
Infected with Adware Virtumundo & Trojan Agent Winlogonhook..

1.3K views 3 replies 2 participants last post by  screen317  
#1 ·
Hi there. I'm having difficulty with removing Adware Virtumundo and Trojan Agent Winlogonhook. I currently have Spy Sweeper for anti-spyware and Trend Micro PC-cillin Internet Security for antivirus. I try to delete Adware Virtumundo with Spy Sweeper, but after I scan again, it's still there. Same thing with the Trojan. Spy Sweeper keeps blocking things like HERE4SEARCH.BIZ or something like that... So I decided to come here and see if you could help. :) I did the 5 steps before posting a log, and it said to post a Panda ActiveScan and the DSS log. Here they are:

Panda Activescan log:

Incident Status Location

Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Mozilla Firefox\plugins\NPMorpBr.dll
Dialer:Dialer.KZW Not disinfected C:\WINDOWS\system32\winpcl32.dll
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Grace\Application Data\Mozilla\Firefox\Profiles\msqdzoos.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Grace\Application Data\Mozilla\Firefox\Profiles\msqdzoos.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Grace\Application Data\Mozilla\Firefox\Profiles\msqdzoos.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Grace\Application Data\Mozilla\Firefox\Profiles\msqdzoos.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Grace\Application Data\Mozilla\Firefox\Profiles\msqdzoos.default\cookies.txt[.overture.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Grace\Application Data\Mozilla\Firefox\Profiles\msqdzoos.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Grace\Application Data\Mozilla\Firefox\Profiles\msqdzoos.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Grace\Application Data\Mozilla\Firefox\Profiles\msqdzoos.default\cookies.txt[.com.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Grace\Application Data\Mozilla\Firefox\Profiles\msqdzoos.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Grace\Application Data\Mozilla\Firefox\Profiles\msqdzoos.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Grace\Application Data\Mozilla\Firefox\Profiles\msqdzoos.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Grace\Cookies\grace@doubleclick[2].txt
Spyware:Cookie/Mysearch Not disinfected C:\Documents and Settings\Grace\Cookies\grace@mysearch[2].txt
Dialer:Dialer.KZW Not disinfected C:\Documents and Settings\Grace\Local Settings\Temp\gos171.tmp
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Grace\Local Settings\Temp\Warcraft 3 Frozen Throne 1.x.rar[keygen.exe]
Dialer:Dialer.KZW Not disinfected C:\Documents and Settings\Grace\Local Settings\Temp\Warcraft 3 Frozen Throne 1.x.rar[crack.exe]
Potentially unwanted tool:Application/MyWay Not disinfected C:\Program Files\AWS\WeatherBug\s4Setp.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MorpheusBar\bar\1.bin\M0PLUGIN.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MorpheusBar\bar\1.bin\M0POPSWT.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MorpheusBar\bar\1.bin\NPMORPBR.DLL

Deckard System Scanner:
Deckard's System Scanner v20071014.68
Run by Grace on 2008-02-16 16:55:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
18: 2008-02-17 00:56:09 UTC - RP153 - Deckard's System Scanner Restore Point
17: 2008-02-16 07:25:30 UTC - RP152 - Software Distribution Service 3.0
16: 2008-02-15 15:52:09 UTC - RP151 - Software Distribution Service 3.0
15: 2008-02-15 13:53:56 UTC - RP150 - Software Distribution Service 3.0
14: 2008-02-15 11:07:47 UTC - RP149 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-02-10 19:50:40 UTC - RP136 - Removed Project64 1.6


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Grace.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:59:19 PM, on 2/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\WINDOWS\V0400Mon.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Grace\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Grace.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MorpheusToolbar BHO - {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O2 - BHO: (no name) - {F5D55A23-DBA5-4055-A53D-550462125BDE} - C:\WINDOWS\system32\byxyxyy.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [V0400Mon.exe] C:\WINDOWS\V0400Mon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKCU\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKUS\S-1-5-21-299502267-1801674531-1586401337-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Alexander')
O4 - HKUS\S-1-5-21-299502267-1801674531-1586401337-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Alexander')
O4 - HKUS\S-1-5-21-299502267-1801674531-1586401337-1005\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe" /startup (User 'Alexander')
O4 - HKUS\S-1-5-21-299502267-1801674531-1586401337-1005\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'Alexander')
O4 - HKUS\S-1-5-21-299502267-1801674531-1586401337-1005\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 (User 'Alexander')
O4 - S-1-5-21-299502267-1801674531-1586401337-1005 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Alexander')
O4 - S-1-5-21-299502267-1801674531-1586401337-1005 Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe (User 'Alexander')
O4 - S-1-5-21-299502267-1801674531-1586401337-1005 Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'Alexander')
O4 - S-1-5-21-299502267-1801674531-1586401337-1005 User Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Alexander')
O4 - S-1-5-21-299502267-1801674531-1586401337-1005 User Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe (User 'Alexander')
O4 - S-1-5-21-299502267-1801674531-1586401337-1005 User Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'Alexander')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190660627264
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190660616108
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: byxyxyy - byxyxyy.dll (file missing)
O20 - Winlogon Notify: winpcl32 - C:\WINDOWS\SYSTEM32\winpcl32.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 10474 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 vcdrom (Virtual CD-ROM Device Driver) - c:\windows\system32\drivers\vcdrom.sys <Not Verified; Microsoft Corporation; VirtualCdRom>

S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 XDva039 - c:\windows\system32\xdva039.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\4&268D196D&0
Manufacturer: Microsoft
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\4&268D196D&0
Service: i8042prt

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Device ID: ACPI\PNP0303\4&268D196D&0
Manufacturer: (Standard keyboards)
Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&268D196D&0
Service: i8042prt


-- Scheduled Tasks -------------------------------------------------------------

2008-02-16 13:00:25 1644 --a------ C:\WINDOWS\Tasks\wrSpySweeper_L18694C15470E48D2AB70ACF5915DC5D1.job
2008-02-16 09:12:23 1636 --a------ C:\WINDOWS\Tasks\wrSpySweeper_L74B6844779B1462F9EB8B0418CFA4031.job
2008-02-15 06:03:36 1646 --a------ C:\WINDOWS\Tasks\wrSpySweeper_L26F2FCCC3C9C4F33A59AE65FFC86E8E2.job
2008-01-31 17:00:45 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-01-16 and 2008-02-16 -----------------------------

2008-02-16 13:28:58 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-16 13:28:36 0 d-------- C:\WINDOWS\LastGood
2008-02-15 18:34:01 0 d-------- C:\Documents and Settings\Grace\.housecall6.6
2008-02-15 16:17:25 444 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-02-15 15:55:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-02-15 15:55:02 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-02-15 15:55:02 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-02-15 15:55:02 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-02-15 15:55:02 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-02-15 15:55:02 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-02-15 15:55:02 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-02-15 15:55:02 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-02-15 15:55:02 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-02-15 15:55:02 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-02-15 15:55:02 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-02-15 15:55:02 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-02-15 15:55:02 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-02-15 15:55:02 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-02-15 15:55:01 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-02-15 15:54:56 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-02-14 16:21:20 0 d-------- C:\Documents and Settings\Alexander\Application Data\Sun
2008-02-14 14:56:49 0 d-------- C:\Program Files\MorpheusBar
2008-02-12 20:28:54 53248 --a------ C:\WINDOWS\system32\ImageOle.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-02-12 20:28:53 0 d-------- C:\Program Files\Ocean Technologies & Media
2008-02-12 20:28:28 0 d-------- C:\Documents and Settings\Grace\Application Data\InstallShield
2008-02-11 21:54:48 222880 --a------ C:\WINDOWS\War3Unin.dat
2008-02-11 21:54:46 2829 --a------ C:\WINDOWS\War3Unin.pif
2008-02-11 21:54:46 139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2008-02-11 21:50:31 0 d-------- C:\Program Files\Warcraft III
2008-02-10 11:11:22 0 d-------- C:\Program Files\MSXML 4.0
2008-02-10 00:56:55 0 d-------- C:\Program Files\PC Drivers HeadQuarters
2008-02-10 00:56:55 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-02-10 00:53:54 0 d-------- C:\WINDOWS\Drivers
2008-02-09 23:51:10 0 d-------- C:\Program Files\AsiaSoft Online
2008-02-08 16:26:38 0 d-------- C:\WINDOWS\Sun
2008-02-08 16:26:38 0 d-------- C:\Documents and Settings\Grace\Application Data\Sun
2008-02-08 15:01:13 0 d-------- C:\Documents and Settings\Alexander\Application Data\LimeWire
2008-02-08 14:56:41 0 d-------- C:\Program Files\Java
2008-02-08 14:55:02 0 d-------- C:\Program Files\Common Files\Java
2008-02-08 13:25:45 0 d-------- C:\Documents and Settings\Alexander\Application Data\Morpheus
2008-02-08 13:16:23 0 d-------- C:\Program Files\Morpheus
2008-02-05 20:49:52 24064 --a------ C:\WINDOWS\system32\winpcl32.dll
2008-02-05 19:57:10 0 d-------- C:\Program Files\MagicISO
2008-02-02 19:11:12 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-01-31 17:00:03 0 d-------- C:\Program Files\Apple Software Update
2008-01-31 17:00:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-30 21:35:12 0 d-------- C:\Program Files\Project64 1.6
2008-01-30 18:50:03 0 d-------- C:\Program Files\free-downloads.net
2008-01-30 18:49:19 0 d-------- C:\Program Files\Alcohol Soft
2008-01-30 18:31:58 715248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-01-29 16:07:36 0 d-------- C:\Program Files\KLC
2008-01-28 21:47:10 0 d-------- C:\Documents and Settings\Grace\Application Data\WeatherBug
2008-01-27 20:23:20 0 d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-01-26 18:22:48 0 d-------- C:\Documents and Settings\Alexander\Application Data\Yahoo!
2008-01-26 18:18:39 0 d-------- C:\Program Files\PasswordRecovery
2008-01-21 00:30:03 65536 --a------ C:\WINDOWS\IFinst27.exe
2008-01-18 14:31:48 0 d-------- C:\Documents and Settings\Grace\Application Data\WinRAR


-- Find3M Report ---------------------------------------------------------------

2008-02-16 16:59:00 0 d-------- C:\Program Files\Trend Micro
2008-02-16 14:50:19 0 d-------- C:\Program Files\Messenger
2008-02-16 14:50:17 0 d-------- C:\Program Files\Lexmark 2300 Series
2008-02-16 14:45:13 0 d-------- C:\Program Files\Google
2008-02-12 23:37:13 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-08 14:55:02 0 d-------- C:\Program Files\Common Files
2008-01-26 18:15:29 164 --a------ C:\install.dat
2008-01-21 16:51:19 0 d-------- C:\Program Files\Gravity
2008-01-20 21:40:21 0 d-------- C:\Documents and Settings\Grace\Application Data\Macromedia
2008-01-19 22:17:13 0 d-------- C:\Documents and Settings\Grace\Application Data\Google
2008-01-12 11:22:59 0 d-------- C:\Documents and Settings\Grace\Application Data\Creative
2008-01-12 11:06:11 0 d-------- C:\Program Files\Creative
2008-01-12 10:53:31 0 d-------- C:\Program Files\SightSpeed
2008-01-10 12:02:52 0 d-------- C:\Documents and Settings\Grace\Application Data\Yahoo!
2008-01-10 11:21:14 0 d-------- C:\Documents and Settings\Grace\Application Data\Adobe
2008-01-10 11:17:48 0 d-------- C:\Program Files\Yahoo!
2008-01-07 11:59:15 0 d-------- C:\Program Files\AskSBar


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ecdee021-0d17-467f-a1ff-c7a115230949}]
12/10/2007 01:46 PM 1510424 --a------ C:\Program Files\free-downloads.net\tbfree.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
01/07/2008 11:59 AM 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5D55A23-DBA5-4055-A53D-550462125BDE}]
C:\WINDOWS\system32\byxyxyy.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{ECDEE021-0D17-467F-A1FF-C7A115230949}"= C:\Program Files\free-downloads.net\tbfree.dll [12/10/2007 01:46 PM 1510424]

[-HKEY_CLASSES_ROOT\CLSID\{ECDEE021-0D17-467F-A1FF-C7A115230949}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [12/17/2002 11:28 AM]
"pdfFactory Pro Dispatcher v1"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe" [07/22/2003 09:03 PM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [12/28/2006 10:52 PM]
"lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [07/21/2005 01:07 AM]
"EzPrint"="C:\Program Files\Lexmark 2300 Series\ezprint.exe" [08/01/2005 07:05 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 02:06 AM]
"V0400Mon.exe"="C:\WINDOWS\V0400Mon.exe" [06/03/2007 09:01 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [12/14/2007 03:42 AM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 08:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 11:56 PM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM]
"Creative Live! Cam Manager"="C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [06/07/2007 02:01 PM]
"CTRegRun"="C:\WINDOWS\CTRegRun.EXE" [10/05/2006 10:17 PM]
"CreativeTaskScheduler"="C:\Program Files\Creative\Shared Files\CTSched.exe" [11/17/2006 01:42 AM]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [08/29/2007 10:55 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [12/3/2007 11:10:00 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F5D55A23-DBA5-4055-A53D-550462125BDE}"= C:\WINDOWS\system32\byxyxyy.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyxyy]
byxyxyy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpcl32]
winpcl32.dll 02/05/2008 08:49 PM 24064 C:\WINDOWS\system32\winpcl32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - RKPAVPROC



-- End of Deckard's System Scanner: finished at 2008-02-16 17:03:12 ------------

Thanks in advance :smooch:
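The two O20 entries in the HijackThis log above (byxyxyy.dll with "(file missing)" and winpcl32.dll, both registered under Winlogon\Notify) are the persistence points that keep Virtumonde coming back after a Spy Sweeper scan: a Winlogon Notify DLL is loaded by winlogon.exe at logon, before a user-mode scanner gets a chance to quarantine it. The script below is an added example written for this page, not part of the thread and not a tool the helpers used. It runs a triage pass over HijackThis-style O2 (BHO) and O20 lines and flags entries that point at a missing file, BHOs registered with no display name, Notify packages that are not part of a stock Windows XP SP2 install, and short vowel-poor names of the kind Vundo generates. The sample log lines are copied from post #1; the stock-package set and the name heuristic are assumptions for illustration, so a hit means "look at this", not "this is malware".

```python
"""Triage HijackThis O2/O20 lines for Winlogon Notify / BHO persistence (added example)."""
import re
from dataclasses import dataclass, field
from typing import List

# Sample input, lifted from the HijackThis log in post #1 (constructed for this example).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {F5D55A23-DBA5-4055-A53D-550462125BDE} - C:\WINDOWS\system32\byxyxyy.dll (file missing)
O20 - Winlogon Notify: byxyxyy - byxyxyy.dll (file missing)
O20 - Winlogon Notify: winpcl32 - C:\WINDOWS\SYSTEM32\winpcl32.dll
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
"""

# Winlogon\Notify subkeys present on a stock Windows XP SP2 install (assumed baseline).
# AV suites and smart-card tools legitimately add their own, so an entry outside this
# set is "needs a look", not "malicious".
XP_DEFAULT_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)


def looks_generated(name: str) -> bool:
    """Heuristic: Vundo-style names are short runs of lowercase letters with few vowels."""
    stem = name.lower()
    if stem.endswith(".dll"):
        stem = stem[:-4]
    return (stem.isalpha() and stem.islower() and 5 <= len(stem) <= 9
            and sum(c in "aeiou" for c in stem) <= 1)


def triage(log_text: str) -> List[Finding]:
    """Return the O2/O20 entries worth a closer look, with the reason for each flag."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            f = Finding("O2 BHO", m["name"], m["path"])
            if m["name"] == "(no name)":
                f.reasons.append("BHO registered without a display name")
        else:
            m = O20_RE.match(line)
            if not m:
                continue  # other HijackThis sections are out of scope here
            if m["name"].lower() in XP_DEFAULT_NOTIFY:
                continue  # stock Notify package; not interesting for this pass
            f = Finding("O20 Winlogon Notify", m["name"], m["path"])
            f.reasons.append("not a stock XP SP2 Winlogon Notify package")
        if "(file missing)" in f.path:
            f.reasons.append("registry still points at a file that no longer exists")
        if looks_generated(f.name):
            f.reasons.append("short, vowel-poor name of the kind Vundo generates")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit.section}] {hit.name} -> {hit.path}")
        for why in hit.reasons:
            print(f"    - {why}")
```

Run against the sample, the Adobe BHO passes, while the two byxyxyy entries and winpcl32 are flagged. A dangling "(file missing)" Notify entry is still worth removing: Vundo variants re-drop a DLL under a fresh random name and re-point the key, so the orphaned key is evidence of what was there and a slot the next variant reuses.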
#2 ·
Hi Chiyame, and welcome to TSF.

My apologies for the delay; we're all volunteers, and we've been swamped.


Before we begin, configure Windows XP to show hidden files:
Navigate to Start --> My Computer.
Select the Tools menu and click Folder Options. Select the View tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.


Then, please go to VirusTotal, and upload the following file for analysis:
C:\WINDOWS\SYSTEM32\winpcl32.dll


Post the results in your reply.



Next, we'll be using ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


-screen317
#3 ·
Hi. Thanks for the reply. :) Here are the results:

Virus Total:
File has already been analysed:
MD5: 49f37913c5ebd7a324e0bf0dfb96f33a
Date: 02.18.2008 01:49:34 (CET) [<1D]
Results: 24/32
Permalink: analisis/a36c8fe7a54c24a3d4b59576c735bfa7

ComboFix:

ComboFix 08-02-18.1 - Grace 2008-02-18 14:16:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.77 [GMT -8:00]
Running from: C:\Documents and Settings\Grace\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\VCdControlTool.exe
C:\WINDOWS\system32\jkkigfd.dll
C:\WINDOWS\system32\utstv.ini2
C:\WINDOWS\system32\vtstu.dll
C:\WINDOWS\system32\winpcl32.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
.

2008-02-16 16:42 . 2008-02-16 16:42 <DIR> d-------- C:\Deckard
2008-02-16 13:29 . 2008-02-16 13:58 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-16 13:29 . 2008-02-16 13:58 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-16 13:29 . 2008-02-16 13:58 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-16 13:28 . 2008-02-16 16:09 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-16 09:22 . 2007-01-24 17:45 102,800 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-15 18:34 . 2008-02-15 23:09 <DIR> d-------- C:\Documents and Settings\Grace\.housecall6.6
2008-02-15 16:17 . 2008-02-15 16:17 444 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-02-15 15:55 . 2008-02-15 15:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-02-15 15:54 . 2008-02-15 15:54 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-02-12 21:46 . 2004-06-14 14:56 427,864 --a------ C:\WINDOWS\system32\XceedZip.dll
2008-02-12 20:28 . 2008-02-12 20:28 <DIR> d-------- C:\Program Files\Ocean Technologies & Media
2008-02-12 20:28 . 2008-02-12 20:28 <DIR> d-------- C:\Documents and Settings\Grace\Application Data\InstallShield
2008-02-12 20:28 . 2008-02-12 20:28 <DIR> d-------- C:\DOCUME~1\Grace\APPLIC~1\InstallShield
2008-02-12 20:28 . 2006-03-14 02:26 53,248 --a------ C:\WINDOWS\system32\ImageOle.dll
2008-02-11 21:54 . 2008-02-12 20:01 222,880 --a------ C:\WINDOWS\War3Unin.dat
2008-02-11 21:54 . 2008-02-12 16:59 139,264 --a------ C:\WINDOWS\War3Unin.exe
2008-02-11 21:54 . 2008-02-12 16:59 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-02-11 21:50 . 2008-02-17 23:00 <DIR> d-------- C:\Program Files\Warcraft III
2008-02-10 11:11 . 2008-02-10 11:11 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-10 00:56 . 2008-02-10 00:56 <DIR> d-------- C:\Program Files\PC Drivers HeadQuarters
2008-02-10 00:56 . 2008-02-10 00:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Drivers HeadQuarters
2008-02-10 00:53 . 2008-02-10 00:53 <DIR> d-------- C:\WINDOWS\Drivers
2008-02-09 23:51 . 2008-02-09 23:51 <DIR> d-------- C:\Program Files\AsiaSoft Online
2008-02-08 16:26 . 2008-02-08 16:26 <DIR> d-------- C:\WINDOWS\Sun
2008-02-08 15:01 . 2008-02-08 15:35 <DIR> d-------- C:\Documents and Settings\Alexander\Application Data\LimeWire
2008-02-08 14:59 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-08 14:56 . 2008-02-08 14:59 <DIR> d-------- C:\Program Files\Java
2008-02-08 14:55 . 2008-02-08 14:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-08 13:25 . 2008-02-16 14:13 <DIR> d-------- C:\Documents and Settings\Alexander\Application Data\Morpheus
2008-02-05 19:57 . 2008-02-05 21:20 <DIR> d-------- C:\Program Files\MagicISO
2008-02-02 21:32 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-02-02 21:32 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-02-02 21:32 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-02-02 21:32 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-02-02 19:11 . 2008-02-12 17:45 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-01-31 17:00 . 2008-01-31 17:00 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-31 17:00 . 2008-01-31 17:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2008-01-30 21:35 . 2008-02-10 11:50 <DIR> d-------- C:\Program Files\Project64 1.6
2008-01-30 18:50 . 2008-02-16 14:44 <DIR> d-------- C:\Program Files\free-downloads.net
2008-01-30 18:49 . 2008-01-30 18:49 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-01-30 18:31 . 2008-01-30 18:31 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-01-29 16:07 . 2008-01-29 16:07 <DIR> d-------- C:\Program Files\KLC
2008-01-29 16:07 . 1999-12-07 07:00 61,491 --a------ C:\WINDOWS\system32\wbemdisp.TLB
2008-01-29 15:39 . 2004-07-14 16:26 152,848 --a------ C:\WINDOWS\system32\COMDLG32.OCX
2008-01-28 21:47 . 2008-01-28 21:47 <DIR> d-------- C:\Documents and Settings\Grace\Application Data\WeatherBug
2008-01-28 21:47 . 2008-01-28 21:47 <DIR> d-------- C:\DOCUME~1\Grace\APPLIC~1\WeatherBug
2008-01-27 20:23 . 2008-02-04 01:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2008-01-26 18:22 . 2008-01-26 18:27 <DIR> d-------- C:\Documents and Settings\Alexander\Application Data\Yahoo!
2008-01-26 18:18 . 2008-01-26 18:18 <DIR> d-------- C:\Program Files\PasswordRecovery
2008-01-21 00:30 . 2008-01-21 00:52 65,536 --a------ C:\WINDOWS\IFinst27.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 00:59 --------- d-----w C:\Program Files\Trend Micro
2008-02-16 22:50 --------- d-----w C:\Program Files\Lexmark 2300 Series
2008-02-16 22:45 --------- d-----w C:\Program Files\Google
2008-02-13 07:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-27 02:15 164 ----a-w C:\install.dat
2008-01-22 00:51 --------- d-----w C:\Program Files\Gravity
2008-01-12 19:25 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Creative
2008-01-12 19:22 --------- d-----w C:\Documents and Settings\Grace\Application Data\Creative
2008-01-12 19:22 --------- d-----w C:\DOCUME~1\Grace\APPLIC~1\Creative
2008-01-12 19:06 --------- d-----w C:\Program Files\Creative
2008-01-12 18:55 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\muvee Technologies
2008-01-12 18:53 --------- d-----w C:\Program Files\SightSpeed
2008-01-10 20:02 --------- d-----w C:\Documents and Settings\Grace\Application Data\Yahoo!
2008-01-10 20:02 --------- d-----w C:\DOCUME~1\Grace\APPLIC~1\Yahoo!
2008-01-10 19:29 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2008-01-10 19:21 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2008-01-10 19:17 --------- d-----w C:\Program Files\Yahoo!
2008-01-07 19:59 --------- d-----w C:\Program Files\AskSBar
2008-01-07 19:58 --------- d-----w C:\Documents and Settings\Alexander\Application Data\WeatherBug
2008-01-05 04:56 1,526,640 ----a-w C:\WINDOWS\WRSetup.dll
2008-01-05 04:34 23,920 ----a-w C:\WINDOWS\system32\drivers\sskbfd.sys
2008-01-05 04:34 21,872 ----a-w C:\WINDOWS\system32\drivers\sshrmd.sys
2008-01-05 04:34 20,336 ----a-w C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-01-05 04:34 163,696 ----a-w C:\WINDOWS\system32\drivers\ssidrv.sys
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-11-26 22:47 194,888 ----a-w C:\WINDOWS\Unwash6.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ecdee021-0d17-467f-a1ff-c7a115230949}]
2007-12-10 13:46 1510424 --a------ C:\Program Files\free-downloads.net\tbfree.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-07 11:59 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5D55A23-DBA5-4055-A53D-550462125BDE}]
C:\WINDOWS\system32\byxyxyy.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{ECDEE021-0D17-467F-A1FF-C7A115230949}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{ECDEE021-0D17-467F-A1FF-C7A115230949}"= C:\Program Files\free-downloads.net\tbfree.dll [2007-12-10 13:46 1510424]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [2008-01-07 11:59 267592]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"Creative Live! Cam Manager"="C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2007-06-07 14:01 155648]
"CTRegRun"="C:\WINDOWS\CTRegRun.EXE" [2006-10-05 22:17 53248]
"CreativeTaskScheduler"="C:\Program Files\Creative\Shared Files\CTSched.exe" [2006-11-17 01:42 53341]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2007-08-29 10:55 1347584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 11:28 684032]
"pdfFactory Pro Dispatcher v1"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe" [2003-07-22 21:03 380928]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-12-28 22:52 3429904]
"lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 01:07 200704]
"EzPrint"="C:\Program Files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 07:05 94208]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"V0400Mon.exe"="C:\WINDOWS\V0400Mon.exe" [2007-06-03 09:01 32768]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-12-03 11:10:00 394856]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{F5D55A23-DBA5-4055-A53D-550462125BDE}"= C:\WINDOWS\system32\byxyxyy.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyxyy]
byxyxyy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpcl32]
winpcl32.dll

R1 vcdrom;Virtual CD-ROM Device Driver;C:\WINDOWS\system32\drivers\VCdRom.sys [2001-12-19 11:45]
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 14:36]
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 14:47]
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 05:28]
S3 VF0400Afx;VF0400 Audio FX;C:\WINDOWS\system32\Drivers\V0400Afx.sys [2007-06-10 09:01]
S3 VF0400Vfx;VF0400 Video FX;C:\WINDOWS\system32\DRIVERS\V0400VFx.sys [2007-03-05 02:45]
S3 VF0400Vid;Live! Cam Notebook Pro (VF0400);C:\WINDOWS\system32\DRIVERS\V0400Vid.sys [2007-06-06 09:01]
S3 XDva039;XDva039;C:\WINDOWS\system32\XDva039.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 14:25:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\winpcl32.dll
.
Completion time: 2008-02-18 14:27:51
ComboFix-quarantined-files.txt 2008-02-18 22:27:42
.
2008-02-18 19:18:09 --- E O F ---

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:41:50 PM, on 2/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\WINDOWS\V0400Mon.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\Internet Security 2007\PccUpdUI.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O2 - BHO: (no name) - {F5D55A23-DBA5-4055-A53D-550462125BDE} - C:\WINDOWS\system32\byxyxyy.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [V0400Mon.exe] C:\WINDOWS\V0400Mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKCU\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKCU\..\Run: [Weather] "C:\Program Files\AWS\WeatherBug\Weather.exe" 1
O4 - HKUS\S-1-5-21-299502267-1801674531-1586401337-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Alexander')
O4 - HKUS\S-1-5-21-299502267-1801674531-1586401337-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Alexander')
O4 - HKUS\S-1-5-21-299502267-1801674531-1586401337-1005\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe" /startup (User 'Alexander')
O4 - HKUS\S-1-5-21-299502267-1801674531-1586401337-1005\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'Alexander')
O4 - HKUS\S-1-5-21-299502267-1801674531-1586401337-1005\..\Run: [Weather] "C:\Program Files\AWS\WeatherBug\Weather.exe" 1 (User 'Alexander')
O4 - HKUS\S-1-5-21-299502267-1801674531-1586401337-1005\..\RunOnce: [Index Washer] "C:\Program Files\Webroot\Washer\WashIdx.exe" "Alexander" (User 'Alexander')
O4 - S-1-5-21-299502267-1801674531-1586401337-1005 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Alexander')
O4 - S-1-5-21-299502267-1801674531-1586401337-1005 Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe (User 'Alexander')
O4 - S-1-5-21-299502267-1801674531-1586401337-1005 Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'Alexander')
O4 - S-1-5-21-299502267-1801674531-1586401337-1005 User Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Alexander')
O4 - S-1-5-21-299502267-1801674531-1586401337-1005 User Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe (User 'Alexander')
O4 - S-1-5-21-299502267-1801674531-1586401337-1005 User Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'Alexander')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190660627264
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190660616108
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: byxyxyy - byxyxyy.dll (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 10482 bytes
 
#4 ·
Hi Chiyame,

First, download this file and save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.


-screen317
 