Member Panel

Remember me ?

Forgot password?   

Sponsors and Ads

Join the Team

Live Tag Cloud
PC Forum PC Help Forum » Security & Safety » [Fixed] Hijackthis! Logs » Virtumonde - I am being hijacked !

[Fixed] Hijackthis! Logs - Virtumonde - I am being hijacked ! posted in the Security & Safety forums; A few days ago, my computer started acting very strange, almost as if it was possessed. When I am surfing the internet, I am magically taken to various websites (offers ...

JOIN US NOW to remove these Ads

Post New Thread  Reply
Page 1 of 3 1 2 3 >
  #1  
Old 05-19-2008
Bronze Member
  
Join Date: May 2008
Posts: 10
PC Experience: Experienced
jamoosee2 - See this Members User comments on their Profile page
Default Virtumonde - I am being hijacked !
A few days ago, my computer started acting very strange, almost as if it was possessed. When I am surfing the internet, I am magically taken to various websites (offers for medications, travel, porn etc. etc.) Sometimes it is difficult to even close the popups, let alone the new screen I am taken to.

I am running SPYBOT and Ad-Aware religiously (3 times per week with updates) and run a full AVG antivirus scan twice weekly. I have never had this happen before. I have done the "Pre-work" procedure and when I went to post this thread, the craziness immediately started up again. HELP !!!

Thanks in advance for your help.

Here is the AVG Antispyware log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:19:40 AM 5/19/2008

+ Scan result:



C:\LIMEWIRE DOWNLOAD\01 Track 1.wma -> Trojan.Wimad.a : Cleaned with backup (quarantined).


::Report end

Here is the Super Antispyware log:

SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com - AntiAdware, AntiSpyware, AntiMalware!

Generated 05/19/2008 at 09:25 AM

Application Version : 4.0.1154

Core Rules Database Version : 3412
Trace Rules Database Version: 1404

Scan type : Complete Scan
Total Scan Time : 00:25:21

Memory items scanned : 249
Memory threats detected : 1
Registry items scanned : 8232
Registry threats detected : 0
File items scanned : 19301
File threats detected : 1

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\WVUMMJYS.DLL
C:\WINDOWS\SYSTEM32\WVUMMJYS.DLL

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38, on 2008-05-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Virtumonde\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Windsor Star
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = Dell Start Page
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: {128a3f67-f5aa-d13b-8f34-ee9bd2ed2ef0} - {0fe2de2d-b9ee-43f8-b31d-aa5f76f3a821} - C:\WINDOWS\system32\hoadbjlm.dll
O2 - BHO: (no name) - {124BC741-D01F-4D8E-8CE2-CB8CE86AD0BE} - C:\WINDOWS\system32\wvUmmJYS.dll (file missing)
O2 - BHO: (no name) - {223A52CC-BDFB-4101-A83E-00BE5CE1C25A} - C:\WINDOWS\system32\cbXNDtuu.dll (file missing)
O2 - BHO: (no name) - {36D9CB8D-B8CA-4A85-A879-06A71109F11E} - C:\WINDOWS\system32\urqQhIyW.dll
O2 - BHO: (no name) - {5312BCA3-6369-4FA5-8A77-8E85EC307FE0} - C:\WINDOWS\system32\khfGvuUo.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {C3742C64-2E4D-4D6B-A09D-9B4496B3969B} - C:\WINDOWS\system32\ddcAtqRJ.dll (file missing)
O2 - BHO: (no name) - {DEE0D059-7C54-4477-9EE4-A103186DE549} - C:\WINDOWS\system32\awtrRkli.dll (file missing)
O2 - BHO: (no name) - {E6583A20-537B-4FD8-A6A4-0B8CDBD6BEE5} - C:\WINDOWS\system32\khfFYqND.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb1 0.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [BM47b67875] Rundll32.exe "C:\WINDOWS\system32\mjrqqyqr.dll",s
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.ca/downloads/***/***_WIN_IE_2/axofupld.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ljjjifd - ljjjifd.dll (file missing)
O20 - Winlogon Notify: urqQhIyW - C:\WINDOWS\SYSTEM32\urqQhIyW.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\DAD\LOCALS~1\Temp\DX9\SessionLauncher. exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 12536 bytes
  #2  
Old 05-20-2008
chiaz's Avatar
Senior Security Analyst
  
Join Date: Jun 2006
Location: Singapore
Posts: 2,588
PC Experience: PC Guru
chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page
Default Re: Virtumonde - I am being hijacked !
Hello, and welcome to PCHF.


