
Command Service/virtumonde Fixed?


This topic is locked
12 replies to this topic

#1 wano
  • Members
  • 9 posts
  • Gender:Male
  • Location:Leeds

Posted 21 September 2007 - 03:39 PM

Hi
Despite thinking I was being protected by Ad-Aware and Norton I have recently been plagued by pop-ups and severe Windows slow-down. By reading and acting upon the brilliant information on these forums, I have removed Virtumonde and Command Service, amongst other things. I now get no pop-ups and the performance generally seems better. I would just like to make sure that there is nothing nasty still lurking!

I now have Ad-Aware, Spybot, SuperAntiSpyware, Spyware Blaster and AVG installed. I have followed all the instructions in the Preparation Guide, and here is the HijackThis log. Many thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:18:36, on 21/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\atwtusb.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\TBLMOUSE.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SpamPal\spampal.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {031FD6F3-191A-18BE-3020-4C71C5039793} - C:\WINDOWS\system32\epapi.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C1EDEA9-1311-18BC-6720-4C71C5039694} - C:\WINDOWS\system32\jyao.dll (file missing)
O2 - BHO: (no name) - {0CD36C86-FFDC-496A-9A6F-4567911598F0} - (no file)
O2 - BHO: (no name) - {17399DB8-0F5C-0EAD-7EB4-0595BA85DF94} - (no file)
O2 - BHO: (no name) - {2C1DB68C-7233-7FC4-4B12-2FC79F07B492} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5DD785E9-7B64-4BC9-A2E5-2236841551AF} - (no file)
O2 - BHO: baloudHelperObj Class - {6165D324-3AAF-4C63-B545-C7D2285BEA1C} - C:\Program Files\ReadAndWrite6\thbho.dll
O2 - BHO: (no name) - {64CEC70B-99D6-46AD-ACE7-F2AE0F7EC50D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7F37DB47-4BF7-4459-81DE-1334E070B19F} - (no file)
O2 - BHO: (no name) - {8207A405-4316-4EA9-B880-4F4E93F9CC91} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C9B6A22B-64C0-6767-E458-3B76651A53C8} - C:\WINDOWS\system32\knia.dll (file missing)
O2 - BHO: (no name) - {CE863CC3-2852-4644-8144-224EF0B5F440} - (no file)
O2 - BHO: (no name) - {D431193B-E6E5-4D1C-916F-1AD5E73180A5} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ScriptSentry] C:\Program Files\Script Sentry\ScriptSentry.exe /check
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Svqywzrv] "C:\Documents and Settings\Wayne\My Documents\?ssembly\??oolsv.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpamPal.lnk = C:\Program Files\SpamPal\spampal.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/gb/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 10958 bytes
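The log above shows the two kinds of remnant a Virtumonde cleanup typically leaves behind: O2 BHO registrations whose DLL is gone ("(no file)" / "(file missing)"), and an HKCU Run entry whose path HijackThis prints with "?" in place of characters it could not render in the system code page (the "?ssembly\??oolsv.exe" lookalike of a system binary). The script below is an added triage aid written for this page; it is not part of the thread, of HijackThis or of ComboFix. It parses O2 and O4 lines in HijackThis format and flags those patterns. The sample lines are copied from the log above; the list of imitated system binaries and the heuristics (treating "?" as a wildcard, flagging autoruns from a user profile directory) are the example's own assumptions.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of
HijackThis or ComboFix). Flags orphaned O2 BHO registrations, unnamed BHOs,
and O4 Run entries whose paths contain unrenderable characters, imitate a
system binary, or launch from a user profile directory."""
import re

# Names droppers like to imitate (assumed list). The lookalike check treats
# '?' (HijackThis's stand-in for a character it could not render) as a wildcard.
SYSTEM_BINARIES = ("svchost.exe", "spoolsv.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe", "smss.exe", "explorer.exe")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<command>.*)$")

# Lines copied from the HijackThis log in this thread, used as sample input.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {031FD6F3-191A-18BE-3020-4C71C5039793} - C:\WINDOWS\system32\epapi.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CD36C86-FFDC-496A-9A6F-4567911598F0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [Svqywzrv] "C:\Documents and Settings\Wayne\My Documents\?ssembly\??oolsv.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
"""


def parse_line(line):
    """Return a dict for O2 (BHO) and O4 (registry Run) lines, else None."""
    for kind, rx in (("O2", O2_RE), ("O4", O4_RE)):
        m = rx.match(line.strip())
        if m:
            return {"type": kind, **m.groupdict()}
    return None


def executable_path(command):
    """First token of a Run command: the quoted path, or the first whitespace-delimited word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def mimics_system_binary(basename):
    """True when basename equals a system binary name once '?' is read as any single character."""
    pattern = re.escape(basename).replace(r"\?", ".")
    return any(re.fullmatch(pattern, known, re.IGNORECASE) for known in SYSTEM_BINARIES)


def triage_entry(entry):
    """Reasons to look harder at one parsed entry (empty list means nothing notable)."""
    reasons = []
    if entry["type"] == "O2":
        target = entry["target"]
        if target == "(no file)" or target.endswith("(file missing)"):
            reasons.append("orphaned BHO registration: CLSID points at a DLL that is gone")
        elif entry["name"] == "(no name)":
            reasons.append("unnamed BHO with a DLL on disk: identify it before trusting it")
        return reasons
    path = executable_path(entry["command"])
    basename = path.rsplit("\\", 1)[-1]
    if "?" in path or any(ord(ch) > 127 for ch in path):
        reasons.append("path contains characters HijackThis could not render (lookalike-name trick)")
    if mimics_system_binary(basename) and not re.match(r"^[A-Za-z]:\\WINDOWS\\", path, re.IGNORECASE):
        reasons.append(f"'{basename}' imitates a system binary but does not live under \\WINDOWS")
    if re.search(r"\\Documents and Settings\\", path, re.IGNORECASE):
        reasons.append("autorun launches from a user profile directory")
    return reasons


def triage(log_text):
    """List of (line, reasons) for every notable O2/O4 line, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            reasons = triage_entry(entry)
            if reasons:
                findings.append((line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run against the sample, the script reports the two orphaned BHO lines and the Svqywzrv entry, the latter with three reasons (unrenderable characters, a name that matches spoolsv.exe once "?" is a wildcard, and a launch path under the user's profile). Orphaned CLSIDs are leftovers rather than live code, but they are still worth deleting so a later re-infection cannot quietly reuse them.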


#2 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 28 September 2007 - 01:34 PM

Hello,

* Download Combofix to your desktop.

In case you have used Combofix before, please delete the version you have and download it again, because Combofix is updated every day.

In case your antivirus or any other realtime scanner displays an alert after you download Combofix or while you use it, please disable your scanner and download Combofix again, because some scanners may see some Combofix-related components as suspicious and block or delete them while there's nothing wrong with them.


* Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 wano
  • Topic Starter
  • Members
  • 9 posts
  • Gender:Male
  • Location:Leeds

Posted 28 September 2007 - 04:37 PM

Hi
Thanks for responding. Downloaded and ran Combofix (it did not ask for a reboot). Here's the Combofix log:

ComboFix 07-09-29.3 - Wayne 2007-09-28 22:09:07.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.183 [GMT 1:00]
Running from: C:\Documents and Settings\Wayne\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-29 )))))))))))))))))))))))))))))))
.

2007-09-28 22:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-26 22:21 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-09-26 15:01 <DIR> d-------- C:\Documents and Settings\Julie Brayshaw\Application Data\WinRAR
2007-09-26 11:04 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-09-25 22:25 <DIR> d-------- C:\Program Files\Secunia
2007-09-21 14:00 <DIR> d-------- C:\Documents and Settings\Julie Brayshaw\Application Data\textHELP
2007-09-21 07:10 <DIR> d-------- C:\Documents and Settings\Julie Brayshaw\Application Data\Comodo
2007-09-20 21:48 <DIR> d-------- C:\Documents and Settings\Wayne\Application Data\Comodo
2007-09-20 21:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2007-09-20 21:45 <DIR> d-------- C:\Program Files\Comodo
2007-09-16 23:56 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-16 23:46 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-15 21:49 <DIR> d-------- C:\Program Files\SpamPal
2007-09-15 21:49 <DIR> d-------- C:\Documents and Settings\Wayne\Application Data\SpamPal
2007-09-15 21:27 <DIR> d-------- C:\Program Files\Script Sentry
2007-09-15 21:10 <DIR> d-------- C:\Program Files\Cookie Jar
2007-09-14 16:46 <DIR> d-------- C:\Program Files\iTunes
2007-09-14 16:44 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-09-14 16:44 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-09-14 16:38 <DIR> d-------- C:\Program Files\QuickTime
2007-09-14 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-09-14 16:31 <DIR> d-------- C:\Documents and Settings\Wayne\Application Data\Leadertech
2007-09-14 06:51 <DIR> d-------- C:\Documents and Settings\Julie Brayshaw\Application Data\SUPERAntiSpyware.com
2007-09-13 22:08 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-13 22:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-13 22:08 <DIR> d-------- C:\Documents and Settings\Wayne\Application Data\SUPERAntiSpyware.com
2007-09-13 22:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-13 07:17 1,332,564 ---hs---- C:\WINDOWS\system32\xybeg.bak2
2007-09-12 22:10 <DIR> d-------- C:\Documents and Settings\Wayne\.housecall6.6
2007-09-12 21:50 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-09-12 17:56 6,448 ---hs---- C:\WINDOWS\system32\xybeg.bak1
2007-09-12 17:55 109,600 --a------ C:\WINDOWS\system32\sptll.dll
2007-09-11 23:03 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-11 21:50 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-09-10 16:30 <DIR> d-------- C:\Documents and Settings\Julie Brayshaw\Application Data\Ambient Design
2007-09-10 16:28 <DIR> d-------- C:\Program Files\Ambient Design
2007-09-10 08:28 7,808 --a------ C:\WINDOWS\system32\drivers\psi_mf.sys
2007-09-09 22:21 <DIR> d-------- C:\Documents and Settings\Julie Brayshaw\Application Data\Sunbelt Software
2007-09-09 20:29 <DIR> d-------- C:\Documents and Settings\Wayne\Application Data\Sunbelt Software
2007-09-08 06:59 6,448 --ahs---- C:\WINDOWS\system32\dccdd.bak1
2007-09-07 14:30 6,448 --ahs---- C:\WINDOWS\system32\ttvwa.bak1
2007-09-07 11:49 1,312,400 --ahs---- C:\WINDOWS\system32\rrutv.bak2
2007-09-07 06:20 1,338,134 ---hs---- C:\WINDOWS\system32\mnnmp.bak2
2007-09-07 03:24 6,448 --ahs---- C:\WINDOWS\system32\mnnmp.bak1
2007-09-06 23:21 <DIR> d-------- C:\WINDOWS\pss
2007-09-06 22:38 1,334,321 --ahs---- C:\WINDOWS\system32\bbeeg.ini2
2007-09-06 08:35 6,448 --a------ C:\WINDOWS\system32\nqtss.bak1
2007-09-06 06:11 1,334,065 --ahs---- C:\WINDOWS\system32\bbeeg.bak2
2007-09-05 20:52 6,488 --ahs---- C:\WINDOWS\system32\bbeeg.bak1
2007-09-05 18:54 1,310,378 --ahs---- C:\WINDOWS\system32\ttutv.bak2
2007-09-05 13:23 6,448 --ahs---- C:\WINDOWS\system32\ttutv.bak1
2007-09-05 08:10 6,488 --ahs---- C:\WINDOWS\system32\xyadd.bak1
2007-09-05 06:32 1,312,064 --ahs---- C:\WINDOWS\system32\nmllm.bak2
2007-09-03 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-09-03 22:21 <DIR> d-------- C:\Program Files\Bonjour
2007-09-03 22:12 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-26 21:55 --------- d-------- C:\Documents and Settings\Wayne\Application Data\AdobeUM
2007-09-26 06:20 --------- d-------- C:\Program Files\Yahoo!
2007-09-22 12:01 --------- d-------- C:\Program Files\ReadAndWrite6
2007-09-21 18:18 --------- d-------- C:\Program Files\Google
2007-09-16 19:36 44544 --a------ C:\WINDOWS\system32\hticons.dll
2007-09-14 16:46 --------- d-------- C:\Program Files\iPod
2007-09-14 16:45 --------- d-------- C:\Program Files\Apple Software Update
2007-09-12 06:50 --------- d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-08 22:12 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-08 21:38 --------- d-------- C:\Program Files\Symantec
2007-09-08 21:34 --------- d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-08-26 11:34 --------- d-------- C:\Documents and Settings\Julie Brayshaw\Application Data\Bamzooki
2007-08-25 18:16 --------- d-------- C:\Program Files\BAMZOOKi
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-29 18:59 --------- d-------- C:\Documents and Settings\Julie Brayshaw\Application Data\AdobeUM
2007-06-29 22:22 534064 --a------ C:\WINDOWS\James.exe
2007-06-29 22:22 40960 --a------ C:\WINDOWS\James.dll
2007-06-29 22:22 338880 --a------ C:\WINDOWS\James.scr
.

((((((((((((((((((((((((((((( snapshot_2007-09-16_173107.96 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 53,248 2006-05-25 00:22:06 C:\WINDOWS\bdoscandel.exe
----a-w 135,168 2007-09-28 08:06:08 C:\WINDOWS\catchme.exe
----a-w 45,056 2007-09-16 22:57:38 C:\WINDOWS\BDOSCAN8\avxdisk.dll
----a-w 10,240 2007-09-16 22:57:38 C:\WINDOWS\BDOSCAN8\avxs.dll
----a-w 27,136 2007-09-16 22:57:38 C:\WINDOWS\BDOSCAN8\avxt.dll
----a-w 181,760 2007-09-27 21:38:39 C:\WINDOWS\BDOSCAN8\bdcore.dll
----a-w 118,784 2005-03-01 13:08:48 C:\WINDOWS\BDOSCAN8\bdupd.dll
----a-w 53,248 2005-03-01 13:08:52 C:\WINDOWS\BDOSCAN8\ipsupd.dll
----a-w 142,848 2007-09-16 22:57:41 C:\WINDOWS\BDOSCAN8\libfn.dll
----a-w 86,016 2007-09-16 22:57:38 C:\WINDOWS\BDOSCAN8\librtvr.dll
----a-w 141,424 2006-08-24 07:28:54 C:\WINDOWS\Downloaded Program Files\asinst.dll
----a-w 118,784 2005-03-01 13:08:48 C:\WINDOWS\Downloaded Program Files\bdupd.dll
----a-w 53,248 2005-03-01 13:08:52 C:\WINDOWS\Downloaded Program Files\ipsupd.dll
----a-r 2,058,343 2003-07-07 12:36:00 C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLFLTR.DAT
----a-r 115,288 2003-07-08 10:48:00 C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLFLTR.DLL
----a-r 65,536 2007-09-25 21:25:38 C:\WINDOWS\Installer\{0A4DF5B0-983C-4691-9D4A-9FD1D4B2A69F}\ARPPRODUCTICON.exe
----a-r 12,288 2007-09-26 21:21:41 C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
----a-r 135,168 2007-09-26 21:21:41 C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
----a-r 11,264 2007-09-26 21:21:41 C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
----a-r 27,136 2007-09-26 21:21:41 C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
----a-r 4,096 2007-09-26 21:21:41 C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
----a-r 794,624 2007-09-26 21:21:42 C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
----a-r 249,856 2007-09-26 21:21:41 C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
----a-r 23,040 2007-09-26 21:21:42 C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
----a-r 286,720 2007-09-26 21:21:41 C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
----a-r 409,600 2007-09-26 21:21:41 C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
----a-r 23,558 2007-09-26 20:55:07 C:\WINDOWS\Installer\{AC76BA86-0000-7EC8-7489-000000000606}\ARPPRODUCTICON.exe
----a-w 1,486,080 2007-09-18 17:40:54 C:\WINDOWS\system32\FNTCACHE.DAT
----a-w 844,800 2007-07-22 17:39:27 C:\WINDOWS\system32\swreg.exe
----a-w 11,776 2003-03-25 17:53:50 C:\WINDOWS\system32\ZPORT4AS.dll
----a-w 110,592 2007-03-29 08:20:50 C:\WINDOWS\system32\ActiveScan\as.dll
----a-w 233,472 2006-10-05 15:15:26 C:\WINDOWS\system32\ActiveScan\ascontrol.dll
----a-w 96,256 2005-06-03 13:03:18 C:\WINDOWS\system32\ActiveScan\asmdat.dll
----a-w 36,864 2003-08-01 10:00:16 C:\WINDOWS\system32\ActiveScan\certdll.dll
----a-w 86,016 2005-05-20 12:42:44 C:\WINDOWS\system32\ActiveScan\instlsp.dll
----a-w 4,608 2006-02-16 17:20:20 C:\WINDOWS\system32\ActiveScan\memvfile.dll
----a-w 348,160 2005-10-25 17:08:32 C:\WINDOWS\system32\ActiveScan\msvcr71.dll
----a-w 139,264 2004-05-04 14:01:02 C:\WINDOWS\system32\ActiveScan\pavaleas.dll
----a-w 45,056 2006-07-14 12:04:10 C:\WINDOWS\system32\ActiveScan\pavdr.exe
----a-w 159,832 2006-04-10 09:50:02 C:\WINDOWS\system32\ActiveScan\pavexcom.dll
----a-w 94,208 2006-02-14 12:05:38 C:\WINDOWS\system32\ActiveScan\pavinas.dll
----a-w 180,224 2006-02-16 17:35:38 C:\WINDOWS\system32\ActiveScan\pavoe.dll
----a-w 122,880 2006-10-05 15:15:38 C:\WINDOWS\system32\ActiveScan\pavpz.dll
----a-w 8,704 2006-06-30 13:13:38 C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
----a-w 49,152 2004-02-04 13:08:42 C:\WINDOWS\system32\ActiveScan\port32.dll
----a-w 69,632 2006-08-01 12:23:10 C:\WINDOWS\system32\ActiveScan\pscpu.dll
----a-w 1,388,544 2006-08-23 12:06:08 C:\WINDOWS\system32\ActiveScan\pskahk.dll
----a-w 10,752 2006-08-17 10:38:14 C:\WINDOWS\system32\ActiveScan\pskalloc.dll
----a-w 61,440 2006-09-04 10:49:54 C:\WINDOWS\system32\ActiveScan\pskas.dll
----a-w 779,264 2006-08-18 07:46:18 C:\WINDOWS\system32\ActiveScan\pskavs.dll
----a-w 417,792 2007-03-26 13:25:34 C:\WINDOWS\system32\ActiveScan\pskcmp.dll
----a-w 90,112 2006-08-09 09:42:24 C:\WINDOWS\system32\ActiveScan\pskfss.dll
----a-w 208,896 2006-07-19 09:55:58 C:\WINDOWS\system32\ActiveScan\pskhtml.dll
----a-w 9,728 2006-01-20 15:57:00 C:\WINDOWS\system32\ActiveScan\pskmas.dll
----a-w 14,336 2006-05-17 08:50:12 C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
----a-w 33,280 2006-08-16 09:58:12 C:\WINDOWS\system32\ActiveScan\pskpack.dll
----a-w 266,240 2006-06-30 13:42:36 C:\WINDOWS\system32\ActiveScan\pskscs.dll
----a-w 62,976 2006-08-17 13:33:14 C:\WINDOWS\system32\ActiveScan\pskutil.dll
----a-w 13,312 2006-08-08 12:13:10 C:\WINDOWS\system32\ActiveScan\pskvfile.dll
----a-w 69,632 2006-08-18 07:53:08 C:\WINDOWS\system32\ActiveScan\pskvfs.dll
----a-w 167,936 2006-08-18 07:49:50 C:\WINDOWS\system32\ActiveScan\pskvm.dll
----a-w 353,840 2007-04-18 16:16:04 C:\WINDOWS\system32\ActiveScan\psscan.dll
----a-w 35,328 2007-01-22 13:42:48 C:\WINDOWS\system32\ActiveScan\rawvfile.dll
----a-w 9,488 1997-09-18 05:12:32 C:\WINDOWS\system32\ActiveScan\sporder.dll
----a-w 69,632 2006-02-28 16:23:40 C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
----a-w 821,728 2007-09-22 08:01:41 C:\WINDOWS\system32\drivers\avg7core.sys
----a-w 75,520 2007-09-20 20:45:29 C:\WINDOWS\system32\drivers\cmdmon.sys
----a-w 51,328 2007-09-20 20:45:29 C:\WINDOWS\system32\drivers\inspect.sys
----a-w 182,248 2007-08-07 16:20:44 C:\WINDOWS\system32\Macromed\Director\swdir.dll
----a-w 2,115,816 2007-06-11 20:34:34 C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
----a-w 190,696 2007-06-11 20:34:40 C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
----a-w 45,218 2007-09-26 05:13:00 C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
----a-w 585,728 2007-08-07 12:35:56 C:\WINDOWS\system32\Macromed\Shockwave 10\Control.dll
----a-w 1,490,944 2007-08-07 12:19:40 C:\WINDOWS\system32\Macromed\Shockwave 10\dirapi.dll
----a-w 24,576 2007-08-07 12:36:32 C:\WINDOWS\system32\Macromed\Shockwave 10\DynaPlayer.dll
----a-w 1,113,600 2007-08-07 15:52:32 C:\WINDOWS\system32\Macromed\Shockwave 10\gi.dll
----a-w 52,288 2007-08-07 12:08:48 C:\WINDOWS\system32\Macromed\Shockwave 10\gtapi.dll
----a-w 606,208 2007-08-07 12:17:24 C:\WINDOWS\system32\Macromed\Shockwave 10\iml32.dll
----a-w 339,968 2007-08-07 12:35:22 C:\WINDOWS\system32\Macromed\Shockwave 10\Plugin.dll
----a-w 483,328 2007-08-07 12:35:32 C:\WINDOWS\system32\Macromed\Shockwave 10\PluginPing.dll
----a-w 180,224 2007-08-07 12:28:38 C:\WINDOWS\system32\Macromed\Shockwave 10\Proj.dll
----a-w 391,144 2007-08-07 16:20:28 C:\WINDOWS\system32\Macromed\Shockwave 10\SwHelper_1020023.exe
----a-w 77,824 2007-08-07 12:37:56 C:\WINDOWS\system32\Macromed\Shockwave 10\SwInit.exe
----a-w 86,016 2007-08-07 12:35:18 C:\WINDOWS\system32\Macromed\Shockwave 10\SwMenu.dll
----a-w 98,304 2007-08-07 12:37:58 C:\WINDOWS\system32\Macromed\Shockwave 10\SwOnce.dll
----a-w 50,808 2007-08-07 12:08:46 C:\WINDOWS\system32\Macromed\Shockwave 10\SYMCCHECKER.DLL
.
----a-w 109,056 2007-07-19 23:47:22 C:\WINDOWS\catchme.exe
----a-r 12,288 2006-09-27 21:59:43 C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
----a-r 135,168 2006-09-27 21:59:43 C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
----a-r 11,264 2006-09-27 21:59:43 C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
----a-r 27,136 2006-09-27 21:59:43 C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
----a-r 4,096 2006-09-27 21:59:43 C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
----a-r 794,624 2006-09-27 21:59:43 C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
----a-r 249,856 2006-09-27 21:59:43 C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
----a-r 23,040 2006-09-27 21:59:43 C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
----a-r 286,720 2006-09-27 21:59:43 C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
----a-r 409,600 2006-09-27 21:59:43 C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
----a-w 1,486,104 2007-09-15 07:45:11 C:\WINDOWS\system32\FNTCACHE.DAT
----a-w 279,552 2007-07-22 17:39:27 C:\WINDOWS\system32\swreg.exe
----a-w 821,600 2007-09-08 08:43:48 C:\WINDOWS\system32\drivers\avg7core.sys
----a-w 182,512 2007-05-02 11:32:04 C:\WINDOWS\system32\Macromed\Director\swdir.dll
----a-w 585,728 2007-04-30 16:11:28 C:\WINDOWS\system32\Macromed\Shockwave 10\Control.dll
----a-w 1,490,944 2007-04-30 15:08:40 C:\WINDOWS\system32\Macromed\Shockwave 10\dirapi.dll
----a-w 24,576 2007-04-30 15:30:38 C:\WINDOWS\system32\Macromed\Shockwave 10\DynaPlayer.dll
----a-w 1,089,024 2007-04-30 15:47:02 C:\WINDOWS\system32\Macromed\Shockwave 10\gi.dll
----a-w 52,288 2007-04-30 14:47:42 C:\WINDOWS\system32\Macromed\Shockwave 10\gtapi.dll
----a-w 606,208 2007-04-30 15:05:32 C:\WINDOWS\system32\Macromed\Shockwave 10\iml32.dll
----a-w 339,968 2007-04-30 16:11:22 C:\WINDOWS\system32\Macromed\Shockwave 10\Plugin.dll
----a-w 483,328 2007-04-30 16:11:24 C:\WINDOWS\system32\Macromed\Shockwave 10\PluginPing.dll
----a-w 180,224 2007-04-30 16:11:30 C:\WINDOWS\system32\Macromed\Shockwave 10\Proj.dll
----a-w 77,824 2007-04-30 15:33:00 C:\WINDOWS\system32\Macromed\Shockwave 10\SwInit.exe
----a-w 86,016 2007-04-30 15:29:00 C:\WINDOWS\system32\Macromed\Shockwave 10\SwMenu.dll
----a-w 98,304 2007-04-30 15:33:00 C:\WINDOWS\system32\Macromed\Shockwave 10\SwOnce.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{031FD6F3-191A-18BE-3020-4C71C5039793}]
C:\WINDOWS\system32\epapi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C1EDEA9-1311-18BC-6720-4C71C5039694}]
C:\WINDOWS\system32\jyao.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CD36C86-FFDC-496A-9A6F-4567911598F0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17399DB8-0F5C-0EAD-7EB4-0595BA85DF94}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C1DB68C-7233-7FC4-4B12-2FC79F07B492}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DD785E9-7B64-4BC9-A2E5-2236841551AF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64CEC70B-99D6-46AD-ACE7-F2AE0F7EC50D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F37DB47-4BF7-4459-81DE-1334E070B19F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8207A405-4316-4EA9-B880-4F4E93F9CC91}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C9B6A22B-64C0-6767-E458-3B76651A53C8}]
C:\WINDOWS\system32\knia.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE863CC3-2852-4644-8144-224EF0B5F440}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D431193B-E6E5-4D1C-916F-1AD5E73180A5}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 15:10 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-08-24 04:14 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-08-24 04:01 C:\WINDOWS\ALCWZRD.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 C:\WINDOWS\AGRSMMSG.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2003-11-10 17:06]
"USB2Check"="C:\WINDOWS\system32\PCLECoInst.dll" [2005-12-21 11:14]
"atwtusb"="atwtusb.exe" [2005-09-21 18:08 C:\WINDOWS\system32\ATWTUSB.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-13 21:20]
"SpyHunter"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55]
"ScriptSentry"="C:\Program Files\Script Sentry\ScriptSentry.exe" [2002-07-04 20:44]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-09-20 21:45]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-25 19:09]
"Svqywzrv"="C:\Documents and Settings\Wayne\My Documents\?ssembly\??oolsv.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 05:37:56]
Device Detector 2.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2006-09-29 20:23:12]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]

C:\Documents and Settings\Wayne\Start Menu\Programs\Startup\
Secunia PSI (BETA).lnk - C:\Program Files\Secunia\PSI (BETA)\PSI.exe [2007-09-11 08:55:40]
SpamPal.lnk - C:\Program Files\SpamPal\spampal.exe [2005-10-24 20:08:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 05:37:56]
Device Detector 2.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2006-09-29 20:23:12]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R1 aiptektp;HyperPen;C:\WINDOWS\system32\DRIVERS\aiptektp.sys
R3 PSI;PSI;C:\WINDOWS\system32\DRIVERS\psi_mf.sys
S3 utblfilt;utblfilt;C:\WINDOWS\system32\drivers\utblfilt.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-18 12:43:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-28 19:00:01 C:\WINDOWS\Tasks\HPpromotions journeysoftware.job"
- C:\Program Files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe
"2007-09-11 18:13:09 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-29 22:12:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-29 22:12:58
C:\ComboFix-quarantined-files.txt ... 2007-09-29 22:12
.
--- E O F ---


And here's the HJT log. Thanks again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:20:10, on 29/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\TBLMOUSE.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Secunia\PSI (BETA)\PSI.exe
C:\Program Files\SpamPal\spampal.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {031FD6F3-191A-18BE-3020-4C71C5039793} - C:\WINDOWS\system32\epapi.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C1EDEA9-1311-18BC-6720-4C71C5039694} - C:\WINDOWS\system32\jyao.dll (file missing)
O2 - BHO: (no name) - {0CD36C86-FFDC-496A-9A6F-4567911598F0} - (no file)
O2 - BHO: (no name) - {17399DB8-0F5C-0EAD-7EB4-0595BA85DF94} - (no file)
O2 - BHO: (no name) - {2C1DB68C-7233-7FC4-4B12-2FC79F07B492} - (no file)
O2 - BHO: (no name) - {5DD785E9-7B64-4BC9-A2E5-2236841551AF} - (no file)
O2 - BHO: baloudHelperObj Class - {6165D324-3AAF-4C63-B545-C7D2285BEA1C} - C:\Program Files\ReadAndWrite6\thbho.dll
O2 - BHO: (no name) - {64CEC70B-99D6-46AD-ACE7-F2AE0F7EC50D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7F37DB47-4BF7-4459-81DE-1334E070B19F} - (no file)
O2 - BHO: (no name) - {8207A405-4316-4EA9-B880-4F4E93F9CC91} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C9B6A22B-64C0-6767-E458-3B76651A53C8} - C:\WINDOWS\system32\knia.dll (file missing)
O2 - BHO: (no name) - {CE863CC3-2852-4644-8144-224EF0B5F440} - (no file)
O2 - BHO: (no name) - {D431193B-E6E5-4D1C-916F-1AD5E73180A5} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ScriptSentry] C:\Program Files\Script Sentry\ScriptSentry.exe /check
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Svqywzrv] "C:\Documents and Settings\Wayne\My Documents\?ssembly\??oolsv.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Secunia PSI (BETA).lnk = C:\Program Files\Secunia\PSI (BETA)\PSI.exe
O4 - Startup: SpamPal.lnk = C:\Program Files\SpamPal\spampal.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1190756639984
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/gb/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 10556 bytes

#4 miekiemoes (Malware Response Team, Belgium)

Posted 28 September 2007 - 05:16 PM

Hi,

* Open Notepad - don't use any text editor other than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\system32\xybeg.bak2
C:\WINDOWS\system32\xybeg.bak1
C:\WINDOWS\system32\sptll.dll
C:\WINDOWS\system32\dccdd.bak1
C:\WINDOWS\system32\ttvwa.bak1
C:\WINDOWS\system32\rrutv.bak2
C:\WINDOWS\system32\mnnmp.bak2
C:\WINDOWS\system32\mnnmp.bak1
C:\WINDOWS\system32\bbeeg.ini2
C:\WINDOWS\system32\nqtss.bak1
C:\WINDOWS\system32\bbeeg.bak2
C:\WINDOWS\system32\bbeeg.bak1
C:\WINDOWS\system32\ttutv.bak2
C:\WINDOWS\system32\ttutv.bak1
C:\WINDOWS\system32\xyadd.bak1
C:\WINDOWS\system32\nmllm.bak2

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{031FD6F3-191A-18BE-3020-4C71C5039793}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C1EDEA9-1311-18BC-6720-4C71C5039694}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CD36C86-FFDC-496A-9A6F-4567911598F0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17399DB8-0F5C-0EAD-7EB4-0595BA85DF94}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C1DB68C-7233-7FC4-4B12-2FC79F07B492}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DD785E9-7B64-4BC9-A2E5-2236841551AF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64CEC70B-99D6-46AD-ACE7-F2AE0F7EC50D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F37DB47-4BF7-4459-81DE-1334E070B19F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8207A405-4316-4EA9-B880-4F4E93F9CC91}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C9B6A22B-64C0-6767-E458-3B76651A53C8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE863CC3-2852-4644-8144-224EF0B5F440}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D431193B-E6E5-4D1C-916F-1AD5E73180A5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcWzrd"=-
"SpyHunter"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Svqywzrv"=-


Save this as a text file named CFScript.

Then drag the CFScript onto ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Also, go to the following site:
http://www.virustotal.com/en/indexf.html
At the top you'll find 'Browse'.
Click the Browse button and browse to the following file:

C:\WINDOWS\James.scr

Click Open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply as well.

Do the same for the following files:

C:\WINDOWS\James.exe
C:\WINDOWS\James.dll
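The HijackThis log in the post above and the CFScript in this post together show the triage step a responder repeats on every such thread: pick out the O2 BHO entries whose DLL is gone ("(no file)" or "(file missing)"), pick out the O4 Run entries whose path HijackThis could not display, and write the matching Registry:: lines. The script below is an added example for this thread; it is not code from HijackThis, ComboFix or the helper. It assumes the HijackThis 2.0.2 line formats shown above and reproduces the CFScript syntax exactly as the helper used it, including ComboFix's abbreviated `\~\Browser Helper Objects` path for the BHO key; whether ComboFix accepts anything else is not something this thread shows. The sample lines it runs on are constructed from entries in the log above. Note that Windows does not permit `?` in a file name, so the `?ssembly\??oolsv.exe` entry is HijackThis's stand-in for characters it could not display, which is why that character is treated as a red flag.

```python
"""Triage of HijackThis O2/O4 lines and rendering of a CFScript Registry::
block.  Added example for this thread, not code from HijackThis, ComboFix or
the helper.  Assumed: the HijackThis 2.0.2 line formats seen in the thread and
the CFScript syntax exactly as used in post #4 ([-key] deletes a key,
"name"=- deletes a value under the key named on the preceding line)."""
import re
from dataclasses import dataclass

# O2 - BHO: <name> - {<CLSID>} - <dll path>, with "(file missing)" appended or
# "(no file)" in place of the path when the CLSID no longer points at a file.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$")
# O4 - HKLM\..\Run: [<value name>] <command>   (also HKCU and HKUS\<SID>)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

MISSING = ("(no file)", "(file missing)")
HIVE_NAMES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
# ComboFix abbreviates the BHO key this way in its log and in the CFScript.
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class Finding:
    kind: str    # "orphan_bho" or "unprintable_path"
    hive: str    # HKLM / HKCU / HKUS\<SID> for Run entries, "" for BHOs
    ident: str   # CLSID for a BHO, value name for a Run entry
    detail: str  # reason, for the human doing the review


def triage(log_text: str) -> list[Finding]:
    """Flag BHO CLSIDs whose DLL is gone and Run values whose command contains
    '?', which is how HijackThis renders characters it cannot display."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            if any(mark in m["target"] for mark in MISSING):
                findings.append(Finding("orphan_bho", "", m["clsid"].upper(),
                                        f"BHO DLL missing: {m['target']}"))
            continue
        m = O4_RE.match(line)
        # A '?' in a Run command is rare enough that it is worth a look every
        # time; a legitimate "/?" style switch would also trip this check.
        if m and "?" in m["cmd"]:
            findings.append(Finding("unprintable_path", m["hive"], m["name"],
                                    f"undisplayable characters in path: {m['cmd']}"))
    return findings


def cfscript_registry_block(findings: list[Finding]) -> str:
    """Render a Registry:: section: one [-key] line per orphaned BHO, then a
    [key] header plus "name"=- lines for each hive that has flagged Run values.
    HKUS entries are reported by triage() but not scripted, because the
    per-SID key path is not something this example can know."""
    lines = ["Registry::"]
    for f in findings:
        if f.kind == "orphan_bho":
            lines.append(f"[-{BHO_KEY}\\{{{f.ident}}}]")
    by_hive: dict[str, list[str]] = {}
    for f in findings:
        if f.kind == "unprintable_path" and f.hive in HIVE_NAMES:
            by_hive.setdefault(f.hive, []).append(f.ident)
    for hive, names in by_hive.items():
        lines.append(f"[{HIVE_NAMES[hive]}\\{RUN_SUBKEY}]")
        lines.extend(f'"{name}"=-' for name in names)
    return "\n".join(lines)


# Constructed sample: six lines in the format of the thread's HijackThis log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {031FD6F3-191A-18BE-3020-4C71C5039793} - C:\WINDOWS\system32\epapi.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CD36C86-FFDC-496A-9A6F-4567911598F0} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Svqywzrv] "C:\Documents and Settings\Wayne\My Documents\?ssembly\??oolsv.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:17} {f.ident:40} {f.detail}")
    print(cfscript_registry_block(found))
```

Two caveats a responder would keep in mind. An orphaned BHO key cannot load anything, so removing it is hygiene rather than disinfection; the live threat in this thread was the Run value pointing at the undisplayable path, and the script only proposes the lines, it does not decide. And the script removes registry references only; the File:: section of a CFScript still has to come from the file listing, as the helper built it above from the `.bak1`/`.bak2`/`.ini2` names in system32.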

#5 wano (Topic Starter, Leeds)

Posted 28 September 2007 - 06:19 PM

Hi,
Thanks for your time; I really appreciate your help.

I followed your instructions. This time ComboFix rebooted my PC. Here are the contents of ComboFix.txt:

ComboFix 07-09-29.3 - Wayne 2007-09-29 23:34:18.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.116 [GMT 1:00]
Running from: C:\Documents and Settings\Wayne\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Wayne\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\xybeg.bak2
C:\WINDOWS\system32\xybeg.bak1
C:\WINDOWS\system32\sptll.dll
C:\WINDOWS\system32\dccdd.bak1
C:\WINDOWS\system32\ttvwa.bak1
C:\WINDOWS\system32\rrutv.bak2
C:\WINDOWS\system32\mnnmp.bak2
C:\WINDOWS\system32\mnnmp.bak1
C:\WINDOWS\system32\bbeeg.ini2
C:\WINDOWS\system32\nqtss.bak1
C:\WINDOWS\system32\bbeeg.bak2
C:\WINDOWS\system32\bbeeg.bak1
C:\WINDOWS\system32\ttutv.bak2
C:\WINDOWS\system32\ttutv.bak1
C:\WINDOWS\system32\xyadd.bak1
C:\WINDOWS\system32\nmllm.bak2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\bbeeg.bak1
C:\WINDOWS\system32\bbeeg.bak2
C:\WINDOWS\system32\bbeeg.ini2
C:\WINDOWS\system32\dccdd.bak1
C:\WINDOWS\system32\mnnmp.bak1
C:\WINDOWS\system32\mnnmp.bak2
C:\WINDOWS\system32\nmllm.bak2
C:\WINDOWS\system32\nqtss.bak1
C:\WINDOWS\system32\rrutv.bak2
C:\WINDOWS\system32\sptll.dll
C:\WINDOWS\system32\ttutv.bak1
C:\WINDOWS\system32\ttutv.bak2
C:\WINDOWS\system32\ttvwa.bak1
C:\WINDOWS\system32\xyadd.bak1
C:\WINDOWS\system32\xybeg.bak1
C:\WINDOWS\system32\xybeg.bak2

.
((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-29 )))))))))))))))))))))))))))))))
.

2007-09-28 22:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-26 22:21 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-09-26 15:01 <DIR> d-------- C:\Documents and Settings\Julie Brayshaw\Application Data\WinRAR
2007-09-26 11:04 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-09-25 22:25 <DIR> d-------- C:\Program Files\Secunia
2007-09-21 14:00 <DIR> d-------- C:\Documents and Settings\Julie Brayshaw\Application Data\textHELP
2007-09-21 07:10 <DIR> d-------- C:\Documents and Settings\Julie Brayshaw\Application Data\Comodo
2007-09-20 21:48 <DIR> d-------- C:\Documents and Settings\Wayne\Application Data\Comodo
2007-09-20 21:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2007-09-20 21:45 <DIR> d-------- C:\Program Files\Comodo
2007-09-16 23:56 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-16 23:46 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-15 21:49 <DIR> d-------- C:\Program Files\SpamPal
2007-09-15 21:49 <DIR> d-------- C:\Documents and Settings\Wayne\Application Data\SpamPal
2007-09-15 21:27 <DIR> d-------- C:\Program Files\Script Sentry
2007-09-15 21:10 <DIR> d-------- C:\Program Files\Cookie Jar
2007-09-14 16:46 <DIR> d-------- C:\Program Files\iTunes
2007-09-14 16:44 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-09-14 16:44 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-09-14 16:38 <DIR> d-------- C:\Program Files\QuickTime
2007-09-14 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-09-14 16:31 <DIR> d-------- C:\Documents and Settings\Wayne\Application Data\Leadertech
2007-09-14 06:51 <DIR> d-------- C:\Documents and Settings\Julie Brayshaw\Application Data\SUPERAntiSpyware.com
2007-09-13 22:08 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-13 22:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-13 22:08 <DIR> d-------- C:\Documents and Settings\Wayne\Application Data\SUPERAntiSpyware.com
2007-09-13 22:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-12 22:10 <DIR> d-------- C:\Documents and Settings\Wayne\.housecall6.6
2007-09-12 21:50 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-09-11 23:03 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-11 21:50 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-09-10 16:30 <DIR> d-------- C:\Documents and Settings\Julie Brayshaw\Application Data\Ambient Design
2007-09-10 16:28 <DIR> d-------- C:\Program Files\Ambient Design
2007-09-10 08:28 7,808 --a------ C:\WINDOWS\system32\drivers\psi_mf.sys
2007-09-09 22:21 <DIR> d-------- C:\Documents and Settings\Julie Brayshaw\Application Data\Sunbelt Software
2007-09-09 20:29 <DIR> d-------- C:\Documents and Settings\Wayne\Application Data\Sunbelt Software
2007-09-06 23:21 <DIR> d-------- C:\WINDOWS\pss
2007-09-03 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-09-03 22:21 <DIR> d-------- C:\Program Files\Bonjour
2007-09-03 22:12 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-26 21:55 --------- d-------- C:\Documents and Settings\Wayne\Application Data\AdobeUM
2007-09-26 06:20 --------- d-------- C:\Program Files\Yahoo!
2007-09-22 12:01 --------- d-------- C:\Program Files\ReadAndWrite6
2007-09-21 18:18 --------- d-------- C:\Program Files\Google
2007-09-16 19:36 44544 --a------ C:\WINDOWS\system32\hticons.dll
2007-09-14 16:46 --------- d-------- C:\Program Files\iPod
2007-09-14 16:45 --------- d-------- C:\Program Files\Apple Software Update
2007-09-12 06:50 --------- d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-08 22:12 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-08 21:38 --------- d-------- C:\Program Files\Symantec
2007-09-08 21:34 --------- d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-08-26 11:34 --------- d-------- C:\Documents and Settings\Julie Brayshaw\Application Data\Bamzooki
2007-08-25 18:16 --------- d-------- C:\Program Files\BAMZOOKi
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-29 18:59 --------- d-------- C:\Documents and Settings\Julie Brayshaw\Application Data\AdobeUM
2007-06-29 22:22 534064 --a------ C:\WINDOWS\James.exe
2007-06-29 22:22 40960 --a------ C:\WINDOWS\James.dll
2007-06-29 22:22 338880 --a------ C:\WINDOWS\James.scr
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 15:10 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-08-24 04:14 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 C:\WINDOWS\AGRSMMSG.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2003-11-10 17:06]
"USB2Check"="C:\WINDOWS\system32\PCLECoInst.dll" [2005-12-21 11:14]
"atwtusb"="atwtusb.exe" [2005-09-21 18:08 C:\WINDOWS\system32\ATWTUSB.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-13 21:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55]
"ScriptSentry"="C:\Program Files\Script Sentry\ScriptSentry.exe" [2002-07-04 20:44]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-09-20 21:45]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-25 19:09]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 05:37:56]
Device Detector 2.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2006-09-29 20:23:12]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]

C:\Documents and Settings\Wayne\Start Menu\Programs\Startup\
Secunia PSI (BETA).lnk - C:\Program Files\Secunia\PSI (BETA)\PSI.exe [2007-09-11 08:55:40]
SpamPal.lnk - C:\Program Files\SpamPal\spampal.exe [2005-10-24 20:08:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 05:37:56]
Device Detector 2.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2006-09-29 20:23:12]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R1 aiptektp;HyperPen;C:\WINDOWS\system32\DRIVERS\aiptektp.sys
R3 PSI;PSI;C:\WINDOWS\system32\DRIVERS\psi_mf.sys
S3 utblfilt;utblfilt;C:\WINDOWS\system32\drivers\utblfilt.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-18 12:43:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-28 19:00:01 C:\WINDOWS\Tasks\HPpromotions journeysoftware.job"
- C:\Program Files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe
"2007-09-11 18:13:09 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-29 23:39:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-29 23:41:11 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-29 23:41
C:\ComboFix2.txt ... 2007-09-29 22:12
.
--- E O F ---


And here's the new HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:50:30, on 29/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\atwtusb.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\TBLMOUSE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Secunia\PSI (BETA)\PSI.exe
C:\Program Files\SpamPal\spampal.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: baloudHelperObj Class - {6165D324-3AAF-4C63-B545-C7D2285BEA1C} - C:\Program Files\ReadAndWrite6\thbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ScriptSentry] C:\Program Files\Script Sentry\ScriptSentry.exe /check
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Secunia PSI (BETA).lnk = C:\Program Files\Secunia\PSI (BETA)\PSI.exe
O4 - Startup: SpamPal.lnk = C:\Program Files\SpamPal\spampal.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1190756639984
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/gb/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9451 bytes



Results of scan of James.scr

File James.scr received on 09.29.2007 00:54:41 (CET)
Result: 0/32 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2007.9.29.0 2007.09.28 -
AntiVir 7.6.0.18 2007.09.28 -
Authentium 4.93.8 2007.09.28 -
Avast 4.7.1043.0 2007.09.28 -
AVG 7.5.0.488 2007.09.28 -
BitDefender 7.2 2007.09.29 -
CAT-QuickHeal 9.00 2007.09.28 -
ClamAV 0.91.2 2007.09.28 -
DrWeb 4.33 2007.09.28 -
eSafe 7.0.15.0 2007.09.23 -
eTrust-Vet 31.2.5169 2007.09.27 -
Ewido 4.0 2007.09.28 -
FileAdvisor 1 2007.09.29 -
Fortinet 3.11.0.0 2007.09.28 -
F-Prot 4.3.2.48 2007.09.27 -
F-Secure 6.70.13030.0 2007.09.28 -
Ikarus T3.1.1.12 2007.09.28 -
Kaspersky 7.0.0.125 2007.09.29 -
McAfee 5130 2007.09.28 -
Microsoft 1.2803 2007.09.29 -
NOD32v2 2558 2007.09.28 -
Norman 5.80.02 2007.09.28 -
Panda 9.0.0.4 2007.09.28 -
Prevx1 V2 2007.09.29 -
Rising 19.42.42.00 2007.09.28 -
Sophos 4.21.0 2007.09.28 -
Sunbelt 2.2.907.0 2007.09.28 -
Symantec 10 2007.09.29 -
TheHacker 6.2.6.073 2007.09.28 -
VBA32 3.12.2.4 2007.09.29 -
VirusBuster 4.3.26:9 2007.09.28 -
Webwasher-Gateway 6.0.1 2007.09.28 -
Additional information
File size: 338880 bytes
MD5: 08e9d9bec050a4e3ddfd81fa409d632a
SHA1: f8c68a3bce00ddca3ed80c7d633807b9901a2494

Results for James.exe

File James.exe received on 09.29.2007 01:02:18 (CET)
Result: 0/32 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2007.9.29.0 2007.09.28 -
AntiVir 7.6.0.18 2007.09.28 -
Authentium 4.93.8 2007.09.28 -
Avast 4.7.1043.0 2007.09.28 -
AVG 7.5.0.488 2007.09.28 -
BitDefender 7.2 2007.09.29 -
CAT-QuickHeal 9.00 2007.09.28 -
ClamAV 0.91.2 2007.09.28 -
DrWeb 4.33 2007.09.28 -
eSafe 7.0.15.0 2007.09.23 -
eTrust-Vet 31.2.5169 2007.09.27 -
Ewido 4.0 2007.09.28 -
FileAdvisor 1 2007.09.29 -
Fortinet 3.11.0.0 2007.09.28 -
F-Prot 4.3.2.48 2007.09.27 -
F-Secure 6.70.13030.0 2007.09.28 -
Ikarus T3.1.1.12 2007.09.28 -
Kaspersky 7.0.0.125 2007.09.29 -
McAfee 5130 2007.09.28 -
Microsoft 1.2803 2007.09.29 -
NOD32v2 2558 2007.09.28 -
Norman 5.80.02 2007.09.28 -
Panda 9.0.0.4 2007.09.28 -
Prevx1 V2 2007.09.29 -
Rising 19.42.42.00 2007.09.28 -
Sophos 4.21.0 2007.09.28 -
Sunbelt 2.2.907.0 2007.09.28 -
Symantec 10 2007.09.29 -
TheHacker 6.2.6.073 2007.09.28 -
VBA32 3.12.2.4 2007.09.29 -
VirusBuster 4.3.26:9 2007.09.28 -
Webwasher-Gateway 6.0.1 2007.09.28 -
Additional information
File size: 534064 bytes
MD5: 65ff490770abef2ffc7fd947f5206067
SHA1: 01eda3cead1b5a6e690155f2333e1f7e51f4ee34
packers: Swf2Exe


Results for James.dll

File James.dll received on 09.29.2007 01:12:43 (CET)
Result: 0/32 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2007.9.29.0 2007.09.28 -
AntiVir 7.6.0.18 2007.09.28 -
Authentium 4.93.8 2007.09.28 -
Avast 4.7.1043.0 2007.09.28 -
AVG 7.5.0.488 2007.09.28 -
BitDefender 7.2 2007.09.29 -
CAT-QuickHeal 9.00 2007.09.28 -
ClamAV 0.91.2 2007.09.28 -
DrWeb 4.33 2007.09.28 -
eSafe 7.0.15.0 2007.09.23 -
eTrust-Vet 31.2.5169 2007.09.27 -
Ewido 4.0 2007.09.28 -
FileAdvisor 1 2007.09.29 -
Fortinet 3.11.0.0 2007.09.28 -
F-Prot 4.3.2.48 2007.09.27 -
F-Secure 6.70.13030.0 2007.09.28 -
Ikarus T3.1.1.12 2007.09.28 -
Kaspersky 7.0.0.125 2007.09.29 -
McAfee 5130 2007.09.28 -
Microsoft 1.2803 2007.09.29 -
NOD32v2 2558 2007.09.28 -
Norman 5.80.02 2007.09.28 -
Panda 9.0.0.4 2007.09.28 -
Prevx1 V2 2007.09.29 -
Rising 19.42.42.00 2007.09.28 -
Sophos 4.21.0 2007.09.28 -
Sunbelt 2.2.907.0 2007.09.28 -
Symantec 10 2007.09.29 -
TheHacker 6.2.6.073 2007.09.28 -
VBA32 3.12.2.4 2007.09.29 -
VirusBuster 4.3.26:9 2007.09.28 -
Webwasher-Gateway 6.0.1 2007.09.28 -
Additional information
File size: 40960 bytes
MD5: 0409b45f5f6eec43651dd7a62bb6d5d1
SHA1: dc0dcb9cb81b633282b975c7a9368c80950d5d9f

#6 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 29 September 2007 - 12:51 AM

This looks OK again.

Delete the C:\Qoobox folder.

How are things now?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 wano
  • Topic Starter

  • Members
  • 9 posts
  • Gender:Male
  • Location:Leeds

Posted 29 September 2007 - 03:45 AM

Hello,
Everything seems OK: no browser pop-ups, and generally the performance seems good. Actually, I haven't had a pop-up since I ran the first lot of fixes recommended in the preparation guide - I just had a suspicion that there may still be something I could not see that needed cleaning up!

Thanks again for all your help. Until I had these problems I had no idea this kind of forum existed. I think what you guys do is brilliant.

#8 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 29 September 2007 - 05:57 AM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

#9 wano
  • Topic Starter

  • Members
  • 9 posts
  • Gender:Male
  • Location:Leeds

Posted 30 September 2007 - 02:10 AM

Hi, it's me again!

One more thing: I don't know if I should be concerned about this, but every time I run Ad-Aware, it finds '1 New Critical Object - a Registry Value' which has a TAC rating of 3. I assume Ad-Aware fixes it, but it shows up in the next scan. In the Ad-Aware log, the problem seems to relate to a program I downloaded called 'ScriptSentry'. Should I uninstall it, or set Ad-Aware to ignore it? Here's the Ad-Aware log; I would appreciate it if you would check it out. (My PC seems to be running normally apart from this.) Thanks.

Ad-Aware SE Build 1.06r1
Logfile Created on:01 October 2007 07:58:25
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R193 24.09.2007


References detected during the scan:

Windows(TAC index:3):1 total references


Ad-Aware SE Settings
===========================
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


01-10-2007 07:58:25 - Scan started. (Smart mode)

Listing running processes


#:1 [smss.exe]

#:2 [csrss.exe]

#:3 [winlogon.exe]

#:4 [services.exe]

#:5 [lsass.exe]

#:6 [ati2evxx.exe]

#:7 [svchost.exe]

#:8 [svchost.exe]

#:9 [svchost.exe]

#:10 [svchost.exe]

#:11 [svchost.exe]

#:12 [svchost.exe]

#:13 [spoolsv.exe]

#:14 [applemobiledeviceservice.exe]

#:15 [avgamsvr.exe]

#:16 [avgupsvc.exe]

#:17 [avgemc.exe]

#:18 [cmdagent.exe]

#:19 [dm1service.exe]

#:20 [hpzipm12.exe]

#:21 [svchost.exe]

#:22 [alg.exe]

#:23 [ati2evxx.exe]

#:24 [explorer.exe]

#:25 [hpgs2wnd.exe]

#:26 [hpwuschd2.exe]

#:27 [soundman.exe]

#:28 [agrsmmsg.exe]

#:29 [pdvdserv.exe]

#:30 [hpgs2wnf.exe]

#:31 [atwtusb.exe]

#:32 [avgcc.exe]

#:33 [jusched.exe]

#:34 [ituneshelper.exe]

#:35 [cpf.exe]

#:36 [tblmouse.exe]

#:37 [ctfmon.exe]

#:38 [msmsgs.exe]

#:39 [googletoolbarnotifier.exe]

#:40 [acrotray.exe]

#:41 [devdtct2.exe]

#:42 [hpqtra08.exe]

#:43 [psi.exe]

#:44 [spampal.exe]

#:45 [hpqste08.exe]

#:46 [hprblog.exe]

#:47 [ipodservice.exe]

#:48 [iexplore.exe]

#:49 [ad-aware.exe]

Memory scan result:

New critical objects: 0
Objects found so far: 0


Started registry scan


Windows Object Recognized!
Type : RegData
Data : c:\program files\script sentry\scriptsentry.exe "%1" %*
Rootkey : HKEY_CLASSES_ROOT
Object : regfile\shell\open\command
Value :
Data : c:\program files\script sentry\scriptsentry.exe "%1" %*

Registry Scan result:

New critical objects: 1
Objects found so far: 1


Started deep registry scan


Deep registry scan result:

New critical objects: 0
Objects found so far: 1


Started Tracking Cookie scan



Tracking cookie scan result:

New critical objects: 0
Objects found so far: 1



Deep scanning and examining files...


Disk Scan Result for C:\WINDOWS

New critical objects: 0
Objects found so far: 1

Disk Scan Result for C:\WINDOWS\system32

New critical objects: 0
Objects found so far: 1

Disk Scan Result for C:\DOCUME~1\Wayne\LOCALS~1\Temp\

New critical objects: 0
Objects found so far: 1


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".


Hosts file scan result:

6630 entries scanned.
New critical objects:0
Objects found so far: 1




Performing conditional scans...


Conditional scan result:

New critical objects: 0
Objects found so far: 1

08:03:20 Scan Complete

Summary Of This Scan

Total scanning time:00:04:55.313
Objects scanned:152178
Objects identified:1
Objects ignored:0
New critical objects:1

#10 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 30 September 2007 - 02:35 AM

Hi,

Ad-Aware is flagging the ScriptSentry you have installed. Script Sentry checks the file associations as well, and that's where Ad-Aware is flagging it.
You may ignore this from future scans, because there's nothing wrong with ScriptSentry.
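The finding above is a hooked file association: the (Default) value of HKEY_CLASSES_ROOT\regfile\shell\open\command points at ScriptSentry instead of the Windows handler. As an added example, not code from the thread or from Ad-Aware, here is a small Python triage script that parses an Ad-Aware "Windows Object Recognized!" RegData block and reports whether the handler is the default (assumed here to be regedit.exe "%1"), a hook from a program already trusted (ScriptSentry, with the path taken from the log above), or an unexpected program; the second sample block and its handler path are constructed placeholders.

```python
import ntpath
import re
from dataclasses import dataclass

# Windows default handler per HKEY_CLASSES_ROOT object; assumption: the
# stock handler for .reg files is regedit.exe "%1".
DEFAULT_HANDLERS = {r"regfile\shell\open\command": "regedit.exe"}

# Constructed allowlist of programs known to hook associations on purpose;
# ScriptSentry's path is the one the Ad-Aware log in the thread shows.
KNOWN_BENIGN = {r"c:\program files\script sentry\scriptsentry.exe": "ScriptSentry"}

@dataclass
class RegFinding:
    obj: str   # registry object, e.g. regfile\shell\open\command
    data: str  # command line stored as its (Default) value

def parse_adaware_findings(log: str) -> list:
    """Return one RegFinding per 'Windows Object Recognized!' block."""
    findings = []
    for block in log.split("Windows Object Recognized!")[1:]:
        fields = {}
        for line in block.splitlines():
            m = re.match(r"\s*(\w+)\s*:\s*(.*)$", line)
            if m:  # 'Data' is printed twice with the same value; last wins
                fields[m.group(1)] = m.group(2).strip()
            elif fields:
                break  # a blank line or unrelated text ends the block
        if fields.get("Type") == "RegData" and "Object" in fields:
            findings.append(RegFinding(fields["Object"], fields.get("Data", "")))
    return findings

def handler_executable(command: str) -> str:
    """Program path from a shell\\open\\command value, quoted or not.
    Heuristic: everything up to the first '.exe', quotes stripped."""
    m = re.match(r'\s*"?(.*?\.exe)"?', command, re.IGNORECASE)
    return (m.group(1) if m else command).strip().lower()

def classify(finding: RegFinding) -> str:
    """'default', 'known-benign-hook', 'unexpected-hook' or 'unknown-object'."""
    expected = DEFAULT_HANDLERS.get(finding.obj.lower())
    if expected is None:
        return "unknown-object"
    exe = handler_executable(finding.data)
    if ntpath.basename(exe) == expected:
        return "default"
    if exe in KNOWN_BENIGN:
        return "known-benign-hook"
    return "unexpected-hook"

def triage(log: str) -> list:
    """(object, executable, verdict) for every finding in the log."""
    return [(f.obj, handler_executable(f.data), classify(f))
            for f in parse_adaware_findings(log)]

# Constructed sample: the finding from the thread's Ad-Aware log, plus a
# second block whose handler path is a placeholder nobody installed.
SAMPLE_LOG = """\
Windows Object Recognized!
Type : RegData
Data : c:\\program files\\script sentry\\scriptsentry.exe "%1" %*
Object : regfile\\shell\\open\\command
Value :
Data : c:\\program files\\script sentry\\scriptsentry.exe "%1" %*

Windows Object Recognized!
Type : RegData
Object : regfile\\shell\\open\\command
Value :
Data : "c:\\windows\\temp\\PLACEHOLDER-unknown.exe" "%1"

Registry Scan result:
"""
```

Calling triage(SAMPLE_LOG) returns the ScriptSentry entry as a known-benign hook and the placeholder entry as an unexpected hook; a handler that Ad-Aware keeps flagging but that is not on the allowlist is the case worth investigating rather than ignoring.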

#11 wano
  • Topic Starter

  • Members
  • 9 posts
  • Gender:Male
  • Location:Leeds

Posted 30 September 2007 - 02:40 AM

That's great thank you!

#12 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 30 September 2007 - 03:55 AM

You're welcome :thumbsup:

#13 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 01 October 2007 - 09:51 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.