
Infected With Vundo Virus


This topic is locked. 14 replies to this topic.

#1 Gingerbridgeman


Posted 10 November 2007 - 08:42 AM

Hi,

I have the Vundo Trojan on my computer. I have run through your advice section on it (http://www.bleepingcomputer.com/forums/topic18610.html) but I am still infected.

The symptoms I have noticed are my desktop icons regularly disappearing and a constant ad popping up when on the internet.

I have posted my HijackThis log below in case you can help.

Thank you,

Richard


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:36:55, on 10/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\program files\mcafee.com\vso\mcvsescn.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10001 bytes
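Reading a HijackThis log by hand means scanning a few hundred entries for the handful that deserve a second look. The script below is an added example, not code from this thread or from HijackThis: it parses the `<code> - <body>` entry lines into their sections (R0-R3, O2, O4, O23 and so on) and applies a few defender-side triage heuristics of its own, such as an entry whose referenced file is missing, a Run value that names a bare executable resolved through PATH, or a service with no vendor string. The rules are the example's own prompts for an analyst, not verdicts, and `SAMPLE_LOG` is a constructed excerpt made of lines copied from the log above.

```python
"""Triage helper for HijackThis v2.0.2 logs (added example, not part of the thread).

Parses entry lines into sections and marks the ones an analyst would
verify first.  The heuristics are this example's own; they raise questions
about an entry, they do not declare it malicious.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# A HijackThis entry: section code (R0-R3, F0-F3, O1-O24), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
# Body of an O4 Run entry: "[ValueName] command line".
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


@dataclass
class Entry:
    code: str
    body: str
    flags: list = field(default_factory=list)


def run_target(body):
    """Executable of an O4 Run entry, or None if the body is not in '[name] cmd' form."""
    m = O4_RE.search(body)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):                      # quoted path, may contain spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]                   # unquoted: first token is the image


def flag_entry(e):
    """Triage heuristics (this example's own); each adds a short reason string."""
    flags = []
    if "(no file)" in e.body:
        flags.append("orphaned entry: referenced file is missing")
    if e.code == "O18" and e.body.startswith("Filter hijack"):
        flags.append("MIME filter registration: verify CLSID and DLL")
    if e.code == "O4":
        target = run_target(e.body)
        if target is not None and "\\" not in target:
            flags.append("bare image name: resolved through PATH at logon")
    if e.code == "O2" and e.body.startswith("BHO: (no name)"):
        flags.append("unnamed BHO: identify the DLL's vendor")
    if e.code == "O16":
        flags.append("ActiveX download (DPF): confirm the source site")
    if e.code == "O20":
        flags.append("Winlogon Notify DLL: loads into winlogon, verify vendor")
    if e.code == "O23" and "Unknown owner" in e.body:
        flags.append("service without vendor string: verify the binary")
    return flags


def parse_hjt(text):
    """Parse every entry line; headers and the process listing are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            e = Entry(m.group("code"), m.group("body"))
            e.flags = flag_entry(e)
            entries.append(e)
    return entries


def section_counts(entries):
    """How many entries each section code contributed."""
    return dict(Counter(e.code for e in entries))


def triage(text):
    """Entries that carry at least one flag, in log order."""
    return [e for e in parse_hjt(text) if e.flags]


# Constructed sample: a few lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.code:<4} {e.body}")
        for f in e.flags:
            print(f"     -> {f}")
```

On the sample, five of the eight entries are flagged and the `O18 - Filter hijack` line collects two reasons (a MIME filter registration and a missing file). The flags are deliberately phrased as verification steps: the unnamed BHO in the sample sits at `C:\PROGRA~1\SPYBOT~1\SDHelper.dll`, so the right action is to confirm the vendor rather than to fix the entry, which is why the rule asks a question instead of giving a verdict.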


#2 SifuMike (malware expert, Staff Emeritus)

Posted 14 November 2007 - 02:49 PM

Hello Gingerbridgeman.

Please run ComboFix.

If you have used ComboFix before, please delete the version you have and download it again, because ComboFix is updated every day.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files, which may cause unpredictable results.
Some scanners may see some ComboFix-related components as suspicious and block or delete them even though there is nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop.

2. Double-click combofix.exe and follow the prompts.
3. When finished, it will produce a log for you at C:\ComboFix.txt. Post the ComboFix log and a fresh HijackThis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt unless I ask you to.

Note:
Do not mouse-click ComboFix's window while it is running; that may cause it to stall.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".

#3 Gingerbridgeman (Topic Starter)

Posted 19 November 2007 - 04:41 PM

Hi SifuMike, thanks for the help.

Below are my two logs, the ComboFix one first.

Richard.

ComboFix 07-11-08.1 - David Bridger 2007-11-15 19:12:55.1 - NTFSx86
Running from: C:\Documents and Settings\David Bridger\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\autorun.inf
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\pac.txt

.
((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.

2007-11-15 19:12 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-10 09:23 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-09 20:23 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-09 20:23 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\SUPERAntiSpyware.com
2007-11-09 20:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-09 19:37 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-09 14:42 <DIR> d-------- C:\Documents and Settings\David Bridger\.housecall6.6
2007-11-09 14:42 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-08 19:16 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\Smart PC Solutions
2007-11-08 17:38 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\RegistrySmart
2007-11-08 17:37 <DIR> d-------- C:\Program Files\RegistrySmart
2007-11-08 12:36 443,528 ---hs---- C:\WINDOWS\system32\ghhkj.bak2
2007-11-08 12:28 114,464 --a--c--- C:\WINDOWS\system32\drivers\naiavf5x.sys
2007-11-08 12:19 6,465 ---hs---- C:\WINDOWS\system32\ghhkj.bak1
2007-11-08 08:13 <DIR> d-------- C:\WINDOWS\system32\runtime
2007-11-07 20:05 <DIR> d-------- C:\Program Files\eMule
2007-11-07 09:52 <DIR> d-------- C:\Program Files\BitComet
2007-11-06 20:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-11-06 20:42 <DIR> d-------- C:\Program Files\NCH Software
2007-11-06 20:42 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\NCH Software
2007-11-06 20:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2007-11-06 20:22 1,916,928 --------- C:\WINDOWS\UNNVEContent.exe
2007-11-05 20:04 <DIR> d-------- C:\Patch
2007-11-05 16:39 0 --a------ C:\WINDOWS\system32\wvuttus.dll.vir
2007-11-05 09:58 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-05 08:03 <DIR> d-------- C:\WINDOWS\system32\Mz18r
2007-11-05 08:03 <DIR> d-------- C:\temp\mZOr
2007-11-04 17:14 786 --a------ C:\8979.bat
2007-11-04 11:55 <DIR> d-------- C:\VundoFix Backups
2007-11-04 10:00 786 --a------ C:\6321.bat
2007-11-04 09:23 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-11-04 08:04 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\AdwareAlert
2007-11-04 07:53 786 --a------ C:\6737.bat
2007-11-04 07:53 786 --a------ C:\4292.bat
2007-11-03 17:38 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2007-11-03 17:38 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2007-11-03 07:43 82 --a------ C:\n.bat
2007-11-03 07:43 0 --a------ C:\z.dat
2007-11-02 19:42 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-10-26 18:56 <DIR> d-------- C:\Program Files\Monkey's Audio
2007-10-26 18:50 <DIR> d-------- C:\Program Files\Winamp
2007-10-26 18:50 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\Winamp
2007-10-25 18:44 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\Apple Computer
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2007-10-21 12:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-21 12:38 <DIR> d-------- C:\Program Files\UG
2007-10-21 12:38 <DIR> d-------- C:\Program Files\Readme
2007-10-21 12:38 <DIR> d-------- C:\Program Files\PDir
2007-10-21 12:38 <DIR> d-------- C:\Program Files\Free Trials
2007-10-21 12:37 <DIR> d-------- C:\Program Files\Bonus
2007-10-21 12:37 <DIR> d-------- C:\Program Files\AutoRun
2007-10-17 19:03 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\BitTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 19:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2007-11-15 19:01 0 -c--a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2007-11-14 18:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-10 09:07 --------- d-----w C:\Program Files\QuickTime
2007-11-10 09:05 --------- d-----w C:\Program Files\PC Tools Firewall Plus
2007-11-10 09:03 --------- d-----w C:\Program Files\Kontiki
2007-11-09 20:23 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-09 15:55 22 ----a-w C:\WINDOWS\Fonts\a.zip
2007-11-09 15:25 518 ----a-w C:\Program Files\Shortcut to Internet Explorer.lnk
2007-11-09 14:42 --------- d-----w C:\Program Files\AOL 9.0b
2007-11-09 08:33 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-08 17:04 --------- d-----w C:\Program Files\Google
2007-11-08 12:28 --------- d-----w C:\Program Files\McAfee.com
2007-11-08 12:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-11-08 12:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-05 19:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-05 09:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-11-03 07:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-10-30 15:25 --------- d-----w C:\Documents and Settings\David Bridger\Application Data\CyberLink
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 18:39 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-21 17:24 --------- d-----w C:\Program Files\DivX
2007-10-21 15:17 --------- d-----w C:\Program Files\Ulead Systems
2007-10-21 12:52 --------- d-----w C:\Program Files\CyberLink
2007-10-15 18:03 --------- d-----w C:\Program Files\Picasa2
2007-10-15 10:13 --------- d-----w C:\Program Files\Common Files\Logishrd
2007-10-12 14:05 --------- d-----w C:\Program Files\EPSON
2007-10-10 18:32 --------- d-----w C:\Documents and Settings\David Bridger\Application Data\PCToolsFirewallPlus
2007-10-10 18:30 --------- d-----w C:\Program Files\Common Files\PC Tools
2007-10-08 19:50 --------- d-----w C:\Program Files\Java
2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 16:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-09-28 16:07 43,528 -c----w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-09-28 16:07 3,596,288 -c--a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 16:07 200,704 -c--a-w C:\WINDOWS\system32\ssldivx.dll
2007-09-28 16:07 129,784 -c--a-w C:\WINDOWS\system32\pxafs.dll
2007-09-28 16:07 120,056 -c--a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-09-28 16:07 118,520 -c--a-w C:\WINDOWS\system32\pxinsi64.exe
2007-09-28 16:07 1,044,480 -c--a-w C:\WINDOWS\system32\libdivx.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-28 16:05 81,920 -c--a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-28 16:05 593,920 -c--a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-09-28 16:05 57,344 -c--a-w C:\WINDOWS\system32\dpv11.dll
2007-09-28 16:05 53,248 -c--a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-09-28 16:05 344,064 -c--a-w C:\WINDOWS\system32\dpus11.dll
2007-09-28 16:05 294,912 -c--a-w C:\WINDOWS\system32\dpu11.dll
2007-09-28 16:05 294,912 -c--a-w C:\WINDOWS\system32\dpu10.dll
2007-09-28 16:05 196,608 -c--a-w C:\WINDOWS\system32\dtu100.dll
2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-09-19 14:26 39,768 ----a-w C:\WINDOWS\system32\drivers\pctmp.sys
2007-09-19 14:26 195,928 ----a-w C:\WINDOWS\system32\drivers\pctfw2.sys
2007-09-19 14:26 17,752 ----a-w C:\WINDOWS\system32\drivers\pctssipc.sys
2007-09-19 14:26 114,008 ----a-w C:\WINDOWS\system32\drivers\pctfw.sys
2007-09-18 15:07 --------- d-----w C:\Program Files\Common Files\AOL
2007-09-18 09:47 48,704 -c--a-w C:\Documents and Settings\David Bridger\Application Data\GDIPFONTCACHEV1.DAT
2007-09-10 15:32 560 -c--a-w C:\Documents and Settings\David Bridger\Application Data\ViewerApp.dat
2007-08-21 06:15 683,520 -c--a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-20 10:04 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-05-19 11:50 84,876 ----a-w C:\Program Files\PowerDirector.ico
2007-05-19 11:50 57 ----a-w C:\Program Files\SN.txt
2006-02-18 10:55 251 -c--a-w C:\Program Files\wt3d.ini
2006-02-22 09:11:03 104 -csh--r C:\WINDOWS\system32\0F2C5CBD34.sys
2007-07-21 17:08:27 56 -csh--r C:\WINDOWS\system32\334642A4E2.sys
2006-03-12 09:09:16 56 -csh--r C:\WINDOWS\system32\4231EEA5B5.sys
2007-07-21 17:08:27 5,018 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 18:29]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-21 12:46]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 10:44]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02]
"SmartDefrag"="C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [2007-10-19 12:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 17:40 C:\WINDOWS\MIDIDEF.EXE]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-31 07:03]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Broadband Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Broadband Assistant.lnk
backup=C:\WINDOWS\pss\AOL Broadband Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
C:\WINDOWS\kdx\KHost.exe -all

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
"C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
Rundll32 CTMBHA.DLL,MBMon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
"C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray

R1 pctfw2;pctfw2;\??\C:\WINDOWS\system32\drivers\pctfw2.sys
R1 pctmp;PC Tools Firewall Memory Protection Driver;C:\WINDOWS\system32\drivers\pctmp.sys
R1 pctssipc;PC Tools Security Suite IPC Driver;C:\WINDOWS\system32\drivers\pctssipc.sys
R3 csaudio;USB2.0 Audio Device Driver;C:\WINDOWS\system32\DRIVERS\CsAud.sys
R3 DCamUSB20;Hi-Speed USB DVD Creator;C:\WINDOWS\system32\Drivers\CsMini20.sys
R3 Usb20Scan;BELKIN Still Image;C:\WINDOWS\system32\Drivers\cresscan.sys
S2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys
S3 UPnPService;UPnPService;C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-11-04 08:04:52 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.exe
"2007-11-09 07:26:29 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.exe
"2007-11-11 22:00:00 C:\WINDOWS\Tasks\SmartDefrag.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 19:17:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-15 19:17:55
.
--- E O F ---





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:20:47, on 15/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
c:\program files\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\AOL\1184936867\ee\aolsoftware.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9871 bytes

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:13 AM

Posted 19 November 2007 - 11:16 PM

Hi Gingerbridgeman,

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\system32\ghhkj.bak2
C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\wvuttus.dll.vir

Folder:: 
C:\VundoFix Backups


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
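The CFScript in the post above lists, in a File:: section and a Folder:: section, the items ComboFix should remove; the files named are the ones the earlier ComboFix report showed dropped into system32 with the hidden and system attributes set. As an added example (not part of this thread and not ComboFix's or SifuMike's own code), the Python below parses lines in the format of a ComboFix "Files Created" report, flags files written directly into system32 with hidden+system attributes or with the five-letter-random-name .bak/.ini pattern of ghhkj.*, and renders the flagged paths in the same File::/Folder:: layout. The sample lines are copied from the ComboFix log posted in this thread; the heuristics, function names and the SYSTEM32 constant are my own assumptions, meant as a triage aid for reading such a log, not as a replacement for the helper's judgement.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# One line of a ComboFix "Files Created" report, e.g.
#   2007-11-08 12:36 443,528 ---hs---- C:\WINDOWS\system32\ghhkj.bak2
#   2007-11-05 09:58 <DIR> d--h----- C:\WINDOWS\PIF
# The nine-character flag field carries d(irectory), a(rchive), h(idden),
# s(ystem) and other attribute letters; '-' means the attribute is clear.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[-A-Za-z]{9})\s+"
    r"(?P<path>\S.*)$"
)

# Assumed system directory prefix (lower-cased for comparison).
SYSTEM32 = "c:\\windows\\system32\\"

# Sample input: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2007-10-22 to 2007-11-22 )))))))))))))))))))))))))))))))
.
2007-11-09 14:42 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-08 12:36 443,528 ---hs---- C:\WINDOWS\system32\ghhkj.bak2
2007-11-08 12:28 114,464 --a--c--- C:\WINDOWS\system32\drivers\naiavf5x.sys
2007-11-08 12:19 6,465 ---hs---- C:\WINDOWS\system32\ghhkj.bak1
2007-11-08 12:17 443,877 ---hs---- C:\WINDOWS\system32\ghhkj.ini
2007-11-08 11:37 0 --a------ C:\WINDOWS\system32\asfiles.txt
2007-11-05 09:58 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-03 17:38 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
"""


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]  # None for <DIR> entries
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.size is None

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


def parse_files_created(text: str) -> List[Entry]:
    """Parse every line matching the report format; headers and separators are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["date"], m["time"], size, m["attrs"], m["path"]))
    return entries


def suspicion_reasons(entry: Entry) -> List[str]:
    """Heuristics (my own, not ComboFix's) matching the ghhkj.* drop seen in this thread."""
    reasons: List[str] = []
    if entry.is_dir:
        return reasons
    low = entry.path.lower()
    # "Directly in system32" means no further path separator after the prefix,
    # so legitimate driver files under system32\drivers are not flagged by this rule.
    directly_in_system32 = low.startswith(SYSTEM32) and "\\" not in low[len(SYSTEM32):]
    if directly_in_system32 and entry.hidden and entry.system:
        reasons.append("hidden+system file written directly into system32")
    if directly_in_system32 and re.search(r"\\[a-z]{5}\.(bak\d+|ini)$", low):
        reasons.append("five-letter random name with a .bak/.ini extension")
    return reasons


def flagged_paths(entries: Sequence[Entry]) -> List[str]:
    """Paths of all entries that trigger at least one heuristic, in log order."""
    return [e.path for e in entries if suspicion_reasons(e)]


def build_cfscript(files: Sequence[str], folders: Sequence[str] = ()) -> str:
    """Render the File:: / Folder:: layout used by the CFScript in the post above."""
    lines = ["File::", *files]
    if folders:
        lines += ["", "Folder::", *folders]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_files_created(SAMPLE_LOG)
    for e in found:
        for reason in suspicion_reasons(e):
            print(f"{e.path}: {reason}")
    print(build_cfscript(flagged_paths(found), [r"C:\VundoFix Backups"]))
```

Run stand-alone it prints the three ghhkj.* paths with their reasons and a CFScript identical in layout to the one SifuMike posted; the McAfee and Trend Micro drivers under system32\drivers and the hidden PIF directory are not flagged.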

#5 Gingerbridgeman

Gingerbridgeman
  • Topic Starter

  • Members
  • 30 posts
  • Local time:08:13 AM

Posted 25 November 2007 - 02:25 PM

Hi SifuMike, here are my two logs. Combofix first.

Thanks,

Richard.

ComboFix 07-11-19.3 - David Bridger 2007-11-22 17:16:52.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.550 [GMT 0:00]
Running from: C:\Documents and Settings\David Bridger\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-22 to 2007-11-22 )))))))))))))))))))))))))))))))
.

2007-11-22 13:29 <DIR> d-------- C:\Documents and Settings\David Bridger\CG Cache
2007-11-21 16:37 14,604 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2007-11-10 09:23 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-09 20:23 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-09 20:23 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\SUPERAntiSpyware.com
2007-11-09 20:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-09 19:37 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-09 14:42 <DIR> d-------- C:\Documents and Settings\David Bridger\.housecall6.6
2007-11-09 14:42 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-08 19:16 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\Smart PC Solutions
2007-11-08 17:38 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\RegistrySmart
2007-11-08 17:37 <DIR> d-------- C:\Program Files\RegistrySmart
2007-11-08 12:36 443,528 ---hs---- C:\WINDOWS\system32\ghhkj.bak2
2007-11-08 12:28 114,464 --a--c--- C:\WINDOWS\system32\drivers\naiavf5x.sys
2007-11-08 12:19 6,465 ---hs---- C:\WINDOWS\system32\ghhkj.bak1
2007-11-08 12:17 443,877 ---hs---- C:\WINDOWS\system32\ghhkj.ini
2007-11-08 11:37 0 --a------ C:\WINDOWS\system32\asfiles.txt
2007-11-08 11:25 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-08 11:25 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-07 20:05 <DIR> d-------- C:\Program Files\eMule
2007-11-07 09:52 <DIR> d-------- C:\Program Files\BitComet
2007-11-06 20:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-11-06 20:42 <DIR> d-------- C:\Program Files\NCH Software
2007-11-06 20:42 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\NCH Software
2007-11-06 20:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2007-11-06 20:22 1,916,928 --------- C:\WINDOWS\UNNVEContent.exe
2007-11-05 20:04 <DIR> d-------- C:\Patch
2007-11-05 09:58 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-05 08:03 <DIR> d-------- C:\temp\mZOr
2007-11-04 17:14 786 --a------ C:\8979.bat
2007-11-04 10:00 786 --a------ C:\6321.bat
2007-11-04 09:23 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-11-04 08:04 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\AdwareAlert
2007-11-04 07:53 786 --a------ C:\6737.bat
2007-11-04 07:53 786 --a------ C:\4292.bat
2007-11-03 17:38 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2007-11-03 07:43 82 --a------ C:\n.bat
2007-11-03 07:43 0 --a------ C:\z.dat
2007-11-02 19:42 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-10-26 18:56 <DIR> d-------- C:\Program Files\Monkey's Audio
2007-10-26 18:50 <DIR> d-------- C:\Program Files\Winamp
2007-10-26 18:50 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\Winamp
2007-10-25 18:44 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-22 17:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2007-11-22 17:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-22 13:26 0 -c--a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2007-11-22 13:24 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-21 16:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-19 19:44 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2007-11-19 19:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-11-10 09:07 --------- d-----w C:\Program Files\QuickTime
2007-11-10 09:05 --------- d-----w C:\Program Files\PC Tools Firewall Plus
2007-11-10 09:03 --------- d-----w C:\Program Files\Kontiki
2007-11-09 20:23 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-09 15:55 22 ----a-w C:\WINDOWS\Fonts\a.zip
2007-11-09 15:25 518 ----a-w C:\Program Files\Shortcut to Internet Explorer.lnk
2007-11-09 14:42 --------- d-----w C:\Program Files\AOL 9.0b
2007-11-09 08:33 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-08 17:04 --------- d-----w C:\Program Files\Google
2007-11-08 12:28 --------- d-----w C:\Program Files\McAfee.com
2007-11-08 12:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-11-08 12:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-05 09:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-11-03 07:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-10-30 15:25 --------- d-----w C:\Documents and Settings\David Bridger\Application Data\CyberLink
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 10:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-21 17:24 --------- d-----w C:\Program Files\DivX
2007-10-21 12:52 --------- d-----w C:\Program Files\CyberLink
2007-10-21 12:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-21 12:39 --------- d-----w C:\Program Files\UG
2007-10-21 12:39 --------- d-----w C:\Program Files\Readme
2007-10-21 12:39 --------- d-----w C:\Program Files\PDir
2007-10-21 12:38 --------- d-----w C:\Program Files\Free Trials
2007-10-21 12:38 --------- d-----w C:\Program Files\Bonus
2007-10-21 12:37 --------- d-----w C:\Program Files\AutoRun
2007-10-17 19:03 --------- d-----w C:\Documents and Settings\David Bridger\Application Data\BitTorrent
2007-10-15 18:03 --------- d-----w C:\Program Files\Picasa2
2007-10-15 10:13 --------- d-----w C:\Program Files\Common Files\Logishrd
2007-10-12 14:05 --------- d-----w C:\Program Files\EPSON
2007-10-10 18:32 --------- d-----w C:\Documents and Settings\David Bridger\Application Data\PCToolsFirewallPlus
2007-10-10 18:30 --------- d-----w C:\Program Files\Common Files\PC Tools
2007-10-08 19:50 --------- d-----w C:\Program Files\Java
2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 16:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-09-28 16:07 43,528 -c----w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-09-28 16:07 3,596,288 -c--a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 16:07 200,704 -c--a-w C:\WINDOWS\system32\ssldivx.dll
2007-09-28 16:07 129,784 -c--a-w C:\WINDOWS\system32\pxafs.dll
2007-09-28 16:07 120,056 -c--a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-09-28 16:07 118,520 -c--a-w C:\WINDOWS\system32\pxinsi64.exe
2007-09-28 16:07 1,044,480 -c--a-w C:\WINDOWS\system32\libdivx.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-28 16:05 81,920 -c--a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-28 16:05 593,920 -c--a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-09-28 16:05 57,344 -c--a-w C:\WINDOWS\system32\dpv11.dll
2007-09-28 16:05 53,248 -c--a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-09-28 16:05 344,064 -c--a-w C:\WINDOWS\system32\dpus11.dll
2007-09-28 16:05 294,912 -c--a-w C:\WINDOWS\system32\dpu11.dll
2007-09-28 16:05 294,912 -c--a-w C:\WINDOWS\system32\dpu10.dll
2007-09-28 16:05 196,608 -c--a-w C:\WINDOWS\system32\dtu100.dll
2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-09-18 09:47 48,704 -c--a-w C:\Documents and Settings\David Bridger\Application Data\GDIPFONTCACHEV1.DAT
2007-09-10 15:32 560 -c--a-w C:\Documents and Settings\David Bridger\Application Data\ViewerApp.dat
2007-05-19 11:50 84,876 ----a-w C:\Program Files\PowerDirector.ico
2007-05-19 11:50 57 ----a-w C:\Program Files\SN.txt
2006-02-18 10:55 251 -c--a-w C:\Program Files\wt3d.ini
2006-02-22 09:11 104 -csh--r C:\WINDOWS\system32\0F2C5CBD34.sys
2007-07-21 17:08 56 -csh--r C:\WINDOWS\system32\334642A4E2.sys
2006-03-12 09:09 56 -csh--r C:\WINDOWS\system32\4231EEA5B5.sys
2007-07-21 17:08 5,018 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 17:40 C:\WINDOWS\MIDIDEF.EXE]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-31 07:03]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 18:29]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-21 12:46]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 10:44]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02]
"SmartDefrag"="C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [2007-10-19 12:25]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 05:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Broadband Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Broadband Assistant.lnk
backup=C:\WINDOWS\pss\AOL Broadband Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
C:\WINDOWS\kdx\KHost.exe -all

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2007-07-20 18:28 67128 --a--c--- C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe /hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
Rundll32 CTMBHA.DLL,MBMon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-05-19 19:38 1957888 -----c--- C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a--c--- C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-03-31 07:03 68856 --a--c--- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe /tray

R1 pctfw2;pctfw2;\??\C:\WINDOWS\system32\drivers\pctfw2.sys
R1 pctmp;PC Tools Firewall Memory Protection Driver;C:\WINDOWS\system32\drivers\pctmp.sys
R1 pctssipc;PC Tools Security Suite IPC Driver;C:\WINDOWS\system32\drivers\pctssipc.sys
R3 csaudio;USB2.0 Audio Device Driver;C:\WINDOWS\system32\DRIVERS\CsAud.sys
R3 DCamUSB20;Hi-Speed USB DVD Creator;C:\WINDOWS\system32\Drivers\CsMini20.sys
R3 Usb20Scan;BELKIN Still Image;C:\WINDOWS\system32\Drivers\cresscan.sys
S2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys
S3 UPnPService;UPnPService;C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-04 08:04:52 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2007-11-09 07:26:29 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.ex
- C:\Program Files\RegistrySmart
"2007-11-11 22:00:00 C:\WINDOWS\Tasks\SmartDefrag.job"
- C:\Program Files\IObit\IObit SmartDefrag\schedule.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-22 17:18:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-22 17:19:42
C:\ComboFix