w c:\programdata\Malwarebytes
2008-11-04 20:40 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-04 19:06 --------- d-----w c:\programdata\Lavasoft
2008-10-27 18:11 --------- d-----w c:\program files\DivX
2008-10-25 07:06 --------- d-----w c:\users\Mike\AppData\Roaming\dvdcss
2008-10-22 21:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 21:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-21 16:23 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-16 07:11 --------- d-----w c:\program files\Windows Mail
2008-10-15 14:25 644,976 ----a-w c:\program files\autoruns.exe
2008-10-15 14:25 538,480 ----a-w c:\program files\autorunsc.exe
2008-10-02 03:49 826,368 ----a-w c:\windows\System32\wininet.dll
2008-10-02 03:49 56,320 ----a-w c:\windows\System32\iesetup.dll
2008-10-02 03:49 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-10-02 03:48 26,624 ----a-w c:\windows\System32\ieUnatt.exe
2008-09-19 21:55 200,704 ----a-w c:\windows\System32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\System32\libdivx.dll
2008-09-18 04:35 3,505,208 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 04:35 3,470,904 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 02:03 2,027,520 ----a-w c:\windows\System32\win32k.sys
2008-08-20 19:18 48,986 ----a-w c:\program files\autoruns.chm
2008-07-10 12:27 174 --sha-w c:\program files\desktop.ini
2008-04-24 16:54 0 ----a-w c:\users\All Users\PKP_DLdy.DAT
2008-04-24 16:54 0 ----a-w c:\programdata\PKP_DLdy.DAT
2008-04-24 16:39 0 ----a-w c:\users\All Users\PKP_DLbz.DAT
2008-04-24 16:39 0 ----a-w c:\programdata\PKP_DLbz.DAT
2008-03-07 16:15 4,581,415 ----a-w c:\users\Mike\allok_flvconverter-trial.exe
2006-07-28 13:32 7,005 ------w c:\program files\Eula.txt
2008-04-26 21:20 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-04-26 21:20 32,768 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-04-26 21:20 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2005-07-29 21:24 472 --sha-r c:\windows\TWlrZQ\nq5Otk.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2006-11-10 417792]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 34352]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 413696]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-22 438272]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-12 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-12 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-12 133912]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-11 180224]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"DLBTCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2007-02-22 73728]
"FinePrint Dispatcher v5"="c:\windows\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2007-11-07 507904]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-07 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"RtHDVCpl"="RtHDVCpl.exe" [2007-02-15 c:\windows\RtHDVCpl.exe]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2008-02-11 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
--a------ 2007-01-17 15:46 534648 c:\program files\TOSHIBA\FlashCards\TCrdMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2007-07-01 09:10 1006264 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-713068253-2880954056-535546135-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"= c:\program files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D868D79A-2799-420B-881F-7A9D5911A04D}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{ECA6F099-DC1F-4C29-B4D1-7F7031789DDF}c:\\program files\\bitlord2\\bitlord.exe"= UDP:c:\program files\bitlord2\bitlord.exe:
"UDP Query User{AC253127-CE7B-4330-9A60-3C0D9C360CA8}c:\\program files\\bitlord2\\bitlord.exe"= TCP:c:\program files\bitlord2\bitlord.exe:
"{48FE10F8-E3D8-4F23-866E-8A3A590F15A6}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"TCP Query User{A396BE82-56D6-402B-A73D-C29F63B31143}c:\\program files\\macromedia\\dreamweaver mx 2004\\dreamweaver mx 2004\\dreamweaver.exe"= UDP:c:\program files\macromedia\dreamweaver mx 2004\dreamweaver mx 2004\dreamweaver.exe:Dreamweaver MX 2004
"UDP Query User{6CD7DD59-08E6-4B33-86EE-2E5BA4A868FC}c:\\program files\\macromedia\\dreamweaver mx 2004\\dreamweaver mx 2004\\dreamweaver.exe"= TCP:c:\program files\macromedia\dreamweaver mx 2004\dreamweaver mx 2004\dreamweaver.exe:Dreamweaver MX 2004
"TCP Query User{659DEA12-26F1-430C-BBEE-59E6BF59B94E}c:\\program files\\fotoquote\\fotoquote pro\\fotoquote pro.exe"= UDP:c:\program files\fotoquote\fotoquote pro\fotoquote pro.exe:FileMaker Pro Runtime
"UDP Query User{DF98034A-B57B-4179-836D-D59FD11B5772}c:\\program files\\fotoquote\\fotoquote pro\\fotoquote pro.exe"= TCP:c:\program files\fotoquote\fotoquote pro\fotoquote pro.exe:FileMaker Pro Runtime
"{28AF9551-69B6-42B8-9C2C-101D45E9B417}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{9259AC9A-3461-4A47-BF0D-29F3A312E11F}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3D6CA827-F09E-45A8-8676-FBC6229CEA98}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{00558A25-E5CC-4E77-9A78-DE0497A3EE93}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E92A1B70-4F16-4157-8291-E8754577EADB}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{0B37E93C-6A35-4BE2-ADBC-57142A2050C6}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{F81B5148-A4DA-4E15-B8B7-A3EEE1EF2E95}c:\\program files\\bitlord2\\bitlord.exe"= UDP:c:\program files\bitlord2\bitlord.exe:
"UDP Query User{7DE1ACB1-C08C-41C8-9640-711B9CD41219}c:\\program files\\bitlord2\\bitlord.exe"= TCP:c:\program files\bitlord2\bitlord.exe:
"{40577BC0-CE02-4B0D-8BB2-AE471A98C48E}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{2CCF14CD-0DD6-4BB0-AA6F-707EDB3FDA57}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{ABA45C8D-AC39-403B-A24F-B04A1BC5DAB5}"= UDP:c:\windows\System32\dlbtcoms.exe:Photo AIO Printer 922 Server
"{4595E466-06B2-4BC8-BAA2-4A4689E0C8A9}"= TCP:c:\windows\System32\dlbtcoms.exe:Photo AIO Printer 922 Server
"TCP Query User{2DB2DD63-250C-4AA6-A4E4-F40961018C78}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{79C25918-2BBE-4659-BACA-348942E583DE}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{BCEAB332-3A28-4FC0-A993-CDBC89B26910}c:\\program files\\macromedia\\dreamweaver mx 2004\\dreamweaver mx 2004\\dreamweaver.exe"= UDP:c:\program files\macromedia\dreamweaver mx 2004\dreamweaver mx 2004\dreamweaver.exe:Dreamweaver MX 2004
"UDP Query User{82189C37-163D-4208-B987-076490082B2D}c:\\program files\\macromedia\\dreamweaver mx 2004\\dreamweaver mx 2004\\dreamweaver.exe"= TCP:c:\program files\macromedia\dreamweaver mx 2004\dreamweaver mx 2004\dreamweaver.exe:Dreamweaver MX 2004
"TCP Query User{87163A53-F01E-46EE-9B46-3261C502E3A3}c:\\program files\\transcode360\\transcode360tray.exe"= UDP:c:\program files\transcode360\transcode360tray.exe:
"UDP Query User{3F1F06A5-DB49-4E24-A986-99BD3217C656}c:\\program files\\transcode360\\transcode360tray.exe"= TCP:c:\program files\transcode360\transcode360tray.exe:
"TCP Query User{7C404DEC-AB1C-4571-9C4F-3193B22DA2A7}c:\\program files\\nero\\nero 7\\nero home\\nerohome.exe"= UDP:c:\program files\nero\nero 7\nero home\nerohome.exe:Nero Home
"UDP Query User{9BBCE5FF-37BF-45A6-8A8C-C74ADAA38CE5}c:\\program files\\nero\\nero 7\\nero home\\nerohome.exe"= TCP:c:\program files\nero\nero 7\nero home\nerohome.exe:Nero Home
"TCP Query User{2237D760-3F17-4FD4-8963-C97A094B19C0}c:\\program files\\fotoquote\\fotoquote pro\\fotoquote pro.exe"= UDP:c:\program files\fotoquote\fotoquote pro\fotoquote pro.exe:FileMaker Pro Runtime
"UDP Query User{433BFB33-6BAB-43AA-ADE4-3A4EAEAB2623}c:\\program files\\fotoquote\\fotoquote pro\\fotoquote pro.exe"= TCP:c:\program files\fotoquote\fotoquote pro\fotoquote pro.exe:FileMaker Pro Runtime
"TCP Query User{280737EA-3D1D-4220-9A65-D0C5C093FF76}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{60C03FB8-E264-43F9-9423-CD9A933CEC8D}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{88291642-476F-429A-836A-EF87E40DE6C2}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{7653581D-222F-4D0B-849B-87EB18D6106E}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{3E8C9407-4374-4BD6-9BA4-1409D187D36D}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{F83CB695-F924-4B50-B87D-692A9A187F6C}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{3A3CB1A9-BC8A-48DF-88A0-4E2AB01E6B68}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{1DA0F47C-4729-4FBA-A154-6C87DF0C0393}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{4B3F7B4C-3DDD-4B6F-B43B-80E7A2BC22A5}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{4A7E8834-D377-4112-AA51-70A059A5157D}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"{E592D19E-284A-4B2C-986F-86EEC3416D5F}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{867E1F21-AE06-45FF-AE2A-779C00001CC9}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{1BC5F1AA-78E0-40E7-B819-35288AA18753}c:\\program files\\outlook messenger\\outlookmessenger.exe"= UDP:c:\program files\outlook messenger\outlookmessenger.exe:Outlook LAN Messenger
"UDP Query User{950807EF-E9F1-4A74-AA28-F548248FD2A8}c:\\program files\\outlook messenger\\outlookmessenger.exe"= TCP:c:\program files\outlook messenger\outlookmessenger.exe:Outlook LAN Messenger
"TCP Query User{97CAE664-67C3-4FF9-AC65-FB92EADBEE71}c:\\program files\\outlook messenger\\outlookmessenger.exe"= UDP:c:\program files\outlook messenger\outlookmessenger.exe:Outlook LAN Messenger
"UDP Query User{2EEB2B0A-1B74-495B-897B-3C96C2DB3265}c:\\program files\\outlook messenger\\outlookmessenger.exe"= TCP:c:\program files\outlook messenger\outlookmessenger.exe:Outlook LAN Messenger
"TCP Query User{DFCDB5F6-A8C7-4D2B-9905-2EAA97DBF24A}c:\\program files\\mozilla thunderbird\\thunderbird.exe"= UDP:c:\program files\mozilla thunderbird\thunderbird.exe:Mozilla Thunderbird
"UDP Query User{118BB044-5676-45B6-A125-85C13A33683D}c:\\program files\\mozilla thunderbird\\thunderbird.exe"= TCP:c:\program files\mozilla thunderbird\thunderbird.exe:Mozilla Thunderbird
"TCP Query User{47757E8B-FDDB-4581-BABC-8E79B81E5F36}c:\\program files\\mozilla thunderbird\\thunderbird.exe"= UDP:c:\program files\mozilla thunderbird\thunderbird.exe:Mozilla Thunderbird
"UDP Query User{6C4B0862-E8B3-4D12-A695-A5B2DEAA8DC3}c:\\program files\\mozilla thunderbird\\thunderbird.exe"= TCP:c:\program files\mozilla thunderbird\thunderbird.exe:Mozilla Thunderbird
"{29B187EB-119A-4AFA-9E31-3C355E7F336B}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{7481372D-CF0B-4BE6-B6BF-610780767722}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{8E0DAC45-703E-434A-94F7-226AB15467C5}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C563FB10-D72F-4257-BBD9-C6C638298842}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{CA9ED64C-6ECD-4055-9196-32757CE3ED06}c:\\users\\mike\\desktop\\charon\\charon.exe"= UDP:c:\users\mike\desktop\charon\charon.exe:charon.exe
"UDP Query User{2CF9F9EA-52AC-4081-B1CD-7788219CB14C}c:\\users\\mike\\desktop\\charon\\charon.exe"= TCP:c:\users\mike\desktop\charon\charon.exe:charon.exe
"TCP Query User{2B12A064-BCCC-4EFF-BF11-31786BF1D656}c:\\program files\\java\\jre6\\bin\\java.exe"= UDP:c:\program files\java\jre6\bin\java.exe:Java(TM) Platform SE binary
"UDP Query User{42DE9974-2D4C-4533-9447-50ED6164550E}c:\\program files\\java\\jre6\\bin\\java.exe"= TCP:c:\program files\java\jre6\bin\java.exe:Java(TM) Platform SE binary
"{7441EC15-29D3-4807-8EC9-A412EAA8BE0A}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{40D2CA80-AE70-44CE-B8CE-484189747EB6}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{1A808E8B-337C-47C7-87E8-57A59CE7E91A}"= UDP:c:\windows\explorer.exe:Explorer
"{A8DAC98B-CD8D-4477-AC9E-4D9CF307190D}"= UDP:c:\windows\explorer.exe:Explorer
"{D966A1A0-B502-4C09-84D0-94208B49E85A}"= TCP:c:\windows\explorer.exe:Explorer
"{ACE6C5DA-A586-475F-8128-88839D709909}"= TCP:c:\windows\explorer.exe:Explorer
"{4D5BF6F7-437C-451B-A8FB-B26035CD1C4B}"= UDP:c:\windows\System32\LogonUI.exe:LogonUI
"{7076C642-F9B4-4E07-B2E6-9F1F37AFF668}"= TCP:c:\windows\System32\LogonUI.exe:LogonUI
"{96D0BFFC-F2A0-4C70-954B-308922DC56A0}"= UDP:c:\windows\System32\wininit.exe:wininit
"{1C405B4E-668E-4DF7-970F-1238716DE187}"= TCP:c:\windows\System32\wininit.exe:wininit
"{56F8530C-3575-4FB0-A6E2-A4CC8B2D37D2}"= UDP:c:\windows\System32\wininit.exe:wininit
"{F5E43B1F-8618-4DF9-855A-ECAD456D0B77}"= TCP:c:\windows\System32\wininit.exe:wininit
"{D971915A-CE83-4555-B241-F4C8AE439115}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{98C236B6-2F6A-4BE9-A0E0-692BDFADC1A2}"= TCP:c:\windows\System32\winlogon.exe:winlogon
"{D8B242A3-7C28-4831-9F2B-9CF7B5F4FECD}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{1B587A3A-5DD5-4FA7-A4AC-0EF7615CFD58}"= TCP:c:\windows\System32\winlogon.exe:winlogon
"{7F902B26-E37D-4D23-B961-F3A0F50003D8}"= UDP:c:\windows\System32\lsass.exe:lsass
"{60AD91D3-7365-4531-A546-38CB3CD35EDF}"= TCP:c:\windows\System32\lsass.exe:lsass
"{619FE623-C76E-40D2-85F7-DBB72493EEEB}"= UDP:c:\windows\System32\lsass.exe:lsass
"{3C3525D4-B63C-460B-AA2D-32529A198D13}"= TCP:c:\windows\System32\lsass.exe:lsass

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"= c:\program files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2eb8defb-5be3-11dd-baad-001b380fce33}]
\shell\Auto\command - H:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL H:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53192392-51c0-11dd-bfed-001b380fce33}]
\shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97220d00-a588-11dd-9f13-001b380fce33}]
\shell\Auto\command - G:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3377eca-956f-11dd-aa60-001b380fce33}]
\shell\Auto\command - G:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d2de67ff-ceec-11dc-a4d7-001b380fce33}]
\shell\Auto\command - F:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\Start.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-06 c:\windows\Tasks\User_Feed_Synchronization-{BD5D702C-63D3-4FB3-BDBC-448A5B11037E}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 04:45]
.
- - - - ORPHANS REMOVED - - - -

BHO-{2D74EFDC-7D66-7FF8-98B8-5B0B9A406BF1} - c:\windows\system32\amqneozkhpjfe.dll
BHO-{4FD130AE-D8D2-4137-A680-C5CF233BE545} - c:\windows\system32\iifcYSJA.dll
BHO-{6524E433-B7BE-480E-A146-2D764D6D7849} - c:\windows\system32\iIBuuVMF.dll
BHO-{8513278c-2b39-4f12-9a52-2ffcd904cb8e} - c:\windows\system32\nusijavu.dll
BHO-{C81B3B86-175D-4659-AB67-1C59DC63AFE3} - c:\windows\system32\khfeCVom.dll
HKLM-Run-CPMb72c8c12 - c:\windows\system32\yamomenu.dll
HKLM-Run-wilofobuze - c:\windows\system32\yejubano.dll
ShellExecuteHooks-{C31C05B4-0A01-4DC2-8E5E-0315459F508E} - c:\windows\system32\mLecAqrQ.dll
ShellExecuteHooks-{B58C9513-8896-4A6A-9BA8-0FBA3423F821} - c:\windows\system32\jkKeeBsS.dll
ShellExecuteHooks-{C81B3B86-175D-4659-AB67-1C59DC63AFE3} - c:\windows\system32\khfeCVom.dll
ShellExecuteHooks-{4FD130AE-D8D2-4137-A680-C5CF233BE545} - c:\windows\system32\iifcYSJA.dll
ShellExecuteHooks-{ADA12CEB-64E9-494A-B404-D0ECF3065519} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.shoptoshiba.ca/welcome
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Locate Spot on Map by GPS - c:\program files\Opanda\IExif 2.3\IExifMap.htm
IE: View Exif/GPS/IPTC with IExif - c:\program files\Opanda\IExif 2.3\IExifCom.htm
FireFox -: Profile - c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\v8c74e89.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.ca/
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\users\Mike\AppData\Roaming\Mozilla\plugins\npPxPlay.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 23:13:04
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(440)
c:\program files\RocketDock\RocketDock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\System32\audiodg.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\System32\igfxsrvc.exe
c:\windows\System32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\System32\dlbtcoms.exe
c:\program files\Photodex\ProShowGold\scsiaccess.exe
c:\windows\System32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Apoint2K\ApMsgFwd.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\TOSHIBA\ConfigFree\CFSwMgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Apoint2K\ApntEx.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\conime.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Windows Media Player\wmpnscfg.exe
.
**************************************************************************
.
Completion time: 2008-12-06 23:24:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-07 04:23:11

Pre-Run: 35,239,215,104 bytes free
Post-Run: 35,000,733,696 bytes free

392 --- E O F --- 2008-10-31 06:16:30
mikejl29 is offline  
Old 12-06-2008, 09:41 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,485
OS: N/A


Re: This Virtumonde just won't die!!

Open NOTEPAD and copy/paste the text in the quotebox below into it:

Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/320903-virtumonde-just-won-t-die.html
Folder::
c:\windows\System32\vos
c:\windows\System32\uXPi02
c:\windows\System32\op4
c:\windows\System32\ecs1
c:\windows\System32\dPI02
c:\windows\System32\sX3i02
c:\temp\PRE45
c:\windows\TWlrZQ
Collect::
c:\temp\St8REV2.exe
c:\windows\System32\opnkljki.dll
c:\windows\System32\awtqrspN.dll
c:\windows\System32\qoMdDvVN.dll
c:\windows\System32\yATJbxXr.dll
c:\users\Mike\w.bat
c:\users\Mike\ff.bat
c:\windows\System32\marmanhr.exe
c:\windows\System32\jspowxge.exe
c:\windows\System32\coxppasp.exe
c:\windows\System32\fcyvpcug.exe
c:\windows\System32\inchtent.exe
c:\windows\System32\seviruwa.dll
c:\users\Mike\c.bat
c:\users\Mike\index.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{1A808E8B-337C-47C7-87E8-57A59CE7E91A}"=-
"{A8DAC98B-CD8D-4477-AC9E-4D9CF307190D}"=-
"{D966A1A0-B502-4C09-84D0-94208B49E85A}"=-
"{ACE6C5DA-A586-475F-8128-88839D709909}"=-
"{4D5BF6F7-437C-451B-A8FB-B26035CD1C4B}"=-
"{7076C642-F9B4-4E07-B2E6-9F1F37AFF668}"=-
"{96D0BFFC-F2A0-4C70-954B-308922DC56A0}"=-
"{1C405B4E-668E-4DF7-970F-1238716DE187}"=-
"{56F8530C-3575-4FB0-A6E2-A4CC8B2D37D2}"=-
"{F5E43B1F-8618-4DF9-855A-ECAD456D0B77}"=-
"{D971915A-CE83-4555-B241-F4C8AE439115}"=-
"{98C236B6-2F6A-4BE9-A0E0-692BDFADC1A2}"=-
"{D8B242A3-7C28-4831-9F2B-9CF7B5F4FECD}"=-
"{1B587A3A-5DD5-4FA7-A4AC-0EF7615CFD58}"=-
"{7F902B26-E37D-4D23-B961-F3A0F50003D8}"=-
"{60AD91D3-7365-4531-A546-38CB3CD35EDF}"=-
"{619FE623-C76E-40D2-85F7-DBB72493EEEB}"=-
"{3C3525D4-B63C-460B-AA2D-32529A198D13}"=-
Save this as "CFScript"





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Additionally, ComboFix will generate a zipped file at C:\Qoobox\Quarantine\[4]Submit@Date_Time.zip
Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/subm....php?channel=4


---------------


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


---------------


In your next post, please include fresh logs from:
  1. Online scan
  2. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
sUBs is offline  
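The CFScript above deletes eighteen FirewallRules values by GUID, and every one of them is a rule from the earlier ComboFix dump that grants explorer.exe, LogonUI.exe, wininit.exe, winlogon.exe or lsass.exe a host-firewall exception. Those core Windows binaries have no business holding such rules on a workstation, so the pattern is worth checking for mechanically rather than by eye. The script below is an added example and not code from the forum, from sUBs or from ComboFix: it parses FirewallRules lines in the format ComboFix prints them, flags the ones whose program is a core system binary under c:\windows, and renders the flagged GUIDs in the `"{GUID}"=-` deletion syntax the CFScript uses. The sample input is a handful of lines copied from the dump above, and the list of "core system binaries" is a heuristic chosen for this example.

```python
import re
from typing import Dict, List, Optional

# Sample input: a few FirewallRules lines taken from the ComboFix log above
# (the full dump is much longer; the three system-binary rules here are among
# the GUIDs the CFScript in the reply deletes).
SAMPLE_RULES = r'''
"{D868D79A-2799-420B-881F-7A9D5911A04D}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{280737EA-3D1D-4220-9A65-D0C5C093FF76}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"{1A808E8B-337C-47C7-87E8-57A59CE7E91A}"= UDP:c:\windows\explorer.exe:Explorer
"{7076C642-F9B4-4E07-B2E6-9F1F37AFF668}"= TCP:c:\windows\System32\LogonUI.exe:LogonUI
"{7F902B26-E37D-4D23-B961-F3A0F50003D8}"= UDP:c:\windows\System32\lsass.exe:lsass
'''

# Heuristic (an assumption of this example): core Windows binaries that have no
# legitimate reason to hold a host-firewall exception on a workstation.
CORE_SYSTEM_BINARIES = {
    "explorer.exe", "logonui.exe", "wininit.exe", "winlogon.exe",
    "lsass.exe", "services.exe", "csrss.exe", "smss.exe",
}

# One ComboFix FirewallRules line: "<name>"= PROTO[:port|]<path>:<description>
RULE_RE = re.compile(
    r'^"(?P<name>[^"]*)"=\s*'       # value name; may embed a GUID and a path
    r'(?P<proto>TCP|UDP):'          # protocol
    r'(?:(?P<port>\d+)\|)?'         # optional local port, e.g. TCP:6004|
    r'(?P<path>[A-Za-z]:[^:]*)'     # program path: drive letter, then no colons
    r':(?P<desc>.*)$'               # trailing description, may be empty
)
GUID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')


def parse_rule(line: str) -> Optional[Dict[str, str]]:
    """Parse one FirewallRules line from the log; None if it is not a rule line."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    g = GUID_RE.search(m.group("name"))
    return {
        "guid": g.group(0).upper() if g else "",
        "proto": m.group("proto"),
        "port": m.group("port") or "",
        "path": m.group("path"),
        "desc": m.group("desc"),
    }


def is_suspicious(rule: Dict[str, str]) -> bool:
    """True when the rule's program is a core system binary under c:\\windows."""
    path = rule["path"].lower().replace("/", "\\")
    exe = path.rsplit("\\", 1)[-1]
    return exe in CORE_SYSTEM_BINARIES and path.startswith("c:\\windows\\")


def flag_rules(dump: str) -> List[Dict[str, str]]:
    """Return the parsed rules from a FirewallRules dump that look suspicious."""
    flagged = []
    for line in dump.splitlines():
        rule = parse_rule(line)
        if rule and is_suspicious(rule):
            flagged.append(rule)
    return flagged


def cfscript_registry_lines(flagged: List[Dict[str, str]]) -> List[str]:
    """Render flagged GUIDs in the '"{GUID}"=-' deletion syntax the CFScript uses."""
    return ['"%s"=-' % r["guid"] for r in flagged if r["guid"]]


if __name__ == "__main__":
    hits = flag_rules(SAMPLE_RULES)
    for r in hits:
        print(f'{r["guid"]}  {r["proto"]:3}  {r["path"]}  ({r["desc"]})')
    print("\n".join(cfscript_registry_lines(hits)))
```

Run against the full dump above, the three entries in the sample grow to the same eighteen GUIDs that the CFScript's Registry:: block removes; the Outlook and uTorrent rules are left alone because they belong to ordinary applications. Anything the script flags still deserves a look before it is acted on, which is exactly how the reply treats it: a log is reviewed by a person, then a script is written against it.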
Old 12-07-2008, 07:23 PM   #5 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 15
OS: Vista


Re: This Virtumonde just won't die!!

Uploaded the zip file to the "Bleeping Computer" website. Here is the updated ComboFix log... and the Kaspersky log follows it... mind you I couldn't complete the entire Kaspersky scan... it was through most of my C: drive (where the infections reside) and I was 4 and a half hours through the scan... I appreciate all the help but my thread would be closed here before the entire scan was complete. Knock on wood, no re-occurrences of the virus since ComboFix was run. Everything seems OK... just need to delete the ComboFix program now? If I could get the instructions on that it would be much appreciated.... and if I could get the link for donating some money to this site...

ComboFix 08-12-06.04 - Mike 2008-12-07 0:03:35.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1073 [GMT -5:00]
Running from: c:\users\Mike\Desktop\ComboFix.exe
Command switches used :: c:\users\Mike\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\PRE45
c:\temp\PRE45\pG8.log
c:\temp\St8REV2.exe
c:\users\Mike\c.bat
c:\users\Mike\ff.bat
c:\users\Mike\index.exe
c:\users\Mike\w.bat
c:\windows\System32\awtqrspN.dll
c:\windows\System32\coxppasp.exe
c:\windows\System32\dPI02
c:\windows\System32\dPI02\dPI022328.exe
c:\windows\System32\ecs1
c:\windows\System32\ecs1\HXEdv47.exe
c:\windows\System32\fcyvpcug.exe
c:\windows\System32\inchtent.exe
c:\windows\System32\jspowxge.exe
c:\windows\System32\marmanhr.exe
c:\windows\System32\op4
c:\windows\System32\opnkljki.dll
c:\windows\System32\qoMdDvVN.dll
c:\windows\System32\seviruwa.dll
c:\windows\System32\sX3i02
c:\windows\System32\sX3i02\sX3i022328.exe
c:\windows\System32\uXPi02
c:\windows\System32\uXPi02\uXPi022328.exe
c:\windows\System32\vos
c:\windows\System32\vos\MTK63G.exe
c:\windows\System32\yATJbxXr.dll
c:\windows\TWlrZQ
c:\windows\TWlrZQ\nq5Otk.vbs

.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-06 23:24 . 2008-10-16 16:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-12-06 23:24 . 2008-10-16 15:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-12-06 23:24 . 2008-10-16 16:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-12-06 23:24 . 2008-10-16 16:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-12-06 23:23 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-12-06 23:23 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-12-06 16:36 . 2008-12-06 16:36 <DIR> d-------- c:\program files\Trend Micro
2008-12-02 13:08 . 2008-12-02 13:12 <DIR> d-------- c:\program files\wamp
2008-11-30 13:06 . 2008-12-06 17:37 250 --a------ c:\windows\gmer.ini
2008-11-28 01:04 . 2008-11-28 10:53 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy
2008-11-28 01:04 . 2008-11-28 10:53 <DIR> d-------- c:\programdata\Spybot - Search & Destroy
2008-11-28 01:04 . 2008-11-28 01:13 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-25 12:40 . 2008-11-25 12:40 <DIR> d-------- c:\users\Mike\AppData\Roaming\HandBrake
2008-11-25 00:18 . 2008-11-25 00:20 <DIR> d-------- c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-25 00:18 . 2008-11-25 00:20 <DIR> d-------- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-25 00:18 . 2008-11-25 00:18 <DIR> d-------- c:\program files\iPod
2008-11-24 12:26 . 2008-11-24 12:26 <DIR> d-------- c:\users\All Users\FlashFXP
2008-11-24 12:26 . 2008-11-24 12:26 <DIR> d-------- c:\programdata\FlashFXP
2008-11-23 12:06 . 2008-12-06 17:12 <DIR> d-------- C:\Poker
2008-11-10 23:34 . 2008-11-10 23:35 <DIR> d-------- c:\program files\ImageMagick-6.4.5-Q16
2008-11-10 18:16 . 2008-11-10 18:32 <DIR> d-------- C:\VueScan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 22:12 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-06 22:10 --------- d-----w c:\program files\Common Files\DVDVideoSoft
2008-12-06 22:09 47,360 ----a-w c:\users\Mike\AppData\Roaming\pcouffin.sys
2008-12-06 22:09 --------- d-----w c:\users\Mike\AppData\Roaming\Vso
2008-12-06 22:08 --------- d-----w c:\program files\SlySoft
2008-12-06 22:08 --------- d-----w c:\program files\CamStudio
2008-12-06 22:08 --------- d-----w c:\program files\Bibble Labs
2008-12-01 05:57 --------- d-----w c:\program files\LimeWire
2008-11-26 22:36 --------- d-----w c:\program files\dl_Cats
2008-11-26 03:51 --------- d-----w c:\users\Mike\AppData\Roaming\uTorrent
2008-11-25 05:19 --------- d-----w c:\program files\iTunes
2008-11-25 05:18 --------- d-----w c:\program files\Common Files\Apple
2008-11-25 05:12 --------- d-----w c:\program files\QuickTime
2008-11-24 02:48 --------- d-----w c:\program files\Mozilla Thunderbird
2008-11-20 16:52 --------- d-----w c:\programdata\FLEXnet
2008-11-16 02:42 --------- d-----w c:\program files\RocketDock
2008-11-07 20:17 410,976 ----a-w c:\windows\System32\deploytk.dll
2008-11-07 20:17 --------- d-----w c:\program files\Java
2008-11-04 20:40 --------- d-----w c:\users\Mike\AppData\Roaming\Malwarebytes
2008-11-04 20:40 --------- d-----w c:\programdata\Malwarebytes
2008-11-04 20:40 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-04 19:06 --------- d-----w c:\programdata\Lavasoft
2008-10-27 18:11 --------- d-----w c:\program files\DivX
2008-10-25 07:06 --------- d-----w c:\users\Mike\AppData\Roaming\dvdcss
2008-10-22 21:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 21:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-21 16:23 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-16 07:11 --------- d-----w c:\program files\Windows Mail
2008-10-15 14:25 644,976 ----a-w c:\program files\autoruns.exe
2008-10-15 14:25 538,480 ----a-w c:\program files\autorunsc.exe
2008-10-02 03:49 826,368 ----a-w c:\windows\System32\wininet.dll
2008-10-02 03:49 56,320 ----a-w c:\windows\System32\iesetup.dll
2008-10-02 03:49 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-10-02 03:48 26,624 ----a-w c:\windows\System32\ieUnatt.exe
2008-09-19 21:55 200,704 ----a-w c:\windows\System32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\System32\libdivx.dll
2008-09-18 04:35 3,505,208 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 04:35 3,470,904 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 02:03 2,027,520 ----a-w c:\windows\System32\win32k.sys
2008-08-20 19:18 48,986 ----a-w c:\program files\autoruns.chm
2008-07-10 12:27 174 --sha-w c:\program files\desktop.ini
2008-04-24 16:54 0 ----a-w c:\users\All Users\PKP_DLdy.DAT
2008-04-24 16:54 0 ----a-w c:\programdata\PKP_DLdy.DAT
2008-04-24 16:39 0 ----a-w c:\users\All Users\PKP_DLbz.DAT
2008-04-24 16:39 0 ----a-w c:\programdata\PKP_DLbz.DAT
2008-03-07 16:15 4,581,415 ----a-w c:\users\Mike\allok_flvconverter-trial.exe
2006-07-28 13:32 7,005 ------w c:\program files\Eula.txt
2008-04-26 21:20 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-04-26 21:20 32,768 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-04-26 21:20 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-06_23.20.45.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-07 05:02:41 6,160,384 ----a-w c:\windows\ERDNT\Hiv-backup\schema.dat
+ 2008-12-07 04:12:18 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-12-07 04:12:18 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-12-07 04:12:49 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-07 0534 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-07-19 02:08:20 72,256 ------w c:\windows\SoftwareDistribution\SelfUpdate\Handler\WuSetupV.exe
+ 2008-10-16 19:08:00 70,416 ------w c:\windows\SoftwareDistribution\SelfUpdate\Handler\WuSetupV.exe
- 2008-12-06 22:00:07 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-12-07 04:25:14 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-12-06 22:00:07 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-07 04:25:14 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-06 22:00:07 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-12-07 04:25:14 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-12-01 06:00:02 6,291,456 ----a-w c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2008-12-07 04:25:24 6,291,456 ----a-w c:\windows\System32\SMI\Store\Machine\schema.dat
- 2008-12-06 22:24:27 10,984 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-713068253-2880954056-535546135-1000_UserData.bin
+ 2008-12-07 04:14:54 11,140 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-713068253-2880954056-535546135-1000_UserData.bin
- 2008-12-06 22:24:27 77,194 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-12-07 04:14:54 77,334 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-11-23 17:50:53 144,898,477 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2008-12-07 04:30:39 149,818,448 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2006-11-02 09:41:09 2,048 ----a-w c:\windows\winsxs\x86_microsoft-windows-msxml30_31bf3856ad364e35_6.0.6001.18136_none_8853d47896e90b40\msxml3r.dll
+ 2006-11-02 09:41:09 2,048 ----a-w c:\windows\winsxs\x86_microsoft-windows-msxml60_31bf3856ad364e35_6.0.6001.18138_none_885590b496e78ad1\msxml6r.dll
+ 2008-09-15 22:27:41 2,413,072 ----a-w c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.16764_none_f064ff046e80cc5f\OESpamFilter.dat
+ 2008-09-15 22:27:41 2,413,072 ----a-w c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.20937_none_f1120e5787836182\OESpamFilter.dat
+ 2008-09-15 22:27:41 2,413,072 ----a-w c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.18157_none_f2590e746b9c8d64\OESpamFilter.dat
+ 2008-09-15 22:27:41 2,413,072 ----a-w c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.22288_none_f2c33bc584d19a58\OESpamFilter.dat
+ 2008-10-16 21:12:19 561,688 ----a-w c:\windows\winsxs\x86_microsoft-windows-w..owsupdateclient-aux_31bf3856ad364e35_7.2.6001.788_none_107673f57a433d77\wuapi.dll
+ 2008-10-16 20:55:59 83,456 ----a-w c:\windows\winsxs\x86_microsoft-windows-w..owsupdateclient-aux_31bf3856ad364e35_7.2.6001.788_none_107673f57a433d77\wudriver.dll
+ 2008-10-16 21:08:57 34,328 ----a-w c:\windows\winsxs\x86_microsoft-windows-w..owsupdateclient-aux_31bf3856ad364e35_7.2.6001.788_none_107673f57a433d77\wups.dll
+ 2008-10-16 18:56:04 31,232 ----a-w c:\windows\winsxs\x86_microsoft-windows-w..pdateclient-activex_31bf3856ad364e35_7.2.6001.788_none_ba8134361ffa6f73\wuapp.exe
+ 2008-10-16 19:08:00 162,064 ----a-w c:\windows\winsxs\x86_microsoft-windows-w..pdateclient-activex_31bf3856ad364e35_7.2.6001.788_none_ba8134361ffa6f73\wuwebv.dll
+ 2008-10-16 21:09:43 51,224 ----a-w c:\windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.2.6001.788_none_2a6539a96682e474\wuauclt.exe
+ 2008-10-16 21:13:38 1,809,944 ----a-w c:\windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.2.6001.788_none_2a6539a96682e474\wuaueng.dll
+ 2008-10-16 21:09:43 43,544 ----a-w c:\windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.2.6001.788_none_2a6539a96682e474\wups2.dll
+ 2008-10-16 20:56:28 1,524,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-windowsupdateclient-ui_31bf3856ad364e35_7.2.6001.788_none_a8125d5406872725\wucltux.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2006-11-10 417792]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 34352]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 413696]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-22 438272]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-12 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-12 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-12 133912]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-11 180224]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"DLBTCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2007-02-22 73728]
"FinePrint Dispatcher v5"="c:\windows\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2007-11-07 507904]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-07 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"RtHDVCpl"="RtHDVCpl.exe" [2007-02-15 c:\windows\RtHDVCpl.exe]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2008-02-11 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
--a------ 2007-01-17 15:46 534648 c:\program files\TOSHIBA\FlashCards\TCrdMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2007-07-01 09:10 1006264 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-713068253-2880954056-535546135-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"= c:\program files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D868D79A-2799-420B-881F-7A9D5911A04D}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{ECA6F099-DC1F-4C29-B4D1-7F7031789DDF}c:\\program files\\bitlord2\\bitlord.exe"= UDP:c:\program files\bitlord2\bitlord.exe:
"UDP Query User{AC253127-CE7B-4330-9A60-3C0D9C360CA8}c:\\program files\\bitlord2\\bitlord.exe"= TCP:c:\program files\bitlord2\bitlord.exe:
"{48FE10F8-E3D8-4F23-866E-8A3A590F15A6}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"TCP Query User{A396BE82-56D6-402B-A73D-C29F63B31143}c:\\program files\\macromedia\\dreamweaver mx 2004\\dreamweaver mx 2004\\dreamweaver.exe"= UDP:c:\program files\macromedia\dreamweaver mx 2004\dreamweaver mx 2004\dreamweaver.exe:Dreamweaver MX 2004
"UDP Query User{6CD7DD59-08E6-4B33-86EE-2E5BA4A868FC}c:\\program files\\macromedia\\dreamweaver mx 2004\\dreamweaver mx 2004\\dreamweaver.exe"= TCP:c:\program files\macromedia\dreamweaver mx 2004\dreamweaver mx 2004\dreamweaver.exe:Dreamweaver MX 2004
"TCP Query User{659DEA12-26F1-430C-BBEE-59E6BF59B94E}c:\\program files\\fotoquote\\fotoquote pro\\fotoquote pro.exe"= UDP:c:\program files\fotoquote\fotoquote pro\fotoquote pro.exe:FileMaker Pro Runtime
"UDP Query User{DF98034A-B57B-4179-836D-D59FD11B5772}c:\\program files\\fotoquote\\fotoquote pro\\fotoquote pro.exe"= TCP:c:\program files\fotoquote\fotoquote pro\fotoquote pro.exe:FileMaker Pro Runtime
"{28AF9551-69B6-42B8-9C2C-101D45E9B417}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{9259AC9A-3461-4A47-BF0D-29F3A312E11F}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3D6CA827-F09E-45A8-8676-FBC6229CEA98}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{00558A25-E5CC-4E77-9A78-DE0497A3EE93}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E92A1B70-4F16-4157-8291-E8754577EADB}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{0B37E93C-6A35-4BE2-ADBC-57142A2050C6}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{F81B5148-A4DA-4E15-B8B7-A3EEE1EF2E95}c:\\program files\\bitlord2\\bitlord.exe"= UDP:c:\program files\bitlord2\bitlord.exe:
"UDP Query User{7DE1ACB1-C08C-41C8-9640-711B9CD41219}c:\\program files\\bitlord2\\bitlord.exe"= TCP:c:\program files\bitlord2\bitlord.exe:
"{40577BC0-CE02-4B0D-8BB2-AE471A98C48E}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{2CCF14CD-0DD6-4BB0-AA6F-707EDB3FDA57}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{ABA45C8D-AC39-403B-A24F-B04A1BC5DAB5}"= UDP:c:\windows\System32\dlbtcoms.exe:Photo AIO Printer 922 Server
"{4595E466-06B2-4BC8-BAA2-4A4689E0C8A9}"= TCP:c:\windows\System32\dlbtcoms.exe:Photo AIO Printer 922 Server
"TCP Query User{2DB2DD63-250C-4AA6-A4E4-F40961018C78}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{79C25918-2BBE-4659-BACA-348942E583DE}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{BCEAB332-3A28-4FC0-A993-CDBC89B26910}c:\\program files\\macromedia\\dreamweaver mx 2004\\dreamweaver mx 2004\\dreamweaver.exe"= UDP:c:\program files\macromedia\dreamweaver mx 2004\dreamweaver mx 2004\dreamweaver.exe:Dreamweaver MX 2004
"UDP Query User{82189C37-163D-4208-B987-076490082B2D}c:\\program files\\macromedia\\dreamweaver mx 2004\\dreamweaver mx 2004\\dreamweaver.exe"= TCP:c:\program files\macromedia\dreamweaver mx 2004\dreamweaver mx 2004\dreamweaver.exe:Dreamweaver MX 2004
"TCP Query User{87163A53-F01E-46EE-9B46-3261C502E3A3}c:\\program files\\transcode360\\transcode360tray.exe"= UDP:c:\program files\transcode360\transcode360tray.exe:
"UDP Query User{3F1F06A5-DB49-4E24-A986-99BD3217C656}c:\\program files\\transcode360\\transcode360tray.exe"= TCP:c:\program files\transcode360\transcode360tray.exe:
"TCP Query User{7C404DEC-AB1C-4571-9C4F-3193B22DA2A7}c:\\program files\\nero\\nero 7\\nero home\\nerohome.exe"= UDP:c:\program files\nero\nero 7\nero home\nerohome.exe:Nero Home
"UDP Query User{9BBCE5FF-37BF-45A6-8A8C-C74ADAA38CE5}c:\\program files\\nero\\nero 7\\nero home\\nerohome.exe"= TCP:c:\program files\nero\nero 7\nero home\nerohome.exe:Nero Home
"TCP Query User{2237D760-3F17-4FD4-8963-C97A094B19C0}c:\\program files\\fotoquote\\fotoquote pro\\fotoquote pro.exe"= UDP:c:\program files\fotoquote\fotoquote pro\fotoquote pro.exe:FileMaker Pro Runtime
"UDP Query User{433BFB33-6BAB-43AA-ADE4-3A4EAEAB2623}c:\\program files\\fotoquote\\fotoquote pro\\fotoquote pro.exe"= TCP:c:\program files\fotoquote\fotoquote pro\fotoquote pro.exe:FileMaker Pro Runtime
"TCP Query User{280737EA-3D1D-4220-9A65-D0C5C093FF76}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{60C03FB8-E264-43F9-9423-CD9A933CEC8D}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{88291642-476F-429A-836A-EF87E40DE6C2}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{7653581D-222F-4D0B-849B-87EB18D6106E}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{3E8C9407-4374-4BD6-9BA4-1409D187D36D}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{F83CB695-F924-4B50-B87D-692A9A187F6C}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{3A3CB1A9-BC8A-48DF-88A0-4E2AB01E6B68}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{1DA0F47C-4729-4FBA-A154-6C87DF0C0393}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{4B3F7B4C-3DDD-4B6F-B43B-80E7A2BC22A5}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{4A7E8834-D377-4112-AA51-70A059A5157D}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"{E592D19E-284A-4B2C-986F-86EEC3416D5F}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{867E1F21-AE06-45FF-AE2A-779C00001CC9}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{1BC5F1AA-78E0-40E7-B819-35288AA18753}c:\\program files\\outlook messenger\\outlookmessenger.exe"= UDP:c:\program files\outlook messenger\outlookmessenger.exe:Outlook LAN Messenger
"UDP Query User{950807EF-E9F1-4A74-AA28-F548248FD2A8}c:\\program files\\outlook messenger\\outlookmessenger.exe"= TCP:c:\program files\outlook messenger\outlookmessenger.exe:Outlook LAN Messenger
"TCP Query User{97CAE664-67C3-4FF9-AC65-FB92EADBEE71}c:\\program files\\outlook messenger\\outlookmessenger.exe"= UDP:c:\program files\outlook messenger\outlookmessenger.exe:Outlook LAN Messenger
"UDP Query User{2EEB2B0A-1B74-495B-897B-3C96C2DB3265}c:\\program files\\outlook messenger\\outlookmessenger.exe"= TCP:c:\program files\outlook messenger\outlookmessenger.exe:Outlook LAN Messenger
"TCP Query User{DFCDB5F6-A8C7-4D2B-9905-2EAA97DBF24A}c:\\program files\\mozilla thunderbird\\thunderbird.exe"= UDP:c:\program files\mozilla thunderbird\thunderbird.exe:Mozilla Thunderbird
"UDP Query User{118BB044-5676-45B6-A125-85C13A33683D}c:\\program files\\mozilla thunderbird\\thunderbird.exe"= TCP:c:\program files\mozilla thunderbird\thunderbird.exe:Mozilla Thunderbird
"TCP Query User{47757E8B-FDDB-4581-BABC-8E79B81E5F36}c:\\program files\\mozilla thunderbird\\thunderbird.exe"= UDP:c:\program files\mozilla thunderbird\thunderbird.exe:Mozilla Thunderbird
"UDP Query User{6C4B0862-E8B3-4D12-A695-A5B2DEAA8DC3}c:\\program files\\mozilla thunderbird\\thunderbird.exe"= TCP:c:\program files\mozilla thunderbird\thunderbird.exe:Mozilla Thunderbird
"{29B187EB-119A-4AFA-9E31-3C355E7F336B}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{7481372D-CF0B-4BE6-B6BF-610780767722}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{8E0DAC45-703E-434A-94F7-226AB15467C5}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C563FB10-D72F-4257-BBD9-C6C638298842}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{CA9ED64C-6ECD-4055-9196-32757CE3ED06}c:\\users\\mike\\desktop\\charon\\charon.exe"= UDP:c:\users\mike\desktop\charon\charon.exe:charon.exe
"UDP Query User{2CF9F9EA-52AC-4081-B1CD-7788219CB14C}c:\\users\\mike\\desktop\\charon\\charon.exe"= TCP:c:\users\mike\desktop\charon\charon.exe:charon.exe
"TCP Query User{2B12A064-BCCC-4EFF-BF11-31786BF1D656}c:\\program files\\java\\jre6\\bin\\java.exe"= UDP:c:\program files\java\jre6\bin\java.exe:Java(TM) Platform SE binary
"UDP Query User{42DE9974-2D4C-4533-9447-50ED6164550E}c:\\program files\\java\\jre6\\bin\\java.exe"= TCP:c:\program files\java\jre6\bin\java.exe:Java(TM) Platform SE binary
"{7441EC15-29D3-4807-8EC9-A412EAA8BE0A}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{40D2CA80-AE70-44CE-B8CE-484189747EB6}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"= c:\program files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2eb8defb-5be3-11dd-baad-001b380fce33}]
\shell\Auto\command - H:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL H:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53192392-51c0-11dd-bfed-001b380fce33}]
\shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97220d00-a588-11dd-9f13-001b380fce33}]
\shell\Auto\command - G:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3377eca-956f-11dd-aa60-001b380fce33}]
\shell\Auto\command - G:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d2de67ff-ceec-11dc-a4d7-001b380fce33}]
\shell\Auto\command - F:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\Start.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-06 c:\windows\Tasks\User_Feed_Synchronization-{BD5D702C-63D3-4FB3-BDBC-448A5B11037E}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 04:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.shoptoshiba.ca/welcome
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Locate Spot on Map by GPS - c:\program files\Opanda\IExif 2.3\IExifMap.htm
IE: View Exif/GPS/IPTC with IExif - c:\program files\Opanda\IExif 2.3\IExifCom.htm
FireFox -: Profile - c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\v8c74e89.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.ca/
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\users\Mike\AppData\Roaming\Mozilla\plugins\npPxPlay.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 0050
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-07 0:09:23
ComboFix-quarantined-files.txt 2008-12-07 05:09:07
ComboFix2.txt 2008-12-07 04:24:55

Pre-Run: 34,945,343,488 bytes free
Post-Run: 34,909,745,152 bytes free

336 --- E O F --- 2008-12-07 04:31:26

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, December 7, 2008
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit (build 6000)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, December 07, 2008 18:38:47
Records in database: 1442673
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
Z:\

Scan statistics:
Files scanned: 118846
Threat name: 17
Infected objects: 30
Suspicious objects: 0
Duration of the scan: 04:21:35


File name / Threat name / Threats count
C:\Program Files\Adobe\Adobe Photoshop CS3\Plug-Ins\NoiseNinjaPlugin\fff-n2021.exe Infected: Trojan-Downloader.Win32.INService.bl 1
C:\Qoobox\Quarantine\C\Recycled\Recycled\ctfmon.exe.vir Infected: Trojan.Win32.VB.aqt 1
C:\Qoobox\Quarantine\C\Windows\System32\amdtglcq.dll.vir Infected: Trojan-PSW.Win32.QQPass.efx 1
C:\Qoobox\Quarantine\C\Windows\System32\ayxxssnu.dll.vir Infected: Packed.Win32.PolyCrypt.d 1
C:\Qoobox\Quarantine\C\Windows\System32\cmgmgf.dll.vir Infected: Trojan-Downloader.Win32.Zlob.acft 1
C:\Qoobox\Quarantine\C\Windows\System32\dPI02\dPI022328.exe.vir Infected: Trojan-Downloader.Win32.VB.fen 1
C:\Qoobox\Quarantine\C\Windows\System32\ecs1\HXEdv47.exe.vir Infected: Trojan.Win32.Agent.asjk 1
C:\Qoobox\Quarantine\C\Windows\System32\htefyjwm.dll.vir Infected: Trojan-PSW.Win32.QQPass.efx 1
C:\Qoobox\Quarantine\C\Windows\System32\kjdndoai.dll.vir Infected: Trojan.Win32.Monder.aaxp 1
C:\Qoobox\Quarantine\C\Windows\System32\llgoxwch.dll.vir Infected: Trojan.Win32.Monder.aaxp 1
C:\Qoobox\Quarantine\C\Windows\System32\lnqpdw.dll.vir Infected: Packed.Win32.PolyCrypt.d 1
C:\Qoobox\Quarantine\C\Windows\System32\nnnkJCTL.dll.vir Infected: Trojan.Win32.Monder.ywp 1
C:\Qoobox\Quarantine\C\Windows\System32\nnnljjGW.dll.vir Infected: Trojan.Win32.Monder.zfd 1
C:\Qoobox\Quarantine\C\Windows\System32\oapaqblh.dll.vir Infected: Packed.Win32.PolyCrypt.d 1
C:\Qoobox\Quarantine\C\Windows\System32\plvuygdy.dll.vir Infected: Trojan-Downloader.Win32.Zlob.acft 1
C:\Qoobox\Quarantine\C\Windows\System32\pxjzik.dll.vir Infected: Packed.Win32.PolyCrypt.d 1
C:\Qoobox\Quarantine\C\Windows\System32\rchkaajo.dll.vir Infected: Trojan.Win32.Monder.aaxp 1
C:\Qoobox\Quarantine\C\Windows\System32\seegnj.dll.vir Infected: Trojan-PSW.Win32.QQPass.efx 1
C:\Qoobox\Quarantine\C\Windows\System32\smdnhf.dll.vir Infected: not-a-virus:FraudTool.Win32.AntiVermins.v 1
C:\Qoobox\Quarantine\C\Windows\System32\sX3i02\sX3i022328.exe.vir Infected: Trojan-Downloader.Win32.VB.itq 1
C:\Qoobox\Quarantine\C\Windows\System32\uXPi02\uXPi022328.exe.vir Infected: Trojan-Downloader.Win32.VB.jci 1
C:\Qoobox\Quarantine\C\Windows\System32\vos\MTK63G.exe.vir Infected: Trojan-Downloader.Win32.Small.buy 1
C:\Qoobox\Quarantine\C\Windows\System32\wqxevw.dll.vir Infected: Trojan-PSW.Win32.QQPass.efx 1
C:\Qoobox\Quarantine\C\Windows\System32\ycyotwha.dll.vir Infected: not-a-virus:FraudTool.Win32.AntiVermins.v 1
C:\Qoobox\Quarantine\[4]-Submit_2008-12-07@0.02.zip Infected: Trojan-Downloader.Win32.Small.buy 1
C:\Qoobox\Quarantine\[4]-Submit_2008-12-07@0.02.zip Infected: Trojan-Downloader.Win32.Agent.atbu 1
C:\Qoobox\Quarantine\[4]-Submit_2008-12-07@0.02.zip Infected: Trojan.Win32.Agent.asjk 1
C:\Qoobox\Quarantine\[4]-Submit_2008-12-07@0.02.zip Infected: Trojan.Win32.Monder.aaqk 1
C:\Users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FB00PT65\_freescan[3].htm Infected: Trojan-Downloader.JS.Agent.czp 1
C:\Users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FB00PT65\_freescan[4].htm Infected: Trojan-Downloader.JS.Agent.czp 1

The scan was stopped by the user.
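For anyone working through a ComboFix "Reg Loading Points" section like the one in the log above, the items that deserve a second look are mechanical enough to script: Run values given as a bare file name (these are located through the search path at logon rather than from a fixed location, and ComboFix shows in brackets where it resolved them), UAC switched off (EnableLUA = 0), the firewall's standard profile switched off (EnableFirewall = 0), and mountpoints2 Auto/AutoRun handlers attached to removable drives. The script below is an added example, not code from this thread or from ComboFix; the sample section embedded in it is copied from the log above, and the finding labels are the example's own. It only flags entries for review: a bare-name Run value or a per-drive autorun handler is not by itself evidence of infection.

```python
import re

# ComboFix prints a [key] header followed by its "name"=data values.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
# mountpoints2 entries are printed as \shell\<verb>\command - <command line>
MOUNT_RE = re.compile(r"^\\shell\\(?P<verb>Auto|AutoRun)\\command - (?P<cmd>.+)$")

# Sample input: entries copied from the 'Reg Loading Points' section above.
SAMPLE_LOADING_POINTS = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 34352]
"RtHDVCpl"="RtHDVCpl.exe" [2007-02-15 c:\windows\RtHDVCpl.exe]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2eb8defb-5be3-11dd-baad-001b380fce33}]
\shell\Auto\command - H:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL H:\Start.exe
"""


def entries(text):
    """Yield (key, line) pairs, attaching each non-empty line to the last [key] header seen."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
        elif key and line:
            yield key, line


def run_value_path(data):
    """ComboFix writes Run data as "path" [date size]; return just the path part."""
    return data.split('"')[1] if data.startswith('"') else data.split()[0]


def review(text):
    """Return (label, key, name, detail) tuples for entries that deserve a look.

    Labels are this example's own: run-bare-name, uac-disabled,
    firewall-disabled, removable-autorun.
    """
    findings = []
    for key, line in entries(text):
        k = key.lower()
        v = VALUE_RE.match(line)
        if v and k.endswith("\\currentversion\\run"):
            path = run_value_path(v["data"])
            if "\\" not in path:  # no directory: found via the search path at logon
                findings.append(("run-bare-name", key, v["name"], path))
        elif v and k.endswith("\\policies\\system") and v["name"] == "EnableLUA":
            if v["data"].split()[0] == "0":
                findings.append(("uac-disabled", key, v["name"], v["data"]))
        elif v and "\\firewallpolicy\\standardprofile" in k and v["name"] == "EnableFirewall":
            if v["data"].split()[0] == "0":
                findings.append(("firewall-disabled", key, v["name"], v["data"]))
        elif "\\mountpoints2\\" in k:
            mm = MOUNT_RE.match(line)
            if mm:  # per-drive autorun handler; check what the target actually does
                findings.append(("removable-autorun", key, mm["verb"], mm["cmd"]))
    return findings


if __name__ == "__main__":
    for label, key, name, detail in review(SAMPLE_LOADING_POINTS):
        print(f"{label:18} {name} -> {detail}")
```

Feed it the whole "Reg Loading Points" block of a ComboFix log and it prints one line per flagged entry; anything it reports still has to be judged against what the binary or drive actually is.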
Old 12-07-2008, 10:02 PM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,485
OS: N/A


Re: This Virtumonde just won't die!!

Quote:
C:\Program Files\Adobe\Adobe Photoshop CS3\Plug-Ins\NoiseNinjaPlugin\fff-n2021.exe --> Trojan-Downloader.Win32.INService.bl 1
I'm not too certain about this detection. It may be a false positive. Please visit this website - http://virusscan.jotti.org
Submit the file for a comprehensive scan & then post the results back here.


--------


For the other files Kaspersky detected, do this ....


Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:
@echo off
REM fix.bat - delete the files Kaspersky flagged outside quarantine, then the
REM leftover tool folders. Anything that survives is listed in %temp%\log.txt.
if exist "%temp%\log.txt" del "%temp%\log.txt"

REM Live detections: /a matches the file whatever its attributes, /f forces
REM read-only files, /q suppresses the prompt. Log the path if it is still there.
for %%g in (
"C:\Users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FB00PT65\_freescan[3].htm"
"C:\Users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FB00PT65\_freescan[4].htm"
) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
REM Quarantine and backup folders left by earlier tools (VundoFix, DSS, ComboFix)
for %%g in (
"%systemdrive%\VundoFix Backups"
%systemdrive%\Deckard
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
REM Open the list of leftovers if there were any, otherwise report success
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
REM Pause about 7 seconds so the message can be read. nircmd.exe must be on the
REM PATH; if it is not, cmd prints "not recognized" and the script carries on.
nircmd wait 7000
REM Remove this batch file itself
del %0
Save this as fix.bat. Choose "Save as type - All Files".
It should look like this:
Right click on fix.bat & select "Run As Administrator"

Post back to tell me what it says
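Before acting on a Kaspersky Online Scanner list like the one posted above, it helps to separate detections that are already sitting in an earlier tool's quarantine (the C:\Qoobox\Quarantine\...\*.vir files and the submit archive) from cached browser pages and from files still live in their original location, which is the split sUBs makes above: the two cached .htm files and the tool folders go into the batch file, and the one live executable gets a second-opinion scan. The script below is an added example, not code from this thread or from any tool it mentions; the report lines embedded in it are copied from the scan output above, and the class names are the example's own.

```python
import re
from collections import Counter

# One Kaspersky Online Scanner 7 detection line looks like:
#   <path> Infected: <threat name> <count>
DETECTION_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")

# Sample input: the header and five detection lines copied from the report above.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Program Files\Adobe\Adobe Photoshop CS3\Plug-Ins\NoiseNinjaPlugin\fff-n2021.exe Infected: Trojan-Downloader.Win32.INService.bl 1
C:\Qoobox\Quarantine\C\Windows\System32\kjdndoai.dll.vir Infected: Trojan.Win32.Monder.aaxp 1
C:\Qoobox\Quarantine\C\Windows\System32\smdnhf.dll.vir Infected: not-a-virus:FraudTool.Win32.AntiVermins.v 1
C:\Qoobox\Quarantine\[4]-Submit_2008-12-07@0.02.zip Infected: Trojan-Downloader.Win32.Small.buy 1
C:\Users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FB00PT65\_freescan[3].htm Infected: Trojan-Downloader.JS.Agent.czp 1
"""


def parse_detection(line):
    """Return {'path', 'threat', 'count'} for a detection line, or None for anything else."""
    m = DETECTION_RE.match(line.strip())
    if not m:
        return None
    return {"path": m["path"], "threat": m["threat"], "count": int(m["count"])}


def classify(path):
    """Class names are this example's own convention, not Kaspersky's."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p or "\\vundofix backups\\" in p:
        return "quarantined"    # already neutralised by ComboFix/VundoFix; remove the folder
    if "\\temporary internet files\\" in p:
        return "browser-cache"  # cached exploit page; inert unless reopened, just delete it
    return "live"               # still on disk where it was installed: needs a decision


def triage(report_text):
    """Parse every detection line in the report and attach a class to it."""
    results = []
    for line in report_text.splitlines():
        rec = parse_detection(line)
        if rec:
            rec["class"] = classify(rec["path"])
            results.append(rec)
    return results


def summary(results):
    """Count of detections per class."""
    return dict(Counter(r["class"] for r in results))


def live_paths(results):
    """Paths the analyst still has to look at (e.g. submit to a multi-engine scanner)."""
    return [r["path"] for r in results if r["class"] == "live"]


if __name__ == "__main__":
    found = triage(SAMPLE_REPORT)
    print(summary(found))
    for path in live_paths(found):
        print("still on disk:", path)
```

Run against the full report, the "live" list is the only part that needs judgement; the quarantined entries are dealt with by deleting the quarantine folders, as the batch file above does.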
Old 12-07-2008, 10:14 PM   #7 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 15
OS: Vista


Re: This Virtumonde just won't die!!

That one file fff-n2021.exe was full of trojans and such... but I shift-deleted that straight off the hard drive.

Ran fix.bat and got "Deleted Successfully !!"
Old 12-07-2008, 10:25 PM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,485
OS: N/A


Re: This Virtumonde just won't die!!

Quote:
I shift-deleted that straight off the hard drive
Good work. Your system is now clean. Kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /u


  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  3. Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  4. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here - http://www.bleepingcomputer.com/forums/tutorial49.html

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
Old 12-07-2008, 10:33 PM   #9 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 15
OS: Vista


Re: This Virtumonde just won't die!!

AMAZING HELP. All fixed up!! Where do we donate some money that would have gone to Advil for the headaches of formatting?
Old 12-07-2008, 10:50 PM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,485
OS: N/A


Re: This Virtumonde just won't die!!

http://www.techsupportforum.com/secu...m-com-you.html

I thank you on behalf of the children
Old 12-08-2008, 10:41 PM   #11 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 15
OS: Vista


Re: This Virtumonde just won't die!!

****, not out of the woodwork yet! Pop up came back today.. wasn't visiting any site out of the ordinary... and I had SpywareBlaster installed. Must have been something left over from before when I didn't let Kaspersky get all the way through.

Malwarebytes came up with 58 entries which I tried to fix... a few had to be done on restart... Spybot S&D is running now... so far I'm looking at: Virtumonde, Command Service, Smitfraud-C, Win32-Small.buy, Win32.Agent.amwr and 2 MediaPlex browser entries... apparently Spybot S&D fixed them all... Don't believe it... going to post up the logs in a couple minutes...
mikejl29 is offline  
Old 12-08-2008, 10:55 PM   #12 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,485
OS: N/A


Re: This Virtumonde just won't die!!

Stop all those scans. Just run ComboFix & show me the logs.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 12-08-2008, 11:59 PM   #13 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 15
OS: Vista


Re: This Virtumonde just won't die!!

Alright here is the ComboFix log:

ComboFix 08-12-07.04 - Mike 2008-12-09 1:47:06.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1290 [GMT -5:00]
Running from: c:\users\Mike\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\DIV55
c:\temp\DIV55\xDb.log
c:\users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\bestwiner.stt
c:\users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\CPV.stt
c:\users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\fbk.sts
c:\windows\system32\op4
c:\windows\system32\uXPi02
c:\windows\system32\uXPi02\uXPi022328.exe
c:\windows\system32\vos
c:\windows\system32\vos\MTK63G.exe
c:\windows\TWlrZQ
c:\windows\TWlrZQ\nq5Otk.vbs

.
((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-08 23:21 . 2008-12-08 23:21 316 --a------ c:\windows\System32\477.bat
2008-12-08 00:29 . 2008-12-08 00:29 <DIR> d-------- c:\users\All Users\TEMP
2008-12-08 00:29 . 2008-12-08 00:29 <DIR> d-------- c:\programdata\TEMP
2008-12-08 00:29 . 2008-12-08 00:29 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-06 23:31 . 2008-09-04 23:48 1,194,496 --a------ c:\windows\System32\msxml3.dll
2008-12-06 23:31 . 2008-10-21 22:43 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-12-06 23:31 . 2008-08-25 20:11 211,456 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-12-06 23:31 . 2008-10-21 22:43 160,768 --a------ c:\windows\System32\PortableDeviceTypes.dll
2008-12-06 23:31 . 2008-10-21 22:43 95,232 --a------ c:\windows\System32\PortableDeviceClassExtension.dll
2008-12-06 23:31 . 2008-09-04 23:45 2,048 --a------ c:\windows\System32\msxml3r.dll
2008-12-06 23:30 . 2008-10-21 00:16 1,645,568 --a------ c:\windows\System32\connect.dll
2008-12-06 23:30 . 2008-08-27 22:24 712,192 --a------ c:\windows\System32\WindowsCodecs.dll
2008-12-06 23:30 . 2008-08-27 22:24 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-12-06 23:30 . 2008-08-27 22:24 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-12-06 23:29 . 2008-09-09 22:25 1,341,440 --a------ c:\windows\System32\msxml6.dll
2008-12-06 23:29 . 2008-09-09 22:21 2,048 --a------ c:\windows\System32\msxml6r.dll
2008-12-06 23:24 . 2008-10-16 16:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-12-06 23:24 . 2008-10-16 15:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-12-06 23:24 . 2008-08-05 22:27 1,244,672 --a------ c:\windows\System32\mcmde.dll
2008-12-06 23:24 . 2008-08-05 22:27 428,032 --a------ c:\windows\System32\EncDec.dll
2008-12-06 23:24 . 2008-08-05 22:27 292,352 --a------ c:\windows\System32\psisdecd.dll
2008-12-06 23:24 . 2008-08-05 22:26 217,088 --a------ c:\windows\System32\psisrndr.ax
2008-12-06 23:24 . 2008-08-05 22:26 177,152 --a------ c:\windows\System32\mpg2splt.ax
2008-12-06 23:24 . 2008-08-05 22:26 80,896 --a------ c:\windows\System32\MSNP.ax
2008-12-06 23:24 . 2008-08-05 22:26 68,608 --a------ c:\windows\System32\Mpeg2Data.ax
2008-12-06 23:24 . 2008-08-05 22:26 57,856 --a------ c:\windows\System32\MSDvbNP.ax
2008-12-06 23:24 . 2008-10-16 16:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-12-06 23:24 . 2008-10-16 16:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-12-06 23:23 . 2008-10-16 16:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-12-06 23:23 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-12-06 23:23 . 2008-10-16 15:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-12-06 23:23 . 2008-10-16 16:08 34,328 --a------ c:\windows\System32\wups.dll
2008-12-06 23:23 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-12-06 16:36 . 2008-12-06 16:36 <DIR> d-------- c:\program files\Trend Micro
2008-12-02 13:08 . 2008-12-02 13:12 <DIR> d-------- c:\program files\wamp
2008-11-30 13:06 . 2008-12-09 00:49 250 --a------ c:\windows\gmer.ini
2008-11-28 01:04 . 2008-11-28 10:53 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy
2008-11-28 01:04 . 2008-11-28 10:53 <DIR> d-------- c:\programdata\Spybot - Search & Destroy
2008-11-28 01:04 . 2008-11-28 01:13 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-25 12:40 . 2008-11-25 12:40 <DIR> d-------- c:\users\Mike\AppData\Roaming\HandBrake
2008-11-25 00:18 . 2008-11-25 00:20 <DIR> d-------- c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-25 00:18 . 2008-11-25 00:20 <DIR> d-------- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-25 00:18 . 2008-11-25 00:18 <DIR> d-------- c:\program files\iPod
2008-11-24 12:26 . 2008-11-24 12:26 <DIR> d-------- c:\users\All Users\FlashFXP
2008-11-24 12:26 . 2008-11-24 12:26 <DIR> d-------- c:\programdata\FlashFXP
2008-11-10 23:34 . 2008-11-10 23:35 <DIR> d-------- c:\program files\ImageMagick-6.4.5-Q16
2008-11-10 18:16 . 2008-11-10 18:32 <DIR> d-------- C:\VueScan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 05:34 --------- d-----w c:\program files\Java
2008-12-07 21:22 --------- d-----w c:\program files\dl_Cats
2008-12-06 22:12 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-06 22:10 --------- d-----w c:\program files\Common Files\DVDVideoSoft
2008-12-06 22:09 47,360 ----a-w c:\users\Mike\AppData\Roaming\pcouffin.sys
2008-12-06 22:09 --------- d-----w c:\users\Mike\AppData\Roaming\Vso
2008-12-06 22:08 --------- d-----w c:\program files\SlySoft
2008-12-06 22:08 --------- d-----w c:\program files\CamStudio
2008-11-26 03:51 --------- d-----w c:\users\Mike\AppData\Roaming\uTorrent
2008-11-25 05:19 --------- d-----w c:\program files\iTunes
2008-11-25 05:18 --------- d-----w c:\program files\Common Files\Apple
2008-11-25 05:12 --------- d-----w c:\program files\QuickTime
2008-11-24 02:48 --------- d-----w c:\program files\Mozilla Thunderbird
2008-11-20 16:52 --------- d-----w c:\programdata\FLEXnet
2008-11-16 02:42 --------- d-----w c:\program files\RocketDock
2008-11-10 10:43 410,984 ----a-w c:\windows\System32\deploytk.dll
2008-11-04 20:40 --------- d-----w c:\users\Mike\AppData\Roaming\Malwarebytes
2008-11-04 20:40 --------- d-----w c:\programdata\Malwarebytes
2008-11-04 20:40 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-04 19:06 --------- d-----w c:\programdata\Lavasoft
2008-10-27 18:11 --------- d-----w c:\program files\DivX
2008-10-25 07:06 --------- d-----w c:\users\Mike\AppData\Roaming\dvdcss
2008-10-22 21:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 21:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-21 16:23 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-16 07:11 --------- d-----w c:\program files\Windows Mail
2008-10-15 14:25 644,976 ----a-w c:\program files\autoruns.exe
2008-10-15 14:25 538,480 ----a-w c:\program files\autorunsc.exe
2008-10-02 03:49 826,368 ----a-w c:\windows\System32\wininet.dll
2008-10-02 03:49 56,320 ----a-w c:\windows\System32\iesetup.dll
2008-10-02 03:49 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-10-02 03:48 26,624 ----a-w c:\windows\System32\ieUnatt.exe
2008-09-30 21:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-19 21:55 200,704 ----a-w c:\windows\System32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\System32\libdivx.dll
2008-09-18 04:35 3,505,208 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 04:35 3,470,904 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 02:03 2,027,520 ----a-w c:\windows\System32\win32k.sys
2008-08-20 19:18 48,986 ----a-w c:\program files\autoruns.chm
2008-07-10 12:27 174 --sha-w c:\program files\desktop.ini
2008-04-24 16:54 0 ----a-w c:\users\All Users\PKP_DLdy.DAT
2008-04-24 16:54 0 ----a-w c:\programdata\PKP_DLdy.DAT
2008-04-24 16:39 0 ----a-w c:\users\All Users\PKP_DLbz.DAT
2008-04-24 16:39 0 ----a-w c:\programdata\PKP_DLbz.DAT
2008-03-07 16:15 4,581,415 ----a-w c:\users\Mike\allok_flvconverter-trial.exe
2006-07-28 13:32 7,005 ------w c:\program files\Eula.txt
2008-04-26 21:20 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-04-26 21:20 32,768 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-04-26 21:20 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2006-11-10 417792]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 34352]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 413696]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-22 438272]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-12 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-12 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-12 133912]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-11 180224]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"DLBTCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2007-02-22 73728]
"FinePrint Dispatcher v5"="c:\windows\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2007-11-07 507904]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"RtHDVCpl"="RtHDVCpl.exe" [2007-02-15 c:\windows\RtHDVCpl.exe]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2008-02-11 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
--a------ 2007-01-17 15:46 534648 c:\program files\TOSHIBA\FlashCards\TCrdMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2007-07-01 09:10 1006264 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-713068253-2880954056-535546135-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"= c:\program files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D868D79A-2799-420B-881F-7A9D5911A04D}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{ECA6F099-DC1F-4C29-B4D1-7F7031789DDF}c:\\program files\\bitlord2\\bitlord.exe"= UDP:c:\program files\bitlord2\bitlord.exe:
"UDP Query User{AC253127-CE7B-4330-9A60-3C0D9C360CA8}c:\\program files\\bitlord2\\bitlord.exe"= TCP:c:\program files\bitlord2\bitlord.exe:
"{48FE10F8-E3D8-4F23-866E-8A3A590F15A6}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"TCP Query User{A396BE82-56D6-402B-A73D-C29F63B31143}c:\\program files\\macromedia\\dreamweaver mx 2004\\dreamweaver mx 2004\\dreamweaver.exe"= UDP:c:\program files\macromedia\dreamweaver mx 2004\dreamweaver mx 2004\dreamweaver.exe:Dreamweaver MX 2004
"UDP Query User{6CD7DD59-08E6-4B33-86EE-2E5BA4A868FC}c:\\program files\\macromedia\\dreamweaver mx 2004\\dreamweaver mx 2004\\dreamweaver.exe"= TCP:c:\program files\macromedia\dreamweaver mx 2004\dreamweaver mx 2004\dreamweaver.exe:Dreamweaver MX 2004
"TCP Query User{659DEA12-26F1-430C-BBEE-59E6BF59B94E}c:\\program files\\fotoquote\\fotoquote pro\\fotoquote pro.exe"= UDP:c:\program files\fotoquote\fotoquote pro\fotoquote pro.exe:FileMaker Pro Runtime
"UDP Query User{DF98034A-B57B-4179-836D-D59FD11B5772}c:\\program files\\fotoquote\\fotoquote pro\\fotoquote pro.exe"= TCP:c:\program files\fotoquote\fotoquote pro\fotoquote pro.exe:FileMaker Pro Runtime
"{28AF9551-69B6-42B8-9C2C-101D45E9B417}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{9259AC9A-3461-4A47-BF0D-29F3A312E11F}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3D6CA827-F09E-45A8-8676-FBC6229CEA98}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{00558A25-E5CC-4E77-9A78-DE0497A3EE93}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E92A1B70-4F16-4157-8291-E8754577EADB}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{0B37E93C-6A35-4BE2-ADBC-57142A2050C6}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{F81B5148-A4DA-4E15-B8B7-A3EEE1EF2E95}c:\\program files\\bitlord2\\bitlord.exe"= UDP:c:\program files\bitlord2\bitlord.exe:
"UDP Query User{7DE1ACB1-C08C-41C8-9640-711B9CD41219}c:\\program files\\bitlord2\\bitlord.exe"= TCP:c:\program files\bitlord2\bitlord.exe:
"{40577BC0-CE02-4B0D-8BB2-AE471A98C48E}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{2CCF14CD-0DD6-4BB0-AA6F-707EDB3FDA57}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{ABA45C8D-AC39-403B-A24F-B04A1BC5DAB5}"= UDP:c:\windows\System32\dlbtcoms.exe:Photo AIO Printer 922 Server
"{4595E466-06B2-4BC8-BAA2-4A4689E0C8A9}"= TCP:c:\windows\System32\dlbtcoms.exe:Photo AIO Printer 922 Server
"TCP Query User{2DB2DD63-250C-4AA6-A4E4-F40961018C78}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{79C25918-2BBE-4659-BACA-348942E583DE}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{BCEAB332-3A28-4FC0-A993-CDBC89B26910}c:\\program files\\macromedia\\dreamweaver mx 2004\\dreamweaver mx 2004\\dreamweaver.exe"= UDP:c:\program files\macromedia\dreamweaver mx 2004\dreamweaver mx 2004\dreamweaver.exe:Dreamweaver MX 2004
"UDP Query User{82189C37-163D-4208-B987-076490082B2D}c:\\program files\\macromedia\\dreamweaver mx 2004\\dreamweaver mx 2004\\dreamweaver.exe"= TCP:c:\program files\macromedia\dreamweaver mx 2004\dreamweaver mx 2004\dreamweaver.exe:Dreamweaver MX 2004
"TCP Query User{87163A53-F01E-46EE-9B46-3261C502E3A3}c:\\program files\\transcode360\\transcode360tray.exe"= UDP:c:\program files\transcode360\transcode360tray.exe:
"UDP Query User{3F1F06A5-DB49-4E24-A986-99BD3217C656}c:\\program files\\transcode360\\transcode360tray.exe"= TCP:c:\program files\transcode360\transcode360tray.exe:
"TCP Query User{7C404DEC-AB1C-4571-9C4F-3193B22DA2A7}c:\\program files\\nero\\nero 7\\nero home\\nerohome.exe"= UDP:c:\program files\nero\nero 7\nero home\nerohome.exe:Nero Home
"UDP Query User{9BBCE5FF-37BF-45A6-8A8C-C74ADAA38CE5}c:\\program files\\nero\\nero 7\\nero home\\nerohome.exe"= TCP:c:\program files\nero\nero 7\nero home\nerohome.exe:Nero Home
"TCP Query User{2237D760-3F17-4FD4-8963-C97A094B19C0}c:\\program files\\fotoquote\\fotoquote pro\\fotoquote pro.exe"= UDP:c:\program files\fotoquote\fotoquote pro\fotoquote pro.exe:FileMaker Pro Runtime
"UDP Query User{433BFB33-6BAB-43AA-ADE4-3A4EAEAB2623}c:\\program files\\fotoquote\\fotoquote pro\\fotoquote pro.exe"= TCP:c:\program files\fotoquote\fotoquote pro\fotoquote pro.exe:FileMaker Pro Runtime
"TCP Query User{280737EA-3D1D-4220-9A65-D0C5C093FF76}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{60C03FB8-E264-43F9-9423-CD9A933CEC8D}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{88291642-476F-429A-836A-EF87E40DE6C2}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{7653581D-222F-4D0B-849B-87EB18D6106E}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{3E8C9407-4374-4BD6-9BA4-1409D187D36D}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{F83CB695-F924-4B50-B87D-692A9A187F6C}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{3A3CB1A9-BC8A-48DF-88A0-4E2AB01E6B68}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{1DA0F47C-4729-4FBA-A154-6C87DF0C0393}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{4B3F7B4C-3DDD-4B6F-B43B-80E7A2BC22A5}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{4A7E8834-D377-4112-AA51-70A059A5157D}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"{E592D19E-284A-4B2C-986F-86EEC3416D5F}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{867E1F21-AE06-45FF-AE2A-779C00001CC9}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{1BC5F1AA-78E0-40E7-B819-35288AA18753}c:\\program files\\outlook messenger\\outlookmessenger.exe"= UDP:c:\program files\outlook messenger\outlookmessenger.exe:Outlook LAN Messenger
"UDP Query User{950807EF-E9F1-4A74-AA28-F548248FD2A8}c:\\program files\\outlook messenger\\outlookmessenger.exe"= TCP:c:\program files\outlook messenger\outlookmessenger.exe:Outlook LAN Messenger
"TCP Query User{97CAE664-67C3-4FF9-AC65-FB92EADBEE71}c:\\program files\\outlook messenger\\outlookmessenger.exe"= UDP:c:\program files\outlook messenger\outlookmessenger.exe:Outlook LAN Messenger
"UDP Query User{2EEB2B0A-1B74-495B-897B-3C96C2DB3265}c:\\program files\\outlook messenger\\outlookmessenger.exe"= TCP:c:\program files\outlook messenger\outlookmessenger.exe:Outlook LAN Messenger
"TCP Query User{DFCDB5F6-A8C7-4D2B-9905-2EAA97DBF24A}c:\\program files\\mozilla thunderbird\\thunderbird.exe"= UDP:c:\program files\mozilla thunderbird\thunderbird.exe:Mozilla Thunderbird
"UDP Query User{118BB044-5676-45B6-A125-85C13A33683D}c:\\program files\\mozilla thunderbird\\thunderbird.exe"= TCP:c:\program files\mozilla thunderbird\thunderbird.exe:Mozilla Thunderbird
"TCP Query User{47757E8B-FDDB-4581-BABC-8E79B81E5F36}c:\\program files\\mozilla thunderbird\\thunderbird.exe"= UDP:c:\program files\mozilla thunderbird\thunderbird.exe:Mozilla Thunderbird
"UDP Query User{6C4B0862-E8B3-4D12-A695-A5B2DEAA8DC3}c:\\program files\\mozilla thunderbird\\thunderbird.exe"= TCP:c:\program files\mozilla thunderbird\thunderbird.exe:Mozilla Thunderbird
"{29B187EB-119A-4AFA-9E31-3C355E7F336B}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{7481372D-CF0B-4BE6-B6BF-610780767722}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{8E0DAC45-703E-434A-94F7-226AB15467C5}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C563FB10-D72F-4257-BBD9-C6C638298842}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{CA9ED64C-6ECD-4055-9196-32757CE3ED06}c:\\users\\mike\\desktop\\charon\\charon.exe"= UDP:c:\users\mike\desktop\charon\charon.exe:charon.exe
"UDP Query User{2CF9F9EA-52AC-4081-B1CD-7788219CB14C}c:\\users\\mike\\desktop\\charon\\charon.exe"= TCP:c:\users\mike\desktop\charon\charon.exe:charon.exe
"TCP Query User{2B12A064-BCCC-4EFF-BF11-31786BF1D656}c:\\program files\\java\\jre6\\bin\\java.exe"= UDP:c:\program files\java\jre6\bin\java.exe:Java(TM) Platform SE binary
"UDP Query User{42DE9974-2D4C-4533-9447-50ED6164550E}c:\\program files\\java\\jre6\\bin\\java.exe"= TCP:c:\program files\java\jre6\bin\java.exe:Java(TM) Platform SE binary
"{7441EC15-29D3-4807-8EC9-A412EAA8BE0A}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{40D2CA80-AE70-44CE-B8CE-484189747EB6}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"= c:\program files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2eb8defb-5be3-11dd-baad-001b380fce33}]
\shell\Auto\command - H:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL H:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53192392-51c0-11dd-bfed-001b380fce33}]
\shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97220d00-a588-11dd-9f13-001b380fce33}]
\shell\Auto\command - G:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3377eca-956f-11dd-aa60-001b380fce33}]
\shell\Auto\command - G:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d2de67ff-ceec-11dc-a4d7-001b380fce33}]
\shell\Auto\command - F:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\Start.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-09 c:\windows\Tasks\User_Feed_Synchronization-{BD5D702C-63D3-4FB3-BDBC-448A5B11037E}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 04:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.shoptoshiba.ca/welcome
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Locate Spot on Map by GPS - c:\program files\Opanda\IExif 2.3\IExifMap.htm
IE: View Exif/GPS/IPTC with IExif - c:\program files\Opanda\IExif 2.3\IExifCom.htm
FireFox -: Profile - c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\v8c74e89.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.ca/
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\users\Mike\AppData\Roaming\Mozilla\plugins\npPxPlay.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 01:53:51
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-12-09 1:57:58
ComboFix-quarantined-files.txt 2008-12-09 06:56:38
ComboFix2.txt 2008-12-07 05:09:24

Pre-Run: 43,096,416,256 bytes free
Post-Run: 42,860,548,096 bytes free

299 --- E O F --- 2008-12-08 16:53:14
mikejl29 is offline  
Old 12-09-2008, 01:22 PM   #14 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,485
OS: N/A


Re: This Virtumonde just won't die!!

You shouldn't be getting any pop-ups after the ComboFix run. Let me know if that isn't true.

Open NOTEPAD and copy/paste the text in the quotebox below into it:

Code:
File::
c:\windows\System32\477.bat
DIRLOOK::
c:\users\All Users\TEMP
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2eb8defb-5be3-11dd-baad-001b380fce33}]
Save this as "CFScript"

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
__________________

Question - what have you done for the community today?
sUBs is offline  
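An added example, not from this thread and not part of ComboFix: a Python script that pulls the mountpoints2 entries out of the "Reg Loading Points" log format shown above, ranks the keys whose verbs launch a file from a drive other than the system drive, and emits the top-ranked ones in the Registry:: form the reply uses. The sample text is constructed from the entries in the log above; the scoring rule and every function name are this example's own assumptions.

```python
import re

# Constructed sample: the mountpoints2 block from the ComboFix log posted above,
# with the svchost key in front of it so the parser has to skip an unrelated section.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2eb8defb-5be3-11dd-baad-001b380fce33}]
\shell\Auto\command - H:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL H:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53192392-51c0-11dd-bfed-001b380fce33}]
\shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97220d00-a588-11dd-9f13-001b380fce33}]
\shell\Auto\command - G:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3377eca-956f-11dd-aa60-001b380fce33}]
\shell\Auto\command - G:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d2de67ff-ceec-11dc-a4d7-001b380fce33}]
\shell\Auto\command - F:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\Start.exe
.
"""

KEY_RE = re.compile(r'^\[(HKEY_[^\]]*\\mountpoints2\\\{[0-9a-f-]+\})\]$', re.IGNORECASE)
VERB_RE = re.compile(r'^\\shell\\([^\\]+)\\command - (.+)$', re.IGNORECASE)
# The AutoRun verb in these entries is wrapped as
# "RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL <target>"; pull <target> out.
SHELLEXEC_RE = re.compile(r'ShellExec_RunDLL\s+(.+)$', re.IGNORECASE)
DRIVE_RE = re.compile(r'^([A-Z]):\\', re.IGNORECASE)


def parse_mountpoints(log_text):
    """Map each mountpoints2 key in the log to its {verb: command} lines."""
    entries, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = {}
        elif line.startswith('['):          # some other key: stop collecting verbs
            current = None
        elif current is not None:
            v = VERB_RE.match(line)
            if v:
                entries[current][v.group(1)] = v.group(2).strip()
    return entries


def launched_target(command):
    """The file a verb finally launches, unwrapping the ShellExec_RunDLL indirection."""
    m = SHELLEXEC_RE.search(command)
    return m.group(1).strip() if m else command.strip()


def triage(log_text, system_drive='C'):
    """Rank mountpoints2 keys whose verbs launch a file from a non-system drive.

    Score = number of verbs on the key that point off the system drive (assumed
    heuristic). The H: key the reply above deletes has Auto plus AutoRun wired to
    the same Start.exe and scores 2; a lone AutoRun such as a U3 launcher scores 1.
    """
    findings = []
    for key, verbs in parse_mountpoints(log_text).items():
        offdrive = {}
        for verb, cmd in verbs.items():
            target = launched_target(cmd)
            d = DRIVE_RE.match(target)
            if d and d.group(1).upper() != system_drive.upper():
                offdrive[verb] = target
        if offdrive:
            findings.append({'key': key, 'targets': offdrive, 'score': len(offdrive)})
    findings.sort(key=lambda f: -f['score'])   # stable: log order within a score
    return findings


def cfscript_registry_block(findings, min_score=2):
    """Registry:: section in the CFScript form used in the reply above ([-key]
    removes the key), limited to findings at or above min_score; '' if none."""
    keys = [f['key'] for f in findings if f['score'] >= min_score]
    if not keys:
        return ''
    return 'Registry::\n' + ''.join(f'[-{k}]\n' for k in keys)


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        guid = f['key'].rsplit('\\', 1)[1]
        print(f"score {f['score']}  {guid}  {f['targets']}")
    print(cfscript_registry_block(triage(SAMPLE_LOG)), end='')
```

The generated Registry:: block is a review aid for the analyst, not something to run unread; the F: LaunchU3.exe key is deliberately left below the cut-off.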
Old 12-09-2008, 02:39 PM   #15 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 15
OS: Vista


Re: This Virtumonde just won't die!!

Small problem off the start with CFix.
"The system can't find message text for message number 0x8 in message file for system"

And the result of the report...

ComboFix 08-12-07.04 - Mike 2008-12-09 16:27:02.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1225 [GMT -5:00]
Running from: c:\users\Mike\Desktop\ComboFix.exe
Command switches used :: c:\users\Mike\Desktop\CFScript.txt

FILE ::
c:\windows\System32\477.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\477.bat

.
((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 05:34 --------- d-----w c:\program files\Java
2008-12-08 05:29 --------- d-----w c:\programdata\TEMP
2008-12-08 05:29 --------- d-----w c:\program files\SpywareBlaster
2008-12-07 21:22 --------- d-----w c:\program files\dl_Cats
2008-12-06 22:12 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-06 22:10 --------- d-----w c:\program files\Common Files\DVDVideoSoft
2008-12-06 22:09 47,360 ----a-w c:\users\Mike\AppData\Roaming\pcouffin.sys
2008-12-06 22:09 --------- d-----w c:\users\Mike\AppData\Roaming\Vso
2008-12-06 22:08 --------- d-----w c:\program files\SlySoft
2008-12-06 22:08 --------- d-----w c:\program files\CamStudio
2008-12-06 21:36 --------- d-----w c:\program files\Trend Micro
2008-12-02 18:12 --------- d-----w c:\program files\wamp
2008-11-28 15:53 --------- d-----w c:\programdata\Spybot - Search & Destroy
2008-11-28 06:13 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-26 03:51 --------- d-----w c:\users\Mike\AppData\Roaming\uTorrent
2008-11-25 17:40 --------- d-----w c:\users\Mike\AppData\Roaming\HandBrake
2008-11-25 05:20 --------- d-----w c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-25 05:19 --------- d-----w c:\program files\iTunes
2008-11-25 05:18 --------- d-----w c:\program files\iPod
2008-11-25 05:18 --------- d-----w c:\program files\Common Files\Apple
2008-11-25 05:12 --------- d-----w c:\program files\QuickTime
2008-11-24 17:26 --------- d-----w c:\programdata\FlashFXP
2008-11-24 02:48 --------- d-----w c:\program files\Mozilla Thunderbird
2008-11-20 16:52 --------- d-----w c:\programdata\FLEXnet
2008-11-16 02:42 --------- d-----w c:\program files\RocketDock
2008-11-11 04:35 --------- d-----w c:\program files\ImageMagick-6.4.5-Q16
2008-11-10 10:43 410,984 ----a-w c:\windows\System32\deploytk.dll
2008-11-04 20:40 --------- d-----w c:\users\Mike\AppData\Roaming\Malwarebytes
2008-11-04 20:40 --------- d-----w c:\programdata\Malwarebytes
2008-11-04 20:40 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-04 19:06 --------- d-----w c:\programdata\Lavasoft
2008-10-27 18:11 --------- d-----w c:\program files\DivX
2008-10-25 07:06 --------- d-----w c:\users\Mike\AppData\Roaming\dvdcss
2008-10-22 21:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 21:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-22 03:43 95,232 ----a-w c:\windows\System32\PortableDeviceClassExtension.dll
2008-10-22 03:43 241,152 ----a-w c:\windows\System32\PortableDeviceApi.dll
2008-10-22 03:43 160,768 ----a-w c:\windows\System32\PortableDeviceTypes.dll
2008-10-21 16:23 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-21 05:16 1,645,568 ----a-w c:\windows\System32\connect.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\System32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\System32\wuapi.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\System32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\System32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\System32\wups.dll
2008-10-16 20:56 1,524,736 ----a-w c:\windows\System32\wucltux.dll
2008-10-16 20:55 83,456 ----a-w c:\windows\System32\wudriver.dll
2008-10-16 19:08 162,064 ----a-w c:\windows\System32\wuwebv.dll
2008-10-16 18:56 31,232 ----a-w c:\windows\System32\wuapp.exe
2008-10-16 07:11 --------- d-----w c:\program files\Windows Mail
2008-10-15 14:25 644,976 ----a-w c:\program files\autoruns.exe
2008-10-15 14:25 538,480 ----a-w c:\program files\autorunsc.exe
2008-10-02 03:49 826,368 ----a-w c:\windows\System32\wininet.dll
2008-10-02 03:49 56,320 ----a-w c:\windows\System32\iesetup.dll
2008-10-02 03:49 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-10-02 03:48 26,624 ----a-w c:\windows\System32\ieUnatt.exe
2008-09-30 21:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-19 21:55 200,704 ----a-w c:\windows\System32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\System32\libdivx.dll
2008-09-18 04:35 3,505,208 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 04:35 3,470,904 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 02:03 2,027,520 ----a-w c:\windows\System32\win32k.sys
2008-09-10 03:25 1,341,440 ----a-w c:\windows\System32\msxml6.dll
2008-09-10 03:21 2,048 ----a-w c:\windows\System32\msxml6r.dll
2008-08-20 19:18 48,986 ----a-w c:\program files\autoruns.chm
2008-07-10 12:27 174 --sha-w c:\program files\desktop.ini
2008-04-24 16:54 0 ----a-w c:\users\All Users\PKP_DLdy.DAT
2008-04-24 16:54 0 ----a-w c:\programdata\PKP_DLdy.DAT
2008-04-24 16:39 0 ----a-w c:\users\All Users\PKP_DLbz.DAT
2008-04-24 16:39 0 ----a-w c:\programdata\PKP_DLbz.DAT
2008-03-07 16:15 4,581,415 ----a-w c:\users\Mike\allok_flvconverter-trial.exe
2006-07-28 13:32 7,005 ------w c:\program files\Eula.txt
2008-04-26 21:20 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-04-26 21:20 32,768 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-04-26 21:20 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\users\All Users\TEMP ----



((((((((((((((((((((((((((((( snapshot@2008-12-09_ 1.54.51.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-09 06:40:15 654,960 ----a-w c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-12-09 18:44:14 654,960 ----a-w c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2008-12-09 06:41:17 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-12-09 18:45:16 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-12-09 06:41:17 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-12-09 18:45:16 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-12-09 06:43:52 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-12-09 18:48:21 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-12-09 06:53:48 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-09 21:33:07 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-09 21:33:07 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-12-09 06:46:47 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2008-12-09 21:26:24 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
- 2008-12-09 06:43:54 11,156 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-713068253-2880954056-535546135-1000_UserData.bin
+ 2008-12-09 18:47:56 11,156 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-713068253-2880954056-535546135-1000_UserData.bin
- 2008-12-09 06:43:54 77,636 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-12-09 18:47:56 77,706 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-12-09 06:43:48 57,152 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-12-09 18:47:46 57,160 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2006-11-10 417792]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 34352]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 413696]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-22 438272]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-12 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-12 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-12 133912]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-11 180224]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"DLBTCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2007-02-22 73728]
"FinePrint Dispatcher v5"="c:\windows\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2007-11-07 507904]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"RtHDVCpl"="RtHDVCpl.exe" [2007-02-15 c:\windows\RtHDVCpl.exe]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2008-02-11 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
--a------ 2007-01-17 15:46 534648 c:\program files\TOSHIBA\FlashCards\TCrdMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2007-07-01 09:10 1006264 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-713068253-2880954056-535546135-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"= c:\program files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D868D79A-2799-420B-881F-7A9D5911A04D}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{ECA6F099-DC1F-4C29-B4D1-7F7031789DDF}c:\\program files\\bitlord2\\bitlord.exe"= UDP:c:\program files\bitlord2\bitlord.exe:
"UDP Query User{AC253127-CE7B-4330-9A60-3C0D9C360CA8}c:\\program files\\bitlord2\\bitlord.exe"= TCP:c:\program files\bitlord2\bitlord.exe:
"{48FE10F8-E3D8-4F23-866E-8A3A590F15A6}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"TCP Query User{A396BE82-56D6-402B-A73D-C29F63B31143}c:\\program files\\macromedia\\dreamweaver mx 2004\\dreamweaver mx 2004\\dreamweaver.exe"= UDP:c:\program files\macromedia\dreamweaver mx 2004\dreamweaver mx 2004\dreamweaver.exe:Dreamweaver MX 2004
"UDP Query User{6CD7DD59-08E6-4B33-86EE-2E5BA4A868FC}c:\\program files\\macromedia\\dreamweaver mx 2004\\dreamweaver mx 2004\\dreamweaver.exe"= TCP:c:\program files\macromedia\dreamweaver mx 2004\dreamweaver mx 2004\dreamweaver.exe:Dreamweaver MX 2004
"TCP Query User{659DEA12-26F1-430C-BBEE-59E6BF59B94E}c:\\program files\\fotoquote\\fotoquote pro\\fotoquote pro.exe"= UDP:c:\program files\fotoquote\fotoquote pro\fotoquote pro.exe:FileMaker Pro Runtime
"UDP Query User{DF98034A-B57B-4179-836D-D59FD11B5772}c:\\program files\\fotoquote\\fotoquote pro\\fotoquote pro.exe"= TCP:c:\program files\fotoquote\fotoquote pro\fotoquote pro.exe:FileMaker Pro Runtime
"{28AF9551-69B6-42B8-9C2C-101D45E9B417}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{9259AC9A-3461-4A47-BF0D-29F3A312E11F}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3D6CA827-F09E-45A8-8676-FBC6229CEA98}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{00558A25-E5CC-4E77-9A78-DE0497A3EE93}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E92A1B70-4F16-4157-8291-E8754577EADB}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{0B37E93C-6A35-4BE2-ADBC-57142A2050C6}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{F81B5148-A4DA-4E15-B8B7-A3EEE1EF2E95}c:\\program files\\bitlord2\\bitlord.exe"= UDP:c:\program files\bitlord2\bitlord.exe:
"UDP Query User{7DE1ACB1-C08C-41C8-9640-711B9CD41219}c:\\program files\\bitlord2\\bitlord.exe"= TCP:c:\program files\bitlord2\bitlord.exe:
"{40577BC0-CE02-4B0D-8BB2-AE471A98C48E}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{2CCF14CD-0DD6-4BB0-AA6F-707EDB3FDA57}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{ABA45C8D-AC39-403B-A24F-B04A1BC5DAB5}"= UDP:c:\windows\System32\dlbtcoms.exe:Photo AIO Printer 922 Server
"{4595E466-06B2-4BC8-BAA2-4A4689E0C8A9}"= TCP:c:\windows\System32\dlbtcoms.exe:Photo AIO Printer 922 Server
"TCP Query User{2DB2DD63-250C-4AA6-A4E4-F40961018C78}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{79C25918-2BBE-4659-BACA-348942E583DE}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{BCEAB332-3A28-4FC0-A993-CDBC89B26910}c:\\program files\\macromedia\\dreamweaver mx 2004\\dreamweaver mx 2004\\dreamweaver.exe"= UDP:c:\program files\macromedia\dreamweaver mx 2004\dreamweaver mx 2004\dreamweaver.exe:Dreamweaver MX 2004
"UDP Query User{82189C37-163D-4208-B987-076490082B2D}c:\\program files\\macromedia\\dreamweaver mx 2004\\dreamweaver mx 2004\\dreamweaver.exe"= TCP:c:\program files\macromedia\dreamweaver mx 2004\dreamweaver mx 2004\dreamweaver.exe:Dreamweaver MX 2004
"TCP Query User{87163A53-F01E-46EE-9B46-3261C502E3A3}c:\\program files\\transcode360\\transcode360tray.exe"= UDP:c:\program files\transcode360\transcode360tray.exe:
"UDP Query User{3F1F06A5-DB49-4E24-A986-99BD3217C656}c:\\program files\\transcode360\\transcode360tray.exe"= TCP:c:\program files\transcode360\transcode360tray.exe:
"TCP Query User{7C404DEC-AB1C-4571-9C4F-3193B22DA2A7}c:\\program files\\nero\\nero 7\\nero home\\nerohome.exe"= UDP:c:\program files\nero\nero 7\nero home\nerohome.exe:Nero Home
"UDP Query User{9BBCE5FF-37BF-45A6-8A8C-C74ADAA38CE5}c:\\program files\\nero\\nero 7\\nero home\\nerohome.exe"= TCP:c:\program files\nero\nero 7\nero home\nerohome.exe:Nero Home
"TCP Query User{2237D760-3F17-4FD4-8963-C97A094B19C0}c:\\program files\\fotoquote\\fotoquote pro\\fotoquote pro.exe"= UDP:c:\program files\fotoquote\fotoquote pro\fotoquote pro.exe:FileMaker Pro Runtime
"UDP Query User{433BFB33-6BAB-43AA-ADE4-3A4EAEAB2623}c:\\program files\\fotoquote\\fotoquote pro\\fotoquote pro.exe"= TCP:c:\program files\fotoquote\fotoquote pro\fotoquote pro.exe:FileMaker Pro Runtime
"TCP Query User{280737EA-3D1D-4220-9A65-D0C5C093FF76}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{60C03FB8-E264-43F9-9423-CD9A933CEC8D}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{88291642-476F-429A-836A-EF87E40DE6C2}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{7653581D-222F-4D0B-849B-87EB18D6106E}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{3E8C9407-4374-4BD6-9BA4-1409D187D36D}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{F83CB695-F924-4B50-B87D-692A9A187F6C}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{3A3CB1A9-BC8A-48DF-88A0-4E2AB01E6B68}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{1DA0F47C-4729-4FBA-A154-6C87DF0C0393}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{4B3F7B4C-3DDD-4B6F-B43B-80E7A2BC22A5}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{4A7E8834-D377-4112-AA51-70A059A5157D}c:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:c:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"{E592D19E-284A-4B2C-986F-86EEC3416D5F}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{867E1F21-AE06-45FF-AE2A-779C00001CC9}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{1BC5F1AA-78E0-40E7-B819-35288AA18753}c:\\program files\\outlook messenger\\outlookmessenger.exe"= UDP:c:\program files\outlook messenger\outlookmessenger.exe:Outlook LAN Messenger
"UDP Query User{950807EF-E9F1-4A74-AA28-F548248FD2A8}c:\\program files\\outlook messenger\\outlookmessenger.exe"= TCP:c:\program files\outlook messenger\outlookmessenger.exe:Outlook LAN Messenger
"TCP Query User{97CAE664-67C3-4FF9-AC65-FB92EADBEE71}c:\\program files\\outlook messenger\\outlookmessenger.exe"= UDP:c:\program files\outlook messenger\outlookmessenger.exe:Outlook LAN Messenger
"UDP Query User{2EEB2B0A-1B74-495B-897B-3C96C2DB3265}c:\\program files\\outlook messenger\\outlookmessenger.exe"= TCP:c:\program files\outlook messenger\outlookmessenger.exe:Outlook LAN Messenger
"TCP Query User{DFCDB5F6-A8C7-4D2B-9905-2EAA97DBF24A}c:\\program files\\mozilla thunderbird\\thunderbird.exe"= UDP:c:\program files\mozilla thunderbird\thunderbird.exe:Mozilla Thunderbird
"UDP Query User{118BB044-5676-45B6-A125-85C13A33683D}c:\\program files\\mozilla thunderbird\\thunderbird.exe"= TCP:c:\program files\mozilla thunderbird\thunderbird.exe:Mozilla Thunderbird
"TCP Query User{47757E8B-FDDB-4581-BABC-8E79B81E5F36}c:\\program files\\mozilla thunderbird\\thunderbird.exe"= UDP:c:\program files\mozilla thunderbird\thunderbird.exe:Mozilla Thunderbird
"UDP Query User{6C4B0862-E8B3-4D12-A695-A5B2DEAA8DC3}c:\\program files\\mozilla thunderbird\\thunderbird.exe"= TCP:c:\program files\mozilla thunderbird\thunderbird.exe:Mozilla Thunderbird
"{29B187EB-119A-4AFA-9E31-3C355E7F336B}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{7481372D-CF0B-4BE6-B6BF-610780767722}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{8E0DAC45-703E-434A-94F7-226AB15467C5}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C563FB10-D72F-4257-BBD9-C6C638298842}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{CA9ED64C-6ECD-4055-9196-32757CE3ED06}c:\\users\\mike\\desktop\\charon\\charon.exe"= UDP:c:\users\mike\desktop\charon\charon.exe:charon.exe
"UDP Query User{2CF9F9EA-52AC-4081-B1CD-7788219CB14C}c:\\users\\mike\\desktop\\charon\\charon.exe"= TCP:c:\users\mike\desktop\charon\charon.exe:charon.exe
"TCP Query User{2B12A064-BCCC-4EFF-BF11-31786BF1D656}c:\\program files\\java\\jre6\\bin\\java.exe"= UDP:c:\program files\java\jre6\bin\java.exe:Java(TM) Platform SE binary
"UDP Query User{42DE9974-2D4C-4533-9447-50ED6164550E}c:\\program files\\java\\jre6\\bin\\java.exe"= TCP:c:\program files\java\jre6\bin\java.exe:Java(TM) Platform SE binary
"{7441EC15-29D3-4807-8EC9-A412EAA8BE0A}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{40D2CA80-AE70-44CE-B8CE-484189747EB6}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"= c:\program files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53192392-51c0-11dd-bfed-001b380fce33}]
\shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97220d00-a588-11dd-9f13-001b380fce33}]
\shell\Auto\command - G:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3377eca-956f-11dd-aa60-001b380fce33}]
\shell\Auto\command - G:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d2de67ff-ceec-11dc-a4d7-001b380fce33}]
\shell\Auto\command - F:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\Start.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-09 c:\windows\Tasks\User_Feed_Synchronization-{BD5D702C-63D3-4FB3-BDBC-448A5B11037E}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 04:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.shoptoshiba.ca/welcome
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Locate Spot on Map by GPS - c:\program files\Opanda\IExif 2.3\IExifMap.htm
IE: View Exif/GPS/IPTC with IExif - c:\program files\Opanda\IExif 2.3\IExifCom.htm
FireFox -: Profile - c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\v8c74e89.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.ca/
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\users\Mike\AppData\Roaming\Mozilla\plugins\npPxPlay.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 16:33:23
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-09 16:36:26
ComboFix-quarantined-files.txt 2008-12-09 21:35:52
ComboFix2.txt 2008-12-09 06:58:00
ComboFix3.txt 2008-12-07 05:09:24

Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 42,250,928,128 bytes free

296 --- E O F --- 2008-12-08 16:53:14
Old 12-09-2008, 02:50 PM   #16 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,485
OS: N/A


Re: This Virtumonde just won't die!!

Quote:
"The system can't find message text for message number 0x8 in message file for system"
No problem. It's one of the quirks from having to run in an OS as restrictive as Vista. Apart from some ugly error messages, they do not affect ComboFix's run.

How's the machine now? I'm in two minds as to whether to ask for an online scan. These scans do take a long time. Are you keen on one? If so, then do this ...


ESET Online Scanner
  • Please go to the following link ESET Online Scanner Link
  • Tick the box YES, I accept the Terms Of Use
  • Click the Start button
  • Now click the Install button
  • Click Start

    The scanner engine will initialise and update
  • Do Not tick the box Remove found threats
  • Click the Scan button

    The scan will now run, please be patient
  • When the scan finishes click the Details tab
  • Copy and paste the contents of the C:\Program Files\EsetOnlineScanner\log.txt back here.
__________________

Question - what have you done for the community today?
Old 12-10-2008, 03:26 PM   #17 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 15
OS: Vista


Re: This Virtumonde just won't die!!

Machine is running much better so far... no popups thus far. I decided the scan was worthwhile... and it took less time than Kaspersky's... only 4 hours or so. I think Adobe Lightroom is the culprit for that.. it creates all sorts of Subfolders and image preview files...

Here is the report from the ESET Scan. I've taken care of the infected MP3 file on the F drive myself. I'm slightly confused about the D and F drive ctfmon viruses... as there is no "Recycled" folder on those drives... also, F:\Start.exe doesn't appear in the Windows Explorer either... with "Show Hidden Files and Folders" turned on.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3682 (20081210)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=5b6700a5e46109489325902cf795aabd
# end=finished
# remove_checked=false
# unwanted_checked=false
# utc_time=2008-12-10 09:36:44
# local_time=2008-12-10 04:36:44 (-0500, Eastern Standard Time)
# country="Canada"
# osver=6.0.6000 NT
# scanned=903387
# found=14
# scan_time=13698
C:\ProgramData\Spybot - Search & Destroy\Recovery\WinAgentamwr1.zip Win32/Bagle.gen.zip worm A1C33C1012F4B848ABDBD2BCE195CE1D
C:\Qoobox\Quarantine\C\Windows\System32\uXPi02\uXPi022328.exe.vir Win32/TrojanDownloader.VB.AWJ trojan 7BA1632DD1BACE4444C32BBBADD3A9FB
C:\Qoobox\Quarantine\C\Windows\System32\vos\MTK63G.exe.vir Win32/TrojanDownloader.Small.BUY trojan E391EC0DFDD558A2E85F7141B41E5176
C:\Qoobox\Quarantine\C\Windows\TWlrZQ\nq5Otk.vbs.vir Win32/Adware.ISearch application 387EDBB90A5275D1B464EB31F3162C40
C:\Users\All Users\Spybot - Search & Destroy\Recovery\WinAgentamwr1.zip Win32/Bagle.gen.zip worm A1C33C1012F4B848ABDBD2BCE195CE1D
C:\Users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\92D50L4U\_freescan[1].htm JS/TrojanDownloader.Agent.NIN trojan 624D426C867C40C344BE5EBA228FDFFB
C:\Users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AP3FXTH2\_freescan[1].htm JS/TrojanDownloader.Agent.NIN trojan 4696C3D9773D76DFDA2DF4C01B14EE6E
C:\Users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FB00PT65\_freescan[1].htm JS/TrojanDownloader.Agent.NIN trojan 9012BF36A4054CF9287EA941DEEA99AD
C:\Users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FB00PT65\_freescan[2].htm JS/TrojanDownloader.Agent.NIN trojan 7C8EB104367DAFCBA12E0EBBEB4E3DB4
C:\Windows\System32\QI02\QI022328.exe a variant of Win32/TrojanDownloader.VB.AWJ trojan BA98FAD9EE18598F684BDC24320BCCA5
D:\Recycled\ctfmon.exe Win32/VB.AQT trojan 74DBD545CF6DC5D006325CC3E4658A12
F:\Start.exe a variant of Win32/IRCBot.AFP trojan 4AAF6DA3DE88C1CFC3709AE368859DCA
F:\MP3s\N.E.R.D - Seeing Sounds\N.E.R.D. - Lazer Gun.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 927CB091EA2B713B5F289A413370CB63
F:\Recycled\ctfmon.exe Win32/VB.AQT trojan 74DBD545CF6DC5D006325CC3E4658A12
Old 12-10-2008, 03:44 PM   #18 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,485
OS: N/A


Re: This Virtumonde just won't die!!

Quote:
I'm slightly confused about the D and F drive ctfmon viruses... as there is no "Recycled" folder on those drives... also, F:\Start.exe doesn't appear in the Windows Explorer either... with "Show Hidden Files and Folders" turned on.
Those are super hidden files. You need to enable the viewing of system files. That explains how you got reinfected.


Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:
@echo off
rem Start with a fresh log of anything that could not be removed
if exist "%temp%\log.txt" del "%temp%\log.txt"
rem Drop the per-volume AutoRun entries (swreg is a helper tool ComboFix leaves on the system)
Swreg delete "HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2"
rem Delete the files ESET flagged; /a matches files regardless of hidden/system attributes
for %%g in (
"C:\ProgramData\Spybot - Search & Destroy\Recovery\WinAgentamwr1.zip"
"C:\Users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\92D50L4U\_freescan[1].htm"
"C:\Users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AP3FXTH2\_freescan[1].htm"
"C:\Users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FB00PT65\_freescan[1].htm"
"C:\Users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FB00PT65\_freescan[2].htm"
"C:\Windows\System32\QI02\QI022328.exe"
"D:\Recycled\ctfmon.exe"
"F:\Recycled\ctfmon.exe"
"F:\Start.exe"
"C:\Start.exe"
"D:\Start.exe"
"F:\MP3s\N.E.R.D - Seeing Sounds\N.E.R.D. - Lazer Gun.mp3"
) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
rem Remove the fake Recycled folders and the quarantine directories left by the removal tools
for %%g in (
"C:\Recycled"
"D:\Recycled"
"F:\Recycled"
C:\Windows\System32\QI02
"%systemdrive%\VundoFix Backups"
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
rem Show the log of leftovers, or confirm success; then wait 7 s and self-delete
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
nircmd wait 7000
del %0
Save this as fix.bat. Choose to "Save type as - All Files".
It should look like this:
Right click on fix.bat & select "Run as Administrator"

Post back to tell me what it says
__________________

Question - what have you done for the community today?

Last edited by sUBs; 12-10-2008 at 03:45 PM.
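The MountPoints2 blocks in the ComboFix log above are the persistence that re-launches Start.exe from the D/F/G sticks on insert, which is the reinfection path sUBs points to. As an added example, not part of the thread or of the fix above, this Python script parses that section of a ComboFix report, unwraps the Vista ShellExec_RunDLL wrapper and lists the per-volume Auto/AutoRun targets; the sample text is copied from the report above, while the parser, the KNOWN_GOOD allow-list and the function names are assumptions made for this example.

```python
"""Pull the per-volume AutoRun commands out of a ComboFix 'Reg Loading Points' dump.

The sample log text below is copied from the thread's ComboFix report; the parser,
the allow-list and all function names are assumptions made for this example.
"""
import re

SECTION_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.IGNORECASE)
COMMAND_RE = re.compile(r"^\\shell\\(?P<verb>\w+)\\command - (?P<cmd>.+)$", re.IGNORECASE)
# Vista wraps the autorun.inf target as: RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL <target>
SHELLEXEC_RE = re.compile(
    r"rundll32(?:\.exe)?\s+shell32\.dll,ShellExec_RunDLL\s+(?P<target>.+)$", re.IGNORECASE)
ROOT_EXE_RE = re.compile(r"^(?P<drive>[a-z]):\\(?P<exe>[^\\]+\.exe)$", re.IGNORECASE)

# Launchers that legitimately sit in a drive root (SanDisk U3 sticks); assumed allow-list.
KNOWN_GOOD = {"launchu3.exe"}


def unwrap(cmd: str) -> str:
    """Strip the ShellExec_RunDLL wrapper so both verbs show the real target."""
    m = SHELLEXEC_RE.search(cmd)
    return (m.group("target") if m else cmd).strip()


def parse_mountpoints(log_text: str) -> dict:
    """Return {volume_guid: {verb: target}} for every MountPoints2 block in the dump."""
    result, current = {}, None
    for line in log_text.splitlines():
        line = line.rstrip()
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1).lower()
            result.setdefault(current, {})
            continue
        if line.startswith("["):        # some other registry key: stop attributing lines
            current = None
            continue
        m = COMMAND_RE.match(line) if current else None
        if m:
            result[current][m.group("verb").lower()] = unwrap(m.group("cmd"))
    return result


def suspicious_autoruns(mounts: dict) -> list:
    """(guid, verb, target) for Auto/AutoRun verbs that launch an unknown exe from a drive root."""
    found = []
    for guid, verbs in mounts.items():
        for verb, target in verbs.items():
            if verb not in ("auto", "autorun"):
                continue
            m = ROOT_EXE_RE.match(target)
            if m and m.group("exe").lower() not in KNOWN_GOOD:
                found.append((guid, verb, target))
    return found


def affected_drives(found: list) -> set:
    """Drive letters whose root executable is worth checking with attrib (super hidden files
    do not show in Explorer even with hidden files enabled)."""
    return {target[0].upper() for _, _, target in found}


# Constructed sample: the MountPoints2 section copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53192392-51c0-11dd-bfed-001b380fce33}]
\shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97220d00-a588-11dd-9f13-001b380fce33}]
\shell\Auto\command - G:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3377eca-956f-11dd-aa60-001b380fce33}]
\shell\Auto\command - G:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d2de67ff-ceec-11dc-a4d7-001b380fce33}]
\shell\Auto\command - F:\Start.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\Start.exe
.
Contents of the 'Scheduled Tasks' folder
"""

if __name__ == "__main__":
    hits = suspicious_autoruns(parse_mountpoints(SAMPLE_LOG))
    for guid, verb, target in hits:
        print(f"{guid} {verb:8} -> {target}")
    print("check with attrib on drives:", sorted(affected_drives(hits)))
```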
Old 12-10-2008, 03:55 PM   #19 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 15
OS: Vista


Re: This Virtumonde just won't die!!

Popups have just returned..... unbelievable...

"Deleted Successfully!"

I just checked MSConfig and I'm seeing two items that definitely shouldn't be there.

Startup Item: Microsoft Windows Operating System
Manufacturer: Microsoft Corporation
Command: rundll32.exe C:\Windows\system32\rqBKBTJC.dll,#1
Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Startup Item: b41fbf8e
Manufacturer: Unknown
Command: rundll32.exe "C:\Windows\system32\wlwnqmky.dll",b
Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Another run of ComboFix?
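The two MSConfig items above, a DLL dropped straight into system32 and called by rundll32 with an ordinal (,#1) or a one-letter export (,b), are the classic Vundo loader shape. As an added example, not code from the thread, this Python triage takes start-up entries as a {label: command} mapping and flags that shape; the sample entries are copied from this post and from the catchme section of the ComboFix log, while the heuristics and function names are assumptions made for this example.

```python
"""Triage rundll32 start-up entries for the Vundo/Virtumonde loader pattern.

The sample entries below are copied from what the poster saw in MSConfig and from
the catchme section of the ComboFix log; the heuristics and names are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass, field

# rundll32[.exe] ["]<path>.dll["],<export>   (quotes optional, case-insensitive)
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)


@dataclass
class Finding:
    label: str          # MSConfig "Startup Item" text or the Run-key value name
    dll: str
    export: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_rundll32(command: str):
    """Return (dll_path, export) for a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.search(command)
    return (m.group("dll"), m.group("export")) if m else None


def looks_random(stem: str) -> bool:
    """A DLL stem with almost no vowels ('rqBKBTJC', 'wlwnqmky') is machine-generated.
    Later Vundo builds used pronounceable names (the thread's yejubano.dll), so a
    miss here is not a clean bill; it only adds weight."""
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c in "aeiouAEIOU" for c in letters)
    return vowels / len(letters) < 0.2


def triage_entry(label: str, command: str):
    """Return a Finding for a rundll32 entry (None for anything else)."""
    parsed = parse_rundll32(command)
    if parsed is None:
        return None
    dll, export = parsed
    finding = Finding(label=label, dll=dll, export=export)
    # Vundo loaders are called by ordinal (,#1) or a one-letter export (,b);
    # legitimate Run entries name a real export such as _RunDLLEntry@16.
    if re.fullmatch(r"#\d+", export) or len(export) == 1:
        finding.reasons.append(f"entry point by ordinal or single letter: {export}")
    # Vundo drops its DLL straight into system32, not into a vendor sub-directory.
    directory = ntpath.dirname(dll).lower()
    stem = ntpath.splitext(ntpath.basename(dll))[0]
    if directory.endswith("\\system32") and looks_random(stem):
        finding.reasons.append(f"random-looking DLL name directly in system32: {stem}")
    return finding


def triage(entries: dict) -> list:
    """Triage every rundll32 entry in a {label: command} mapping; other entries are skipped."""
    return [f for f in (triage_entry(lab, cmd) for lab, cmd in entries.items()) if f]


# Constructed sample: the two MSConfig items from this post, the legitimate Dell printer
# entry catchme listed, and an ordinary non-rundll32 Run entry from the log.
SAMPLE_ENTRIES = {
    "Microsoft Windows Operating System": r"rundll32.exe C:\Windows\system32\rqBKBTJC.dll,#1",
    "b41fbf8e": r'rundll32.exe "C:\Windows\system32\wlwnqmky.dll",b',
    "DLBTCATS": r"rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16",
    "IgfxTray": r"c:\windows\system32\igfxtray.exe",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES):
        verdict = "SUSPECT" if f.suspicious else "ok"
        print(f"{verdict:7} {f.label!r}: {f.dll} -> {f.export}")
        for reason in f.reasons:
            print(f"          - {reason}")
```

The triage is a ranking aid for the next ComboFix run, not a verdict: a named export in a vendor directory scores zero, while either Vundo trait alone is enough to look at the file.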
Old 12-10-2008, 03:59 PM   #20 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,485
OS: N/A


Re: This Virtumonde just won't die!!

Yes, please
__________________

Question - what have you done for the community today?
 


Copyright 2001 - 2009, Tech Support Forum