Please download VundoFix.exe
to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please attach C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.
  #3  
Old 05-20-2008
Bronze Member
  
Join Date: May 2008
Posts: 10
PC Experience: Experienced
jamoosee2 - See this Members User comments on their Profile page
Default Re: Virtumonde - I am being hijacked !
Thanks for the quick response. I ran VUNDOFIX as requested and no errors / problems were found. Hence no text file to post. I then ran HiJackThis and the log is shown below.

Just so you know, what triggered my first suspicion to a problem was an alert on my system tray from Windows Security Center that Automatic Updates was turned off. I could not turn it back on for some time. It was as if it was turned off from somewhere else. However, from control panel under Automatic Updates, it was showing that Auto Updates was on. I cannot do a Windows Update from Internet Explorer because it says that Auto Updates is off. Quite weird.

---------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:53, on 2008-05-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ltmsg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\FirstClass\fcc32.exe
C:\WINDOWS\explorer.exe
C:\Virtumonde\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Windsor Star
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = Dell Start Page
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb1 0.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BM47b67875] Rundll32.exe "C:\WINDOWS\system32\nuxafbja.dll",s
O4 - HKLM\..\Run: [44854be9] rundll32.exe "C:\WINDOWS\system32\wrudnlqy.dll",b
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.ca/downloads/***/***_WIN_IE_2/axofupld.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\DAD\LOCALS~1\Temp\DX9\SessionLauncher. exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10463 bytes
  #4  
Old 05-20-2008
chiaz's Avatar
Senior Security Analyst
  
Join Date: Jun 2006
Location: Singapore
Posts: 2,588
PC Experience: PC Guru
chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page
Default Re: Virtumonde - I am being hijacked !
Please download Combofix from any of these locations:
Here or Here

Save ComboFix to the desktop and please ensure that you disable real-time security/virus programs that monitors your PC while CF is running.
1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Copy and Paste the contents of that log in your next reply with a new hijackthis log. Do not use Code or html unless asked for.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Caution...Never run and remove files using ComboFix without being supervised by a security analyst.
  #5  
Old 05-20-2008
Bronze Member
  
Join Date: May 2008
Posts: 10
PC Experience: Experienced
jamoosee2 - See this Members User comments on their Profile page
Default Re: Virtumonde - I am being hijacked !
Not sure if I mentioned it before, but search engines such as Google and Yahoo are unusable in my system. If I type in a word to search and the machine just sits there.

-----------------------------------
Combofix Log
-----------------------------------

