Virtumonde Trojan

Hi, and thank you for any and all help you can give. I'm a bit new to fixing these errors so I didn't want to do much without asking for some expert advice.

A few days ago I managed to get the Virtumonde demon on my laptop. I have scanned with Spybot, my McAfee Stinger, McAfee VirusScan, Ad-Aware, and VundoFix and it still seems to linger.

I did the Spybot scan in Safe Mode with the internet off and I have my restore turned off.

If anyone can help me to get this fixed I will be in your debt.

Here is my latest hijackthis log.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:24:05 PM, on 3/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Lesley\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {6f15ff54-0000-af0a-5324-de597bc19ae2} - {2ea91cb7-95ed-4235-a0fa-000045ff51f6} - C:\WINDOWS\system32\kidrhgcy.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {75A469FF-0681-4EC3-8CEC-95DB40C9A285} - C:\WINDOWS\system32\opnlllm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {ABAC034B-52A7-4578-8BD0-A09320BE031E} - C:\WINDOWS\system32\jkhff.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {D44E2AF5-8DF3-4592-B6D8-B628282481B0} - C:\WINDOWS\system32\gebyy.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [689b13c8] rundll32.exe "C:\WINDOWS\system32\dmmaetoa.dll",b
O4 - HKLM\..\Run: [BM6ba82054] Rundll32.exe "C:\WINDOWS\system32\wppouiad.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcStd7_0_8 -reboot 1
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203897433593
O20 - Winlogon Notify: opnlllm - C:\WINDOWS\SYSTEM32\opnlllm.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14023 bytes

Comments

  • VekaVeka Finland
    edited March 2008
    Hello autitania,

    Yeah, that looks like the Virtumonde infection. A sort of epidemic, I think, because many are complaining of the same. I just don't have any idea how people get infected. My wild guess is that it has something to do with P2P software, cracks, torrents etc.

    Please do the following...

    Step 1:

    Please download Malwarebytes' Anti-Malware from here or here

    • Double-click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the entire report in your next reply.
    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

    Step 2:
    • Close ALL open programs/windows.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    Step 3:

    In your next reply, please include the contents of the MBAM log, the ComboFix log and a fresh HijackThis log.
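As an added triage example (my own code, not part of this thread and not from HijackThis, Malwarebytes or ComboFix): a Python script that reads lines in the HijackThis format posted above and flags the patterns both logs show, namely unnamed or CLSID-named BHOs in system32, hex-named Run values that load a DLL through rundll32, an svchost.exe started from outside system32, and Winlogon Notify handlers, then cross-references any DLL hooked in more than one place. The sample lines are copied from the first log in this thread; the heuristics are mine and are meant as a first pass for a reviewer, not a verdict.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in HijackThis v2 log format: lines copied from the first log
# posted in this thread, trimmed to the entries that matter for triage.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {6f15ff54-0000-af0a-5324-de597bc19ae2} - {2ea91cb7-95ed-4235-a0fa-000045ff51f6} - C:\WINDOWS\system32\kidrhgcy.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {75A469FF-0681-4EC3-8CEC-95DB40C9A285} - C:\WINDOWS\system32\opnlllm.dll
O2 - BHO: (no name) - {ABAC034B-52A7-4578-8BD0-A09320BE031E} - C:\WINDOWS\system32\jkhff.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [689b13c8] rundll32.exe "C:\WINDOWS\system32\dmmaetoa.dll",b
O4 - HKLM\..\Run: [BM6ba82054] Rundll32.exe "C:\WINDOWS\system32\wppouiad.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: opnlllm - C:\WINDOWS\SYSTEM32\opnlllm.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

CLSID = r"\{[0-9a-fA-F-]{36}\}"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - " + CLSID + r" - (?P<path>.+?)(?: \(file missing\))?$")
RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: \S+ - (?P<path>.+)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S+)', re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\system32\\", re.IGNORECASE)
HEX_KEY_RE = re.compile(r"(?:BM)?[0-9a-f]{8,}")   # Run value names like 689b13c8 / BM6ba82054


@dataclass
class Finding:
    section: str        # HijackThis section code, e.g. "O2"
    line: str           # the log line as written
    dll: Optional[str]  # lowercase basename of the DLL the entry loads, if any
    reason: str


def basename(path: str) -> str:
    return path.replace('"', "").rstrip().rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            name, path = m.group("name"), m.group("path")
            # Every Virtumonde BHO in the thread's logs was "(no name)" or named with a bare
            # CLSID and lived in system32; vendor-named BHOs and Spybot's SDHelper are skipped.
            if (name == "(no name)" or re.fullmatch(CLSID, name)) and SYSTEM32_RE.search(path):
                findings.append(Finding("O2", line, basename(path), "unnamed BHO loading a system32 DLL"))
        elif m := RUN_RE.match(line):
            key, cmd = m.group("key"), m.group("cmd")
            r = RUNDLL_RE.match(cmd)
            if r and HEX_KEY_RE.fullmatch(key):
                # Hex-named Run value that loads a DLL via rundll32 by a one-letter export
                # (",b" / ",s"): the two O4 entries whose DLLs ComboFix later deleted.
                findings.append(Finding("O4", line, basename(r.group("dll")),
                                        f"hex-named Run key loads DLL via rundll32 export '{r.group('export')}'"))
            exe = re.search(r'([^\\\s"]+\.exe)', cmd, re.IGNORECASE)
            if exe and exe.group(1).lower() == "svchost.exe" and not SYSTEM32_RE.search(cmd):
                # The genuine svchost.exe lives in system32; a copy under Fonts borrows its name.
                findings.append(Finding("O4", line, None, "svchost.exe started from outside system32"))
        elif m := NOTIFY_RE.match(line):
            # A Winlogon Notify DLL is loaded into winlogon.exe at every logon, so any entry
            # HijackThis shows here gets reviewed (opnlllm.dll in this thread).
            findings.append(Finding("O20", line, basename(m.group("path")), "Winlogon Notify handler DLL"))
    return findings


def correlate(findings: List[Finding]) -> Dict[str, List[str]]:
    """Map each flagged DLL to the sections referencing it. A DLL hooked in more than one
    place (opnlllm.dll as both BHO and Winlogon Notify above) is the strongest signal."""
    seen: Dict[str, set] = defaultdict(set)
    for f in findings:
        if f.dll:
            seen[f.dll].add(f.section)
    return {dll: sorted(secs) for dll, secs in seen.items()}


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.section}] {f.reason}: {f.line}")
    for dll, secs in correlate(hits).items():
        if len(secs) > 1:
            print(f"{dll} is hooked in {', '.join(secs)}")
```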
  • edited March 2008
    Thanks again for all of the help.

    One thing: this did not happen when I rebooted after my final ComboFix run, but it happened at the restart prior (after I did the Malwarebytes reboot).

    At restart an error box popped up with a "DLL c:\windows\system32\dfugbptl.dll" error; it said "%1 is not a valid Win32 app."

    Here are my logs:

    HijackThis:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:47:54 PM, on 3/17/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\WINDOWS\system32\wuauclt.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Lesley\Desktop\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
    O2 - BHO: (no name) - {D44E2AF5-8DF3-4592-B6D8-B628282481B0} - C:\WINDOWS\system32\gebyy.dll (file missing)
    O2 - BHO: {59809ff8-3ad0-3c28-6384-96db48ff3a4f} - {f4a3ff84-bd69-4836-82c3-0da38ff90895} - C:\WINDOWS\system32\yxfjskue.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [689b13c8] rundll32.exe "C:\WINDOWS\system32\dfugbptl.dll",b
    O4 - HKLM\..\Run: [BM6ba82054] Rundll32.exe "C:\WINDOWS\system32\klfuohrx.dll",s
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcStd7_0_8 -reboot 1
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203897433593
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 13430 bytes


    ComboFix

    ComboFix 08-03-14.4 - Lesley 2008-03-17 12:57:19.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.529 [GMT -4:00]
    Running from: C:\Documents and Settings\Lesley\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\BM6ba82054.xml
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\ckypfpgg.dll
    C:\WINDOWS\system32\dfugbptl.dll
    C:\WINDOWS\system32\ffhkj.ini
    C:\WINDOWS\system32\ffhkj.ini2
    C:\WINDOWS\system32\jkhff.dll
    C:\WINDOWS\system32\kidrhgcy.dll
    C:\WINDOWS\system32\klfuohrx.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\nbgqhwnr.dll
    C:\WINDOWS\system32\opnlllm.dll
    C:\WINDOWS\system32\qccvaoxh.dll
    C:\WINDOWS\system32\twqkixsr.dll
    C:\WINDOWS\system32\uwagqdef.dll
    C:\WINDOWS\system32\wppouiad.dll
    C:\WINDOWS\system32\yxfjskue.dll
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2008-02-17 to 2008-03-17 )))))))))))))))))))))))))))))))
    .

    2008-03-17 09:54 . 2008-03-17 09:54 <DIR> d C:\Program Files\Malwarebytes' Anti-Malware
    2008-03-17 09:54 . 2008-03-17 09:54 <DIR> d C:\Documents and Settings\Lesley\Application Data\Malwarebytes
    2008-03-17 09:54 . 2008-03-17 09:54 <DIR> d C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-03-16 19:32 . 2008-03-16 19:32 <DIR> d C:\Program Files\Lavasoft
    2008-03-16 19:30 . 2008-03-16 19:30 <DIR> d C:\Program Files\Common Files\Wise Installation Wizard
    2008-03-15 22:33 . 2008-03-16 19:53 1,367,403 ---hs---- C:\WINDOWS\system32\aoteammd.ini
    2008-03-15 13:10 . 2008-03-15 21:46 <DIR> d C:\Program Files\Enigma Software Group
    2008-03-15 10:32 . 2008-03-15 10:31 102,664 --a C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-03-15 10:30 . 2008-03-15 10:34 <DIR> d C:\Documents and Settings\Lesley\.housecall6.6
    2008-03-15 00:49 . 2008-03-15 00:55 4,672 --a C:\WINDOWS\system32\tmp.reg
    2008-03-15 00:48 . 2007-09-05 23:22 289,144 --a C:\WINDOWS\system32\VCCLSID.exe
    2008-03-15 00:48 . 2006-04-27 16:49 288,417 --a C:\WINDOWS\system32\SrchSTS.exe
    2008-03-15 00:48 . 2008-03-14 09:09 86,528 --a C:\WINDOWS\system32\VACFix.exe
    2008-03-15 00:48 . 2008-03-05 22:29 82,432 --a C:\WINDOWS\system32\IEDFix.exe
    2008-03-15 00:48 . 2004-07-31 17:50 51,200 --a C:\WINDOWS\system32\dumphive.exe
    2008-03-15 00:48 . 2007-10-03 23:36 25,600 --a C:\WINDOWS\system32\WS2Fix.exe
    2008-03-14 23:37 . 2008-03-17 13:03 39 --a C:\XP_TV.ini
    2008-03-14 20:43 . 2008-03-15 17:03 <DIR> d C:\WINDOWS\BDOSCAN8
    2008-03-14 18:41 . 2008-03-14 18:41 63 --a C:\WINDOWS\system32\689b0146
    2008-03-14 18:39 . 2008-03-14 18:39 147,456 --a C:\WINDOWS\system32\vbzip10.dll
    2008-03-14 18:09 . 2008-03-14 18:09 <DIR> d C:\Program Files\DVDFab Platinum 4
    2008-03-10 04:04 . 2008-03-11 13:33 870,128 --a C:\WINDOWS\system32\mcs.rma
    2008-03-10 04:04 . 2008-03-11 13:33 4 --a C:\WINDOWS\system32\61F982
    2008-03-10 04:02 . 2008-03-10 04:02 8,413 --a C:\WINDOWS\system32\drivers\mcstrm.sys
    2008-03-10 03:59 . 2008-03-10 04:02 <DIR> d C:\Program Files\Rhapsody
    2008-03-09 23:33 . 2008-03-09 23:33 <DIR> d C:\Program Files\JimbobSoft
    2008-03-09 23:33 . 2008-03-09 23:42 <DIR> d C:\Documents and Settings\Lesley\Application Data\JimbobSoft
    2008-03-09 22:56 . 2008-03-09 22:56 <DIR> d C:\Program Files\piPOol
    2008-03-09 22:55 . 2008-03-09 22:55 <DIR> d C:\Program Files\iTunes
    2008-03-09 22:55 . 2008-03-09 22:55 <DIR> d C:\Program Files\iPod
    2008-03-09 22:10 . 2008-03-09 22:19 23,392 --a C:\WINDOWS\system32\nscompat.tlb
    2008-03-09 22:10 . 2008-03-09 22:19 16,832 --a C:\WINDOWS\system32\amcompat.tlb
    2008-03-09 16:32 . 2008-03-17 13:04 54,156 --ah C:\WINDOWS\QTFont.qfn
    2008-03-09 16:32 . 2008-03-09 22:56 1,409 --a C:\WINDOWS\QTFont.for
    2008-03-09 14:28 . 2008-03-09 14:28 0 --a C:\WINDOWS\Infob.dat
    2008-03-09 14:28 . 2008-03-09 14:28 0 --a C:\WINDOWS\Infoa.dat
    2008-03-07 17:13 . 2008-03-07 17:13 <DIR> d C:\Documents and Settings\LocalService\Application Data\McAfee
    2008-03-07 16:12 . 2008-03-07 16:12 <DIR> d C:\Program Files\ETS
    2008-03-07 16:11 . 2008-03-07 16:11 <DIR> d C:\Documents and Settings\Lesley\WINDOWS
    2008-03-07 09:24 . 2008-03-07 09:24 97,216 --a C:\WINDOWS\system32\drivers\AnyDVD.sys
    2008-03-06 15:10 . 2004-08-10 03:00 811,064 --a C:\WINDOWS\system32\imjp81k.dll
    2008-03-06 14:58 . 2008-03-06 14:58 <DIR> d C:\Documents and Settings\Lesley\dwhelper
    2008-03-06 13:59 . 2008-03-06 13:59 <DIR> d C:\Documents and Settings\Lesley\Application Data\Viewpoint
    2008-03-05 02:05 . 2008-03-05 02:03 691,545 --a C:\WINDOWS\unins000.exe
    2008-03-05 02:05 . 2008-03-05 02:05 2,550 --a C:\WINDOWS\unins000.dat
    2008-03-05 01:56 . 2008-03-05 02:03 <DIR> d C:\Program Files\Spybot - Search & Destroy
    2008-03-05 01:56 . 2008-03-05 02:10 <DIR> d C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-03-04 12:41 . 2008-03-15 12:46 <DIR> d C:\Quarantine
    2008-03-03 14:58 . 2008-03-11 13:34 1,700 --a C:\WINDOWS\cdplayer.ini
    2008-03-03 14:52 . 2008-03-03 14:52 <DIR> d C:\Program Files\Common Files\xing shared
    2008-03-03 14:34 . 2008-03-03 14:52 <DIR> d C:\Program Files\Real
    2008-03-03 14:34 . 2008-03-03 14:51 <DIR> d C:\Program Files\Common Files\Real
    2008-03-01 01:53 . 2008-03-01 01:53 <DIR> d C:\Documents and Settings\Lesley\Application Data\Otto
    2008-03-01 01:53 . 2008-03-01 01:53 <DIR> d C:\Documents and Settings\All Users\Application Data\Otto
    2008-03-01 01:32 . 2008-03-01 01:32 <DIR> d C:\Documents and Settings\Lesley\Application Data\CyberLink
    2008-02-29 20:44 . 2008-02-29 20:44 <DIR> d C:\Documents and Settings\All Users\Application Data\SlySoft
    2008-02-29 20:40 . 2008-02-29 20:44 24 ---hs---- C:\WINDOWS\SE26A48A1.tmp
    2008-02-29 20:39 . 2008-03-14 17:26 <DIR> d C:\Program Files\SlySoft
    2008-02-29 19:27 . 2004-08-04 00:01 25,856 --a C:\WINDOWS\system32\drivers\usbprint.sys
    2008-02-29 19:27 . 2004-08-04 00:01 25,856 --a C:\WINDOWS\system32\dllcache\usbprint.sys
    2008-02-29 19:26 . 2004-06-10 15:00 105,984 --a C:\WINDOWS\system32\CNMLM5c.DLL
    2008-02-29 19:26 . 2004-06-09 20:33 86,016 --a C:\WINDOWS\system32\CNMCP5c.exe
    2008-02-29 19:26 . 2004-06-10 15:00 6,656 --a C:\WINDOWS\system32\CNMVS5c.DLL
    2008-02-29 14:34 . 2008-03-03 14:37 1,328 --a C:\WINDOWS\mozver.dat
    2008-02-28 01:30 . 2008-02-28 01:30 <DIR> d C:\Program Files\Windows Installer Clean Up
    2008-02-28 01:29 . 2008-02-28 01:29 <DIR> d C:\Program Files\MSECACHE
    2008-02-27 23:22 . 2008-03-16 19:47 <DIR> d C:\Documents and Settings\Lesley\Application Data\McAfee
    2008-02-27 23:20 . 2008-03-17 13:01 11,680 --a C:\WINDOWS\system32\Config.MPF
    2008-02-27 23:18 . 2007-03-02 15:16 109,608 --a C:\WINDOWS\system32\drivers\Mpfp.sys
    2008-02-27 23:17 . 2008-02-27 23:18 <DIR> d C:\Program Files\McAfee.com
    2008-02-27 22:23 . 2008-02-27 22:23 0 --a C:\WINDOWS\nsreg.dat
    2008-02-27 21:35 . 2008-02-27 23:18 <DIR> d C:\Program Files\Common Files\McAfee
    2008-02-27 21:35 . 2007-10-16 21:50 171,272 --a C:\WINDOWS\system32\drivers\mfehidk.sys
    2008-02-27 21:35 . 2007-10-16 21:50 72,680 --a C:\WINDOWS\system32\drivers\mfeavfk.sys
    2008-02-27 21:35 . 2007-10-16 21:50 64,168 --a C:\WINDOWS\system32\drivers\mfeapfk.sys
    2008-02-27 21:35 . 2007-10-16 21:50 51,944 --a C:\WINDOWS\system32\drivers\mfetdik.sys
    2008-02-27 21:35 . 2007-10-16 21:50 33,960 --a C:\WINDOWS\system32\drivers\mfebopk.sys
    2008-02-27 21:33 . 2008-03-16 19:50 <DIR> d C:\Program Files\McAfee
    2008-02-27 21:33 . 2008-02-27 21:33 <DIR> d C:\Program Files\Common Files\Cisco Systems
    2008-02-27 21:33 . 2008-02-27 21:33 <DIR> d C:\Program Files\AVDistribution
    2008-02-27 21:33 . 2008-02-27 21:35 <DIR> d C:\Documents and Settings\All Users\Application Data\McAfee
    2008-02-27 21:33 . 2006-11-17 04:06 1,495,552 --a C:\WINDOWS\system32\epoPGPsdk.dll
    2008-02-27 21:33 . 2006-11-17 04:06 280 --a C:\WINDOWS\system32\epoPGPsdk.dll.sig
    2008-02-27 02:43 . 2008-02-27 02:43 <DIR> d C:\Documents and Settings\Lesley\Application Data\Uniblue
    2008-02-27 02:36 . 2008-03-16 19:32 <DIR> d C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-02-26 06:41 . 2008-02-26 06:41 <DIR> d--h C:\WINDOWS\PIF
    2008-02-25 18:15 . 2008-02-25 18:15 <DIR> d C:\Documents and Settings\Lesley\Application Data\HP
    2008-02-25 17:38 . 2004-02-22 11:11 719,872 --a C:\WINDOWS\system32\devil.dll
    2008-02-25 17:38 . 2007-11-13 10:31 399,360 --a C:\WINDOWS\system32\Smab.dll
    2008-02-25 17:37 . 2008-02-25 17:37 <DIR> d C:\Program Files\AviSynth 2.5
    2008-02-25 15:43 . 2008-03-14 18:23 <DIR> d C:\Documents and Settings\Lesley\Application Data\Vso
    2008-02-25 15:43 . 2008-03-14 18:09 87,608 --a C:\Documents and Settings\Lesley\Application Data\inst.exe
    2008-02-25 15:43 . 2008-03-14 18:09 47,360 --a C:\WINDOWS\system32\drivers\pcouffin.sys
    2008-02-25 15:43 . 2008-03-14 18:09 47,360 --a C:\Documents and Settings\Lesley\Application Data\pcouffin.sys
    2008-02-25 15:32 . 2008-02-25 15:32 <DIR> d C:\Documents and Settings\Lesley\Application Data\Ahead
    2008-02-25 14:41 . 2008-03-09 14:35 <DIR> d C:\Program Files\Total Video Converter
    2008-02-25 14:23 . 2008-02-25 14:23 <DIR> d C:\Documents and Settings\Lesley\Application Data\Yahoo!
    2008-02-25 14:23 . 2008-02-25 14:23 <DIR> d C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2008-02-25 14:22 . 2008-02-25 14:22 <DIR> d C:\Program Files\Yahoo!
    2008-02-25 14:21 . 2008-02-25 14:21 <DIR> d C:\Program Files\Veoh Networks

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-28 01:32 d-----w C:\Program Files\HPQ
    2008-02-28 01:32 d-----w C:\Program Files\Common Files\Symantec Shared
    2008-02-28 01:19 d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-02-25 18:23 d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-25 03:33 d-----w C:\Program Files\RGB
    2008-02-24 13:59 d-----w C:\Program Files\Windows Plus
    2008-02-24 13:56 d-----w C:\Program Files\WildTangent
    2008-02-24 13:56 d-----w C:\Program Files\Synaptics
    2008-02-24 13:56 d-----w C:\Program Files\Sonic
    2008-02-24 13:55 d-----w C:\Program Files\Quickensetup
    2008-02-24 13:55 d-----w C:\Program Files\Quicken
    2008-02-24 13:54 d-----w C:\Program Files\Netscape
    2008-02-24 13:54 d-----w C:\Program Files\muvee Technologies
    2008-02-24 13:54 d-----w C:\Program Files\music_now
    2008-02-24 13:54 d-----w C:\Program Files\MSN Encarta Plus
    2008-02-24 13:54 d-----w C:\Program Files\Microsoft Works
    2008-02-24 13:53 d-----w C:\Program Files\Microsoft Office Trial Wizard
    2008-02-24 13:53 d-----w C:\Program Files\Microsoft Money 2006
    2008-02-24 13:53 d-----w C:\Program Files\microsoft frontpage
    2008-02-24 13:53 d-----w C:\Program Files\Java
    2008-02-24 13:52 d-----w C:\Program Files\HP
    2008-02-24 13:52 d-----w C:\Program Files\Hewlett-Packard
    2008-02-24 13:50 d-----w C:\Program Files\ATI Technologies
    2008-02-24 13:50 d-----w C:\Program Files\AMD
    2008-02-24 13:45 d-----w C:\Documents and Settings\All Users\Application Data\Sonic
    2008-02-24 13:45 d-----w C:\Documents and Settings\All Users\Application Data\SBSI
    2008-02-24 13:45 d-----w C:\Documents and Settings\All Users\Application Data\muvee Technologies
    2008-02-24 13:45 d-----w C:\Documents and Settings\All Users\Application Data\Intuit
    2008-02-24 13:45 d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
    2008-02-24 13:45 d-----w C:\Documents and Settings\All Users\Application Data\HP
    2008-02-24 13:45 d-----w C:\Documents and Settings\All Users\Application Data\DIGStream
    2008-02-24 13:45 d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-02-24 13:45 d-----w C:\Documents and Settings\Administrator\Application Data\Intuit
    2008-02-24 13:30 d-----w C:\Program Files\Google
    2008-02-21 02:05 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
    2008-02-21 02:05 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
    2008-02-21 02:05 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
    2008-02-21 02:04 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
    2008-02-21 02:04 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
    2008-02-21 02:04 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
    2008-02-21 02:04 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
    2008-02-21 02:04 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
    2008-02-21 02:04 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
    2008-02-21 02:04 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
    2008-02-21 02:04 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
    2008-02-21 02:04 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
    2008-02-21 02:04 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
    2008-02-21 02:04 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
    2008-02-21 02:04 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
    2008-01-11 05:53 44,544 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
    2008-01-09 19:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
    2007-12-19 23:01 347,136 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
    2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
    2006-10-03 07:43 2,402,550 ----a-w C:\WINDOWS\inf\SET5CC.tmp
    2005-09-24 07:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
    2004-08-10 15:00 1,431,144 ----a-w C:\WINDOWS\inf\SET63F.tmp
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D44E2AF5-8DF3-4592-B6D8-B628282481B0}]
    C:\WINDOWS\system32\gebyy.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-29 14:14 68856]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 11:00 15360]
    "Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 00:56 64512]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 00:05 344064]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 16:03 36975]
    "HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 02:11 49152]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 16:50 729178]
    "QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2005-12-12 14:39 94208]
    "eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 11:57 405504]
    "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-08-01 17:26 233534]
    "RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 13:23 1187840]
    "hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 17:45 507904]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
    "Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 21:52 483328]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
    "McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2008-01-11 13:06 136512]
    "ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-10-16 21:50 111952]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-03 14:51 185896]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-BA7E-100000000002}\SC_Acrobat.exe [2008-02-24 21:10:43 25214]
    HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 04:39:30 73728]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "12301:TCP"= 12301:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
    "12301:UDP"= 12301:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeServer
    "12302:TCP"= 12302:TCP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate
    "12302:UDP"= 12302:UDP:160.36.178.188/255.255.255.255:Enabled:McAfeeUpdate

    R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
    R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 05:06]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-28 03:18:19 C:\WINDOWS\Tasks\McDefragTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
    "2008-03-01 06:00:40 C:\WINDOWS\Tasks\McQcTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-17 13:03:18
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe??????????w????|?P???? ???B?????????????hLC? ??????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Other Running Processes
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
    .
    **************************************************************************
    .
    Completion time: 2008-03-17 13:09:52 - machine was rebooted [Lesley]
    ComboFix-quarantined-files.txt 2008-03-17 17:09:48
    .
    2008-03-11 23:41:36 --- E O F ---

    Anti-Malware:

    Malwarebytes' Anti-Malware 1.08
    Database version: 499

    Scan type: Quick Scan
    Objects scanned: 32464
    Time elapsed: 6 minute(s), 2 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 4
    Registry Keys Infected: 18
    Registry Values Infected: 2
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 15

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\dfugbptl.dll (Trojan.Vundo) -> Unloaded module successfully.
    C:\WINDOWS\system32\jkhff.dll (Trojan.Vundo) -> Unloaded module successfully.
    C:\WINDOWS\system32\uwagqdef.dll (Trojan.Vundo) -> Unloaded module successfully.
    C:\WINDOWS\system32\opnlllm.dll (Trojan.Vundo) -> Unloaded module successfully.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2ab00bf1-fcb7-4902-ae3d-63c067c22373} (Trojan.Vundo) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{2ab00bf1-fcb7-4902-ae3d-63c067c22373} (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Delete on reboot.
    HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{75a469ff-0681-4ec3-8cec-95db40c9a285} (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75a469ff-0681-4ec3-8cec-95db40c9a285} (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\opnlllm (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Host Process (Worm.IRCBot) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{75a469ff-0681-4ec3-8cec-95db40c9a285} (Trojan.Vundo) -> Delete on reboot.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\jkhff.dll -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\jkhff.dll -> Delete on reboot.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\dfugbptl.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\ltpbgufd.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\jkhff.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\ffhkj.ini (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\ffhkj.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\uwagqdef.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\fedqgawu.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xggqkyjc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\cjykqggx.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ywxfsrhr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\rhrsfxwy.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\Fonts\a.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\Fonts\Setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\opnlllm.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\awtqooo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
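    Editor's note (added example, not part of either poster's text): two things in the Malwarebytes log above are worth pulling out by script rather than by eye. First, every Vundo DLL it found has a companion file whose name is the DLL's name spelled backwards (dfugbptl.dll / ltpbgufd.ini, jkhff.dll / ffhkj.ini, uwagqdef.dll / fedqgawu.ini, and so on), which is a cheap way to spot the family's drop pattern in any file list. Second, the registry hits are not all in the Run key: they sit in Browser Helper Objects, Winlogon\Notify, LSA Authentication Packages and ShellExecuteHooks, i.e. load points inside iexplore, winlogon, lsass and explorer, which is why the DLLs could only be scheduled for "Delete on reboot". The script below is my own triage helper; it parses Malwarebytes-style result lines (the sample is a subset copied from the log in this thread), pairs DLLs with their reversed-name companions, and tallies which load point each registry entry uses. The label strings and the `PERSISTENCE` substring table are my assumptions, not anything from the tools themselves.

```python
"""Triage helper for Vundo-style scanner output (added example, not from the thread).

Parses Malwarebytes-style result lines, pairs each randomly named DLL with the
file whose stem is the DLL stem reversed, and tallies the persistence location
of each registry hit.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: a subset of the Malwarebytes lines posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\dfugbptl.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ltpbgufd.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkhff.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ffhkj.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ffhkj.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uwagqdef.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\fedqgawu.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opnlllm.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\Fonts\Setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2ab00bf1-fcb7-4902-ae3d-63c067c22373} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\opnlllm (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Host Process (Worm.IRCBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{75a469ff-0681-4ec3-8cec-95db40c9a285} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\jkhff.dll -> Delete on reboot.
"""

# "<item> (<detection>) -> <action>"; the action may itself contain "->" (Data: lines).
LINE_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^)]+)\) -> (?P<action>.+)$")

# Assumed mapping from a registry-path substring to the load point it represents.
PERSISTENCE = {
    r"browser helper objects": "BHO (loads in every IE process)",
    r"winlogon\notify": "Winlogon notification package (loads in winlogon.exe)",
    r"authentication packages": "LSA authentication package (loads in lsass.exe)",
    r"shellexecutehooks": "ShellExecute hook (loads in explorer.exe)",
    r"currentversion\run": "Run key",
}


def parse(log):
    """Return one dict (item, detection, action) per well-formed result line."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def reversed_name_pairs(rows):
    """Sorted (dll, companion) name tuples where companion's stem is the DLL stem reversed."""
    files = [r["item"] for r in rows if not r["item"].upper().startswith("HKEY_")]
    by_stem = {}
    for f in files:
        by_stem.setdefault(PureWindowsPath(f).stem.lower(), []).append(f)
    pairs = set()
    for f in files:
        p = PureWindowsPath(f)
        if p.suffix.lower() != ".dll":
            continue
        for companion in by_stem.get(p.stem.lower()[::-1], []):
            if companion != f:
                pairs.add((p.name.lower(), PureWindowsPath(companion).name.lower()))
    return sorted(pairs)


def persistence_summary(rows):
    """Count registry hits per load point, using the PERSISTENCE substring table."""
    counts = Counter()
    for r in rows:
        item = r["item"].lower()
        if not item.startswith("hkey_"):
            continue
        label = next((v for k, v in PERSISTENCE.items() if k in item), "other registry key")
        counts[label] += 1
    return counts


def survived_first_pass(rows):
    """Items the scanner could only schedule for deletion at reboot.

    These are the ones still mapped into a running process, so they are the
    ones to re-check in the next log.
    """
    return sorted(r["item"] for r in rows if r["action"].startswith("Delete on reboot"))


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    for dll, companion in reversed_name_pairs(rows):
        print(f"pair: {dll} <-> {companion}")
    for label, n in persistence_summary(rows).items():
        print(f"{n}x {label}")
    print("still needs a reboot to clear:", len(survived_first_pass(rows)))
```

    Run it on a full Malwarebytes or ComboFix "Other Deletions" dump and any DLL that shows up without a reversed-name companion (opnlllm.dll in the sample) is worth submitting to VirusTotal separately, since it was not dropped by the usual pair pattern.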
  • VekaVeka Finland
    edited March 2008
    Hi autitania,

    Please do the following...

    Step 1:
    • Go to VirusTotal
    • Copy and paste the following file path into the Search Box in the middle of the page:

      C:\WINDOWS\system32\vbzip10.dll

    • Now, click on the Send File button
    • Save a copy of the Anti-Virus results. Post the results in your next reply.
    Do the same with

    C:\Documents and Settings\Lesley\Application Data\inst.exe

    Step 2:

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    File::
    C:\WINDOWS\system32\aoteammd.ini
    C:\WINDOWS\SE26A48A1.tmp

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D44E2AF5-8DF3-4592-B6D8-B628282481B0}]
    [-HKEY_CLASSES_ROOT\CLSID\{D44E2AF5-8DF3-4592-B6D8-B628282481B0}]
    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    CFScript.gif


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
  • VekaVeka Finland
    edited March 2008
    This topic is now closed due to inactivity.

    If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

    If you are not the user who started this thread, you must start your own thread instead. :)