Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

VirtuMundoBegone - Doesn't work, (log file here) [CLOSED]

Started by ctarsis , May 27 2008 07:37 AM

  • This topic is locked This topic is locked

#1
ctarsis
Posted 27 May 2008 - 07:37 AM

ctarsis

    New Member

  • Member
  • Pip
  • 2 posts
i believe my computer has a virus, which leads to a buffer overrun errors regarding windows, and frequently poppups appear asking me to download antivirus software which don't work.

i tried Vundofix.exe but more than 4000 files popped up and some look like system files which I don't wish to tamper with, (my computer might be an asian version)

I tried virtumundobegone, but it doesn't seem to have fixed the problem.

Any help is greatly appreciated.

The Hijackthis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:53 PM, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Utils\FjDspMon.exe
C:\Program Files\Fujitsu\Utils\fjevents.exe
C:\Program Files\Fujitsu\Utils\FjMnuIco.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\igfxext.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\digtizer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
D:\Documents and Settings\Administrator\My Documents\My Videos\HijackThis.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [FjDspMon] C:\Program Files\Fujitsu\Utils\FjDspMon.exe
O4 - HKLM\..\Run: [FjEvents] C:\Program Files\Fujitsu\Utils\fjevents.exe
O4 - HKLM\..\Run: [Fujitsu Menu] C:\Program Files\Fujitsu\Utils\FjMnuIco.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Snippet] "C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" /i
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [6869f56c] rundll32.exe "C:\WINDOWS\system32\ywccqupl.dll",b
O4 - HKLM\..\Run: [strpmon] "C:\Program Files\Common Files\SystemErrorFixer\strpmon.exe" dm=http://systemerrorfixer.com ad=http://systemerrorfixer.com sd=http://inspaid.systemerrorfixer.com
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BM6b5ac6f0] Rundll32.exe "C:\WINDOWS\system32\cnjoxhtj.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TabletWizard] %windir%\help\wizard.hta
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [27168636112188945979311126362771] C:\Program Files\XP Antivirus\xpa.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206180140328
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1206181642500
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Digitizer Service (Digitizer) - WACOM - C:\WINDOWS\System32\digtizer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe

--
End of file - 7622 bytes


____________________________________________________


The VBG.txt

[05/27/2008, 21:13:09] - VirtumundoBeGone v1.5 ( "D:\Documents and Settings\Administrator\Desktop\New Folder\VirtumundoBeGone.exe" )
[05/27/2008, 21:13:16] - Detected System Information:
[05/27/2008, 21:13:16] - Windows Version: 5.1.2600, Service Pack 2
[05/27/2008, 21:13:16] - Current Username: Administrator (Admin)
[05/27/2008, 21:13:16] - Windows is in NORMAL mode.
[05/27/2008, 21:13:16] - Searching for Browser Helper Objects:
[05/27/2008, 21:13:16] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/27/2008, 21:13:16] - BHO 2: {1E978FE6-D79B-4B3E-80CE-F8EF7C7FCF86} ()
[05/27/2008, 21:13:16] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2008, 21:13:16] - Checking for HKLM\...\Winlogon\Notify\tuvUOHwV
[05/27/2008, 21:13:16] - Key not found: HKLM\...\Winlogon\Notify\tuvUOHwV, continuing.
[05/27/2008, 21:13:16] - BHO 3: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/27/2008, 21:13:16] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2008, 21:13:16] - No filename found. Continuing.
[05/27/2008, 21:13:16] - BHO 4: {87862E26-BDA0-4A78-B94C-86BCB9428A6F} ()
[05/27/2008, 21:13:16] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2008, 21:13:16] - Checking for HKLM\...\Winlogon\Notify\qoMfdBrS
[05/27/2008, 21:13:16] - Found: HKLM\...\Winlogon\Notify\qoMfdBrS - This is probably Virtumundo.
[05/27/2008, 21:13:16] - Assigning {87862E26-BDA0-4A78-B94C-86BCB9428A6F} MSEvents Object
[05/27/2008, 21:13:16] - BHO list has been changed! Starting over...
[05/27/2008, 21:13:16] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/27/2008, 21:13:16] - BHO 2: {1E978FE6-D79B-4B3E-80CE-F8EF7C7FCF86} ()
[05/27/2008, 21:13:16] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2008, 21:13:16] - Checking for HKLM\...\Winlogon\Notify\tuvUOHwV
[05/27/2008, 21:13:16] - Key not found: HKLM\...\Winlogon\Notify\tuvUOHwV, continuing.
[05/27/2008, 21:13:16] - BHO 3: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/27/2008, 21:13:16] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2008, 21:13:16] - No filename found. Continuing.
[05/27/2008, 21:13:16] - BHO 4: {87862E26-BDA0-4A78-B94C-86BCB9428A6F} (MSEvents Object)
[05/27/2008, 21:13:16] - ALERT: Found MSEvents Object!
[05/27/2008, 21:13:16] - BHO 5: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/27/2008, 21:13:16] - Finished Searching Browser Helper Objects
[05/27/2008, 21:13:16] - *** Detected MSEvents Object
[05/27/2008, 21:13:16] - Trying to remove MSEvents Object...
[05/27/2008, 21:13:17] - Terminating Process: IEXPLORE.EXE
[05/27/2008, 21:13:19] - Terminating Process: RUNDLL32.EXE
[05/27/2008, 21:13:19] - Disabling Automatic Shell Restart
[05/27/2008, 21:13:19] - Terminating Process: EXPLORER.EXE
[05/27/2008, 21:13:20] - Suspending the NT Session Manager System Service
[05/27/2008, 21:13:20] - Terminating Windows NT Logon/Logoff Manager
[05/27/2008, 21:13:21] - Re-enabling Automatic Shell Restart
[05/27/2008, 21:13:21] - File to disable: C:\WINDOWS\system32\qoMfdBrS.dll
[05/27/2008, 21:13:21] - Renaming C:\WINDOWS\system32\qoMfdBrS.dll -> C:\WINDOWS\system32\qoMfdBrS.dll.vir
[05/27/2008, 21:13:21] - File successfully renamed!
[05/27/2008, 21:13:21] - Removing HKLM\...\Browser Helper Objects\{87862E26-BDA0-4A78-B94C-86BCB9428A6F}
[05/27/2008, 21:13:21] - Removing HKCR\CLSID\{87862E26-BDA0-4A78-B94C-86BCB9428A6F}
[05/27/2008, 21:13:21] - Adding Kill Bit for ActiveX for GUID: {87862E26-BDA0-4A78-B94C-86BCB9428A6F}
[05/27/2008, 21:13:21] - Deleting ATLEvents/MSEvents Registry entries
[05/27/2008, 21:13:21] - Removing HKLM\...\Winlogon\Notify\qoMfdBrS
[05/27/2008, 21:13:21] - Searching for Browser Helper Objects:
[05/27/2008, 21:13:21] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/27/2008, 21:13:21] - BHO 2: {1E978FE6-D79B-4B3E-80CE-F8EF7C7FCF86} ()
[05/27/2008, 21:13:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2008, 21:13:21] - Checking for HKLM\...\Winlogon\Notify\tuvUOHwV
[05/27/2008, 21:13:21] - Key not found: HKLM\...\Winlogon\Notify\tuvUOHwV, continuing.
[05/27/2008, 21:13:21] - BHO 3: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/27/2008, 21:13:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2008, 21:13:21] - No filename found. Continuing.
[05/27/2008, 21:13:21] - BHO 4: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/27/2008, 21:13:21] - Finished Searching Browser Helper Objects
[05/27/2008, 21:13:21] - Finishing up...
[05/27/2008, 21:13:21] - A restart is needed.
[05/27/2008, 21:13:31] - Attempting to Restart via STOP error (Blue Screen!)
  • 0

Advertisements

#2
Rorschach112
Posted 27 May 2008 - 08:35 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.




Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#3
ctarsis
Posted 28 May 2008 - 05:22 AM

ctarsis

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
the new hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:19:54 PM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\conime.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\digtizer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Utils\FjDspMon.exe
C:\Program Files\Fujitsu\Utils\fjevents.exe
C:\Program Files\Fujitsu\Utils\FjMnuIco.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\Documents and Settings\Administrator\My Documents\My Videos\HijackThis.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [FjDspMon] C:\Program Files\Fujitsu\Utils\FjDspMon.exe
O4 - HKLM\..\Run: [FjEvents] C:\Program Files\Fujitsu\Utils\fjevents.exe
O4 - HKLM\..\Run: [Fujitsu Menu] C:\Program Files\Fujitsu\Utils\FjMnuIco.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Snippet] "C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" /i
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [strpmon] "C:\Program Files\Common Files\SystemErrorFixer\strpmon.exe" dm=http://systemerrorfixer.com ad=http://systemerrorfixer.com sd=http://inspaid.systemerrorfixer.com
O4 - HKLM\..\Run: [BM6b5ac6f0] Rundll32.exe "C:\WINDOWS\system32\blbqecwn.dll",s
O4 - HKLM\..\Run: [6869f56c] rundll32.exe "C:\WINDOWS\system32\ocsyrrcg.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TabletWizard] %windir%\help\wizard.hta
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206180140328
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1206181642500
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Digitizer Service (Digitizer) - WACOM - C:\WINDOWS\System32\digtizer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe

--
End of file - 7655 bytes


the combofix log

ComboFix 08-05-27.4 - Administrator 2008-05-28 19:02:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.191 [GMT 8:00]
Running from: D:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM6b5ac6f0.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\VwHOUvut.ini
C:\WINDOWS\system32\VwHOUvut.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))
.