ComboFix 08-05-19.4 - DAD 2008-05-20 6:29:17.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1372 [GMT -4:00]
Running from: C:\Virtumonde\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bddtyjmv.ini
C:\WINDOWS\system32\GjiPoUtv.ini
C:\WINDOWS\system32\GjiPoUtv.ini2
C:\WINDOWS\system32\hmungwiw.ini
C:\WINDOWS\system32\hunygwta.ini
C:\WINDOWS\system32\ilkRrtwa.ini
C:\WINDOWS\system32\ilkRrtwa.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\oUuvGfhk.ini
C:\WINDOWS\system32\oUuvGfhk.ini2
C:\WINDOWS\system32\SYJmmUvw.ini
C:\WINDOWS\system32\SYJmmUvw.ini2
C:\WINDOWS\system32\TBdKknnn.ini
C:\WINDOWS\system32\TBdKknnn.ini2
C:\WINDOWS\system32\toucyjjt.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2008-09-07 17:32 . 2008-02-27 18:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-07 16:59 . 2008-09-07 16:57 691,545 --a------ C:\WINDOWS\unins000.exe
2008-09-07 16:59 . 2008-09-07 16:59 3,403 --a------ C:\WINDOWS\unins000.dat
2008-09-05 19:55 . 2008-09-06 19:24 <DIR> d-------- C:\YoutubeGet
2008-09-05 19:55 . 2008-02-21 20:45 <DIR> d-------- C:\tmpDownload
2008-09-05 19:55 . 2008-09-05 19:55 6 --a------ C:\WINDOWS\youtubex.dll
2008-09-05 19:53 . 2008-09-05 19:53 <DIR> d-------- C:\WINDOWS\YoutubeEXE
2008-09-05 07:38 . 2008-09-05 07:38 <DIR> d-------- C:\QUEST for GOLD
2008-05-19 21:47 . 2008-05-19 21:47 <DIR> d-------- C:\VundoFix Backups
2008-05-19 20:23 . 2008-05-20 06:27 <DIR> d-------- C:\DOWNLOADS
2008-05-19 20:22 . 2008-05-19 20:22 <DIR> d-------- C:\Myfiles
2008-05-19 19:55 . 2008-05-19 19:55 114,688 --a------ C:\WINDOWS\system32\wrudnlqy.dll
2008-05-19 19:55 . 2008-05-19 19:55 2,560 --a------ C:\WINDOWS\system32\nnfevedb.exe
2008-05-19 19:55 . 2008-05-19 19:56 834 ---hs---- C:\WINDOWS\system32\yqlndurw.ini
2008-05-19 19:52 . 2008-05-19 19:52 134,656 --a------ C:\WINDOWS\system32\kxmbdmci.dll
2008-05-19 19:50 . 2008-05-19 19:50 124,928 --a------ C:\WINDOWS\system32\nuxafbja.dll
2008-05-19 19:49 . 2008-05-19 19:49 371,712 --a------ C:\WINDOWS\system32\nnnkKdBT.dll
2008-05-19 10:53 . 2008-05-19 10:53 134,656 --a------ C:\WINDOWS\system32\vegkyoyv.dll
2008-05-19 10:39 . 2008-05-19 10:39 124,928 --a------ C:\WINDOWS\system32\ytwgjwet.dll
2008-05-19 09:34 . 2008-05-19 09:34 <DIR> d-------- C:\Documents and Settings\DAD\Application Data\Grisoft
2008-05-19 08:59 . 2008-05-19 08:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-05-19 08:18 . 2008-05-19 08:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-05-19 07:32 . 2008-05-19 07:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-05-19 07:27 . 2008-05-19 07:27 <DIR> d-------- C:\Program Files\CCleaner
2008-05-19 07:25 . 2008-05-19 10:37 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-19 07:25 . 2008-05-19 07:25 <DIR> d-------- C:\Documents and Settings\DAD\Application Data\SUPERAntiSpyware.com
2008-05-19 07:25 . 2008-05-19 07:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-19 07:25 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-05-19 07:13 . 2008-05-19 07:13 132,608 --a------ C:\WINDOWS\system32\hoadbjlm.dll
2008-05-19 07:13 . 2008-05-19 07:13 114,688 --a------ C:\WINDOWS\system32\atwgynuh.dll
2008-05-19 07:08 . 2008-05-20 06:27 <DIR> d-------- C:\Virtumonde
2008-05-19 07:04 . 2008-05-19 07:04 124,928 --a------ C:\WINDOWS\system32\mjrqqyqr.dll
2008-05-18 23:08 . 2008-05-18 23:08 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-18 23:03 . 2008-05-18 23:27 <DIR> d-------- C:\SDFix
2008-05-18 12:29 . 2008-05-18 12:29 124,928 --a------ C:\WINDOWS\system32\xqsqxvma.dll
2008-05-18 07:43 . 2008-05-18 07:43 117,248 --a------ C:\WINDOWS\system32\wiwgnumh.dll
2008-05-18 07:39 . 2008-05-18 07:39 124,928 --a------ C:\WINDOWS\system32\yaxgsctm.dll
2008-05-17 17:15 . 2008-05-17 17:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-17 15:18 . 2008-05-17 15:18 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-17 15:18 . 2008-05-19 07:25 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-17 10:41 . 2008-05-17 10:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-05-17 10:39 . 2008-05-17 10:39 <DIR> d-------- C:\Program Files\Citrix
2008-05-17 10:34 . 2008-05-17 10:34 134,144 --a------ C:\WINDOWS\system32\fajjjjbm.dll
2008-05-17 10:29 . 2008-05-17 10:29 125,952 --a------ C:\WINDOWS\system32\nnwvbqsm.dll
2008-05-17 09:19 . 2008-05-17 09:19 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-17 08:15 . 2008-05-17 08:15 134,144 --a------ C:\WINDOWS\system32\gprdivds.dll
2008-05-17 08:04 . 2008-05-17 08:04 125,952 --a------ C:\WINDOWS\system32\kypnxpmg.dll
2008-05-16 20:13 . 2008-05-16 20:13 125,952 --a------ C:\WINDOWS\system32\eynioxxn.dll
2008-05-16 20:13 . 2008-05-20 06:27 109,890 --a------ C:\WINDOWS\BM47b67875.xml
2008-05-16 20:08 . 2008-05-16 20:08 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2008-05-16 20:07 . 2008-05-16 20:07 <DIR> d-------- C:\winavi
2008-05-16 20:07 . 2008-05-16 20:07 59,392 --a------ C:\WINDOWS\system32\urqQhIyW.dll
2008-05-12 21:53 . 2008-05-12 21:53 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-12 21:53 . 2008-05-12 21:53 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-05-12 21:53 . 2008-05-12 21:53 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-05-12 21:51 . 2008-05-12 21:51 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-05-12 21:51 . 2008-05-12 21:51 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-05-12 21:49 . 2008-05-12 21:49 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-05-12 21:49 . 2008-05-12 21:49 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2008-05-12 21:49 . 2008-05-12 21:49 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-12 21:49 . 2008-05-12 21:49 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-04-25 19:38 . 2008-05-19 18:47 <DIR> dr-h----- C:\$VAULT$.AVG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-09-07 21:01 --------- d-----w C:\Documents and Settings\DAD\Application Data\Lavasoft
2008-09-06 00:38 3,766 ----a-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-09-06 00:38 --------- d-----w C:\Documents and Settings\DAD\Application Data\Corel
2008-05-20 00:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-20 00:06 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-05-19 21:37 --------- d-----w C:\Documents and Settings\DAD\Application Data\AVG7
2008-05-17 19:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-17 18:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-17 18:19 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-17 15:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-17 15:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-17 15:28 --------- d-----w C:\Program Files\LimeWire
2008-05-17 00:45 --------- d-----w C:\Documents and Settings\DAD\Application Data\uTorrent
2008-05-16 21:43 --------- d-----w C:\Program Files\DivX
2008-05-16 00:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-04-09 01:24 --------- d-----w C:\Program Files\QuickTax 2007
2008-04-07 01:42 --------- d-----w C:\Documents and Settings\DAD\Application Data\DivX
2008-04-03 01:04 --------- d-----w C:\Program Files\UFile 2007
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-22 19:17 --------- d-----w C:\Documents and Settings\DAD\Application Data\Intuit Canada
2008-03-22 19:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit Canada
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 22:36 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2007-02-10 03:11 87,608 ----a-w C:\Documents and Settings\DAD\Application Data\ezpinst.exe
2007-02-10 03:11 47,360 ----a-w C:\Documents and Settings\DAD\Application Data\pcouffin.sys
2007-12-07 11:02 259 ----a-w C:\Program Files\internet explorer\plugins\IEImageRR.dll
2008-01-21 00:17 88 --sha-r C:\WINDOWS\system32\99C184490C.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-17_18.12.32.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-17 22:00:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-20 10:33:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-17 06:22:37 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-05-19 03:08:41 618,496 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-05-19 03:08:41 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\usrclass.dat
+ 2008-05-17 06:22:37 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-05-19 03:08:39 618,496 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-05-19 03:08:39 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\usrclass.dat
+ 2008-05-19 11:25:43 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-05-19 11:25:43 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2007-10-11 19:12:48 1,468,968 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 22:06:36 1,480,232 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-05-20 10:34:52 16,384 --sha-w C:\WINDOWS\TEMP\Cookies\index.dat
+ 2008-05-20 10:34:52 16,384 --sha-w C:\WINDOWS\TEMP\History\History.IE5\index.dat
+ 2008-05-20 10:34:52 32,768 --sha-w C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{124BC741-D01F-4D8E-8CE2-CB8CE86AD0BE}]
C:\WINDOWS\system32\wvUmmJYS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{223A52CC-BDFB-4101-A83E-00BE5CE1C25A}]
C:\WINDOWS\system32\cbXNDtuu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36D9CB8D-B8CA-4A85-A879-06A71109F11E}]
2008-05-16 20:07 59392 --a------ C:\WINDOWS\system32\urqQhIyW.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5312BCA3-6369-4FA5-8A77-8E85EC307FE0}]
C:\WINDOWS\system32\khfGvuUo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B642315-FD5F-44B7-811D-50C32A3F6B8E}]
2008-05-19 19:49 371712 --a------ C:\WINDOWS\system32\nnnkKdBT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75006336-1FA5-48BA-A76A-0DB914F071E5}]
C:\WINDOWS\system32\vtUoPijG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{804aac88-8b51-41d4-b808-6804e0562c88}]
2008-05-19 19:52 134656 --a------ C:\WINDOWS\system32\kxmbdmci.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3742C64-2E4D-4D6B-A09D-9B4496B3969B}]
C:\WINDOWS\system32\ddcAtqRJ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEE0D059-7C54-4477-9EE4-A103186DE549}]
C:\WINDOWS\system32\awtrRkli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6583A20-537B-4FD8-A6A4-0B8CDBD6BEE5}]
C:\WINDOWS\system32\khfFYqND.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]
"Active Desktop Calendar"="C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [2006-11-24 17:04 3321856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-05-17 16:21 579584]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [ ]
"UpdReg"="C:\WINDOWS\Updreg.exe" [2000-05-11 02:00 90112]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 12:20 282624 C:\WINDOWS\stsystra.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray. dll" [2007-12-05 02:41 81920]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.e xe" [2001-07-09 11:50 155648]
"LTWinModem1"="ltmsg.exe" [2001-04-03 10:38 38912 C:\WINDOWS\system32\ltmsg.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-23 00:25 28160 C:\WINDOWS\KHALMNPR.Exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 09:15 151552]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86 \3\hpztsb10.exe" [2004-06-21 13:40 172032]
"DMXLauncher"="C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 04:44 113136]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"AHQInit"="C:\Program Files\Creative\SBLive\Program\AHQInit.exe" [2001-03-27 21:00 102400]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
"44854be9"="C:\WINDOWS\system32\wrudnlqy.dll" [2008-05-19 19:55 114688]
"BM47b67875"="C:\WINDOWS\system32\nuxafbja.dll " [2008-05-19 19:50 124928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunServices]
"csr"="csrrs.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-12 19:42 219136]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1 \DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-09-20 06:12:11 49254]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\shellexecutehooks]
"{36D9CB8D-B8CA-4A85-A879-06A71109F11E}"= C:\WINDOWS\system32\urqQhIyW.dll [2008-05-16 20:07 59392]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjifd]
ljjjifd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqQhIyW]
urqQhIyW.dll 2008-05-16 20:07 59392 C:\WINDOWS\system32\urqQhIyW.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~ 1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JPEG"= JPEGCODE.DLL
"VIDC.MPEG"= JPEGCODE.DLL
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm
"msacm.ctmp3"= C:\WINDOWS\system32\ctmp3.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aswUpdSv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=