2008-05-28 15:42 . 2008-05-28 16:00 1,506,271 ---hs---- C:\WINDOWS\system32\fxqhiayh.ini
2008-05-28 15:42 . 2008-05-28 15:42 91,136 --a------ C:\WINDOWS\system32\vxffjdtt.dll
2008-05-28 15:42 . 2008-05-28 15:42 81,920 --a------ C:\WINDOWS\system32\hyaihqxf.dll
2008-05-28 14:15 . 2008-05-28 14:15 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-28 14:15 . 2008-05-28 14:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-28 11:50 . 2008-05-28 18:23 <DIR> dr-h----- C:\$VAULT$.AVG
2008-05-27 20:47 . 2008-05-27 20:47 <DIR> d-------- C:\VundoFix Backups
2008-05-27 19:23 . 2008-05-27 19:24 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-27 19:23 . 2008-05-27 19:23 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-27 19:22 . 2008-05-27 19:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-27 19:12 . 2008-05-27 19:12 <DIR> dr------- D:\Documents and Settings\All Users\Application Data\systemerrorfixer
2008-05-27 19:11 . 2008-05-27 19:11 <DIR> dr------- D:\Documents and Settings\All Users\Application Data\SalesMon
2008-05-27 19:11 . 2008-05-28 11:50 <DIR> d-------- C:\Program Files\Common Files\SystemErrorFixer
2008-05-27 15:46 . 2008-05-28 15:41 1,428,858 ---hs---- C:\WINDOWS\system32\lpuqccwy.ini
2008-05-27 15:41 . 2008-05-27 15:41 90,624 --a------ C:\WINDOWS\system32\cnjoxhtj.dll
2008-05-26 13:26 . 2008-05-27 13:27 1,416,624 ---hs---- C:\WINDOWS\system32\axidumex.ini
2008-05-26 13:26 . 2008-05-26 13:26 91,136 --a------ C:\WINDOWS\system32\klndftgp.dll
2008-05-26 13:26 . 2008-05-26 13:26 80,896 --a------ C:\WINDOWS\system32\xemudixa.dll
2008-05-25 13:30 . 2008-05-26 10:59 1,416,281 ---hs---- C:\WINDOWS\system32\nsnmvnmo.ini
2008-05-25 13:25 . 2008-05-25 13:25 91,136 --a------ C:\WINDOWS\system32\hhhjehdr.dll
2008-05-24 12:42 . 2008-05-25 13:25 1,416,092 ---hs---- C:\WINDOWS\system32\insgcfrx.ini
2008-05-24 12:39 . 2008-05-24 12:39 280,576 --a------ C:\WINDOWS\system32\tuvUOHwV.dll
2008-05-24 12:37 . 2008-05-24 12:37 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-24 12:34 . 2008-05-24 12:34 30,208 --a------ C:\WINDOWS\system32\qoMfdBrS.dll.vir
2008-05-24 12:12 . 2008-05-24 12:12 145 --a------ C:\WINDOWS\system32\winver.bat
2008-05-23 11:44 . 2008-05-26 14:58 94,208 --a------ C:\WINDOWS\ScUnin.exe
2008-05-23 11:44 . 2008-05-26 14:58 40,421 --a------ C:\WINDOWS\scunin.dat
2008-05-23 11:44 . 2008-05-26 14:58 967 --a------ C:\WINDOWS\ScUnin.pif
2008-05-23 00:12 . 2008-05-23 00:20 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-10 14:26 . 2008-05-10 14:26 <DIR> d-------- D:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-05-02 17:02 . 2008-05-22 15:56 14 --a------ C:\WINDOWS\popcinfo.dat
2008-04-29 11:20 . 2008-04-29 11:20 15,648 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 11:19 . 2008-04-29 11:19 15,648 --a------ C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 11:19 . 2008-04-29 11:19 12,960 --a------ C:\WINDOWS\system32\drivers\Awrtpd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 11:40 --------- d-----w D:\Documents and Settings\Administrator\Application Data\Azureus
2008-05-24 11:07 --------- d-----w D:\Documents and Settings\All Users\Application Data\avg7
2008-05-02 09:03 --------- d-----w C:\Program Files\PopCap Games
2008-04-22 12:23 --------- d-----w D:\Documents and Settings\Administrator\Application Data\Sonic
2008-04-18 06:55 --------- d-----w D:\Documents and Settings\Administrator\Application Data\AVG7
2008-04-17 11:05 --------- d-----w C:\Program Files\Azureus
2008-04-15 23:04 --------- d-----w D:\Documents and Settings\All Users\Application Data\Azureus
2008-04-15 08:03 --------- d-----w C:\Program Files\Ahead
2008-04-15 08:02 --------- d-----w C:\Program Files\Common Files\Ahead
2008-04-11 13:29 --------- d-----w C:\Program Files\TryMedia
2008-04-11 12:37 --------- d---a-w D:\Documents and Settings\All Users\Application Data\TEMP
2008-04-11 11:45 --------- d-----w C:\Program Files\Glest_v1.1.0
2008-04-11 10:59 0 ----a-r C:\logwmemory.bin
2008-04-11 10:57 --------- d-----w D:\Documents and Settings\Administrator\Application Data\Soldat
2008-04-11 10:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-11 10:11 --------- d-----w C:\Program Files\directx
2008-04-11 00:46 --------- d-----w D:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-11 00:46 --------- d-----w D:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-07 11:46 --------- d-----w C:\Program Files\Xvid
2008-04-06 09:15 --------- d--h--w D:\Documents and Settings\All Users\Application Data\{8886169A-FE81-40A1-ABEC-74CE0C807E74}
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ADF8B171-6237-4E02-BFAC-6628D9F36437}]
2008-05-24 12:39 280576 --a------ C:\WINDOWS\system32\tuvUOHwV.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
"TabletWizard"="%windir%\help\wizard.hta" [ ]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-22 09:34 126976]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 20:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"AGRSMMSG"="AGRSMMSG.exe" [2005-06-10 06:00 88203 C:\WINDOWS\AGRSMMSG.exe]
"IndicatorUtility"="C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2005-02-28 10:20 81920]
"FjDspMon"="C:\Program Files\Fujitsu\Utils\FjDspMon.exe" [2004-10-14 15:56 20480]
"FjEvents"="C:\Program Files\Fujitsu\Utils\fjevents.exe" [2004-12-16 16:08 20480]
"Fujitsu Menu"="C:\Program Files\Fujitsu\Utils\FjMnuIco.exe" [2004-12-16 16:10 32768]
"LoadFujitsuQuickTouch"="C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe" [2004-08-10 17:48 242688]
"LoadBtnHnd"="C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe" [2004-08-10 17:47 61440]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-07-16 14:19 159744]
"Snippet"="C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" [2005-02-25 13:20 68296]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 05:22 3739648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-21 08:38 155648]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-16 16:26 579584]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"strpmon"="C:\Program Files\Common Files\SystemErrorFixer\strpmon.exe" [ ]
"6869f56c"="C:\WINDOWS\system32\hyaihqxf.dll" [2008-05-28 15:42 81920]
"BM6b5ac6f0"="C:\WINDOWS\system32\vxffjdtt.dll" [2008-05-28 15:42 91136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00 15360]
"TabletWizard"="%windir%\help\wizard.hta" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-11 08:46 219136]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll 2004-08-04 20:00 47104 C:\Program Files\Common Files\Microsoft Shared\Ink\LoginKey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
TabBtnWL.dll 2002-08-29 03:41 11776 C:\WINDOWS\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
tpgwlnot.dll 2004-08-04 20:00 30208 C:\WINDOWS\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\tuvUOHwV

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-10-18 11:58 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-12-21 08:38 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TabletTip]
--a------ 2005-04-26 11:10 271872 C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TabletWizard]
--a------ 2004-08-04 20:00 16384 C:\WINDOWS\help\SplshWrp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-12-21 08:34 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2005-03-16 06:47]
R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2005-03-16 06:47]
R3 DX02;DX02;C:\WINDOWS\system32\drivers\dx02.sys [2004-07-29 13:27]
R3 Fjbtndrv;Fujitsu LIFEBOOK T3000 Button Driver;C:\WINDOWS\system32\DRIVERS\Fjbtndrv.sys [2003-06-20 14:30]
R3 hidpen;Wacom Serial Pen HID MiniDriver;C:\WINDOWS\system32\DRIVERS\hidpen.sys [2004-08-03 01:35]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2005-04-21 21:58]
S3 WacomPen;Wacom Serial Pen HID Driver;C:\WINDOWS\system32\DRIVERS\wacompen.sys [2004-08-04 07:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cfc93ccc-f7f6-11dc-9ed2-0013ceb63817}]
\Shell\AutoRun\command - F:\pa39xth.cmd
\Shell\explore\Command - F:\pa39xth.cmd
\Shell\open\Command - F:\pa39xth.cmd

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 19:06:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\BM6b5ac6f0.xml
C:\WINDOWS\system32\VwHOUvut.ini 272178 bytes
C:\WINDOWS\system32\VwHOUvut.ini2 344 bytes
C:\WINDOWS\system32\blbqecwn.dll 90624 bytes executable

scan completed successfully
hidden files: 4

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\ocsyrrcg.dll
-> C:\WINDOWS\system32\blbqecwn.dll
-> C:\WINDOWS\system32\tuvUOHwV.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\wisptis.exe
C:\WINDOWS\system32\tabbtnu.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\conime.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\digtizer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\tcserver.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\Apoint2K\Hidfind.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-28 19:12:51 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-05-28 11:12:36

Pre-Run: 14,810,615,808 bytes free
Post-Run: 14,819,586,048 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

228 --- E O F --- 2008-05-17 10:30:34


the online scanner log - i deleted the mentioned (nonlocked) infected files

KASPERSKY ONLINE SCANNER REPORTKASPERSKY ONLINE SCANNER REPORT
Wednesday, May 28, 2008 4:01:06 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build
2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/05/2008
Kaspersky Anti-Virus database records: 807975


Scan Settings
Scan using the following antivirus databaseextended
Scan Archivestrue
Scan Mail Basestrue

Scan TargetMy Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects48082
Number of viruses found4
Number of infected objects6
Number of suspicious objects0
Duration of the scan process01:14:10