R1 c2scsi;c2scsi;C:\WINDOWS\system32\drivers\c2scsi.s ys [2007-01-10 08:00]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;"C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe" [2007-08-24 16:53]
S2 RoxLiveShare10;LiveShare P2P Server 10;"C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" [2007-08-24 16:52]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;"C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe" [2007-08-24 16:52]
S2 SessionLauncher;SessionLauncher;C:\DOCUME~1\DAD\LO CALS~1\Temp\DX9\SessionLauncher.exe []
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe" Start=service []
S3 MSCLSSTs;MSCLSSTs;C:\WINDOWS\system32\DRIVERS\MSCL SSTs.sys [2003-04-16 15:39]
S3 MSCLSSTu;Solid State MP3 Player Control Driver;C:\WINDOWS\system32\Drivers\MSCLSSTu.sys [2003-04-16 15:39]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 05:39]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;"C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe" [2007-08-24 16:53]
S3 RoxMediaDB10;RoxMediaDB10;"C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe" [2007-08-24 16:52]

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7C800000-ECBD-15CF-3B95-00AA005B3383}]
C:\Program Files\Internet Explorer\PLUGINS\cxsrrs.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-05-20 10:36:38 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
************************************************** ************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 06:34:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


************************************************** ************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\urqQhIyW.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\imapi.exe
.
************************************************** ************************
.
Completion time: 2008-05-20 6:45:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-20 10:44:00
ComboFix2.txt 2008-05-17 22:12:48

Pre-Run: 171,477,934,080 bytes free
Post-Run: 171,467,628,544 bytes free

308 --- E O F --- 2008-05-14 09:45:30

---------------------------------------------
HiJackThis log
---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:06, on 2008-05-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb1 0.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Virtumonde\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Windsor Star
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = Dell Start Page
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb1 0.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [44854be9] rundll32.exe "C:\WINDOWS\system32\wrudnlqy.dll",b
O4 - HKLM\..\Run: [BM47b67875] Rundll32.exe "C:\WINDOWS\system32\nuxafbja.dll",s
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.ca/downloads/***/***_WIN_IE_2/axofupld.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23