Infected Object NameVirus NameLast Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is
locked skipped

C:\System Volume
Information\_restore{02CC0520-B46E-4DFF-8D41-A9A2E60F9DC9}\RP82\A0022018.cpl
Infected: not-a-virus:FraudTool.Win32.XPAntivirus.ho skipped

C:\System Volume
Information\_restore{02CC0520-B46E-4DFF-8D41-A9A2E60F9DC9}\RP82\A0022040.dll
Infected: Trojan.Win32.Pakes.cyw skipped

C:\System Volume
Information\_restore{02CC0520-B46E-4DFF-8D41-A9A2E60F9DC9}\RP85\A0024330.exe/file3
Infected: not-a-virus:FraudTool.Win32.ErrClean.a skipped

C:\System Volume
Information\_restore{02CC0520-B46E-4DFF-8D41-A9A2E60F9DC9}\RP85\A0024330.exe
Inno: infected - 1 skipped

C:\System Volume
Information\_restore{02CC0520-B46E-4DFF-8D41-A9A2E60F9DC9}\RP85\A0024333.dll
Infected: not-a-virus:FraudTool.Win32.ErrClean.a skipped

C:\System Volume
Information\_restore{02CC0520-B46E-4DFF-8D41-A9A2E60F9DC9}\RP85\A0024339.exe
Infected: not-a-virus:FraudTool.Win32.ErrClean.f skipped

C:\System Volume
Information\_restore{02CC0520-B46E-4DFF-8D41-A9A2E60F9DC9}\RP85\A0025141.exe
Object is locked skipped

C:\System Volume
Information\_restore{02CC0520-B46E-4DFF-8D41-A9A2E60F9DC9}\RP85\change.log
Object is locked skipped

C:\WINDOWS\CSC\00000001 Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\jgrrkgft.exe Object is locked skipped

C:\WINDOWS\system32\kijyktqk.exe Object is locked skipped

C:\WINDOWS\system32\oaqelxar.exe Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked
skipped

C:\WINDOWS\system32\winemx32.dll Object is locked skipped

C:\WINDOWS\system32\winopn32.dll Object is locked skipped

C:\WINDOWS\system32\winpsa32.dll Object is locked skipped

C:\WINDOWS\system32\winzlo32.dll Object is locked skipped

D:\Documents and Settings\Administrator\Application
Data\Microsoft\Templates\Normal.dot Object is locked skipped

D:\Documents and Settings\Administrator\Application
Data\Microsoft\Word\AutoRecovery save of pbl1_2008 mars.asd Object is
locked skipped

D:\Documents and Settings\Administrator\Cookies\index.dat Object is locked
skipped

D:\Documents and Settings\Administrator\Desktop\pbl1_2008 mars.doc Object
is locked skipped

D:\Documents and Settings\Administrator\Desktop\~WRL0002.tmp Object is
locked skipped

D:\Documents and Settings\Administrator\Desktop\~WRL1387.tmp Object is
locked skipped

D:\Documents and Settings\Administrator\Local Settings\Application
Data\ApplicationHistory\TCServer.exe.7c11743d.ini.inuse Object is locked
skipped

D:\Documents and Settings\Administrator\Local Settings\Application
Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Application
Data\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr00005.log
Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Application
Data\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat
Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Application
Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_9C18_D897_18D8_71AE\dfsr.db
Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Application
Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_9C18_D897_18D8_71AE\fsr.log
Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Application
Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_9C18_D897_18D8_71AE\fsrtmp.log
Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Application
Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_9C18_D897_18D8_71AE\tmp.edb
Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Application
Data\Microsoft\Windows Live
Contacts\[email protected]\real\members.stg Object is locked
skipped

D:\Documents and Settings\Administrator\Local
Settings\History\History.IE5\index.dat Object is locked skipped

D:\Documents and Settings\Administrator\Local
Settings\History\History.IE5\MSHist012008052820080529\index.dat Object is
locked skipped

D:\Documents and Settings\Administrator\Local
Settings\Temp\Perflib_Perfdata_aa4.dat Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Temp\~DF1C0C.tmp
Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Temp\~DF3EF4.tmp
Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Temp\~DF625E.tmp
Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Temp\~DFA896.tmp
Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Temp\~DFA8A3.tmp
Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Temp\~DFA8D8.tmp
Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Temp\~DFA90F.tmp
Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Temp\~DFB399.tmp
Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Temp\~DFFCE6.tmp
Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Temp\~DFFCFE.tmp
Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Temp\~WRD0003.doc
Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Temp\~WRF0000.tmp
Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Temp\~WRS0005.tmp
Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Temporary Internet
Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is
locked skipped

D:\Documents and Settings\Administrator\Local Settings\Temporary Internet
Files\Content.IE5\index.dat Object is locked skipped

D:\Documents and Settings\Administrator\NTUSER.DAT Object is locked
skipped

D:\Documents and Settings\Administrator\NTUSER.DAT.LOG Object is locked
skipped

D:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log
Object is locked skipped

D:\Documents and Settings\All Users\Application
Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

D:\Documents and Settings\All Users\Application
Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

D:\Documents and Settings\All Users\Application
Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

D:\Documents and Settings\All Users\Application
Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

D:\Documents and Settings\LocalService\Cookies\index.dat Object is locked
skipped

D:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

D:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

D:\Documents and Settings\LocalService\Local
Settings\History\History.IE5\index.dat Object is locked skipped

D:\Documents and Settings\LocalService\Local Settings\Temporary Internet
Files\Content.IE5\index.dat Object is locked skipped

D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped


D:\Documents and Settings\LocalService\NTUSER.DAT.LOG Object is locked
skipped

D:\Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

D:\Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked
skipped

D:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Object is locked
skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is
locked skipped

D:\System Volume
Information\_restore{02CC0520-B46E-4DFF-8D41-A9A2E60F9DC9}\RP59\A0012627.exe
Object is locked skipped

D:\System Volume
Information\_restore{02CC0520-B46E-4DFF-8D41-A9A2E60F9DC9}\RP85\change.log
Object is locked skipped

Scan process completed.
  • 0

#4
Rorschach112
Posted 28 May 2008 - 09:38 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\fxqhiayh.ini
C:\WINDOWS\system32\vxffjdtt.dll
C:\WINDOWS\system32\hyaihqxf.dll
C:\WINDOWS\system32\lpuqccwy.ini
C:\WINDOWS\system32\cnjoxhtj.dll
C:\WINDOWS\system32\axidumex.ini
C:\WINDOWS\system32\klndftgp.dll
C:\WINDOWS\system32\xemudixa.dll
C:\WINDOWS\system32\nsnmvnmo.ini
C:\WINDOWS\system32\hhhjehdr.dll
C:\WINDOWS\system32\insgcfrx.ini
C:\WINDOWS\system32\tuvUOHwV.dll
C:\WINDOWS\system32\qoMfdBrS.dll.vir
C:\WINDOWS\system32\winver.bat
C:\WINDOWS\system32\jgrrkgft.exe
C:\WINDOWS\system32\kijyktqk.exe
C:\WINDOWS\system32\oaqelxar.exe
C:\WINDOWS\system32\winemx32.dll
C:\WINDOWS\system32\winopn32.dll
C:\WINDOWS\system32\winpsa32.dll
C:\WINDOWS\system32\winzlo32.dll
F:\pa39xth.cmd

Folder::
D:\Documents and Settings\All Users\Application Data\systemerrorfixer
D:\Documents and Settings\All Users\Application Data\SalesMon
C:\Program Files\Common Files\SystemErrorFixer

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cfc93ccc-f7f6-11dc-9ed2-0013ceb63817}]

Rootkit::
C:\WINDOWS\BM6b5ac6f0.xml
C:\WINDOWS\system32\VwHOUvut.ini
C:\WINDOWS\system32\VwHOUvut.ini2
C:\WINDOWS\system32\blbqecwn.dll


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Also post a new HijackThis log
  • 0

#5
Rorschach112
Posted 02 June 2008 - 05:57 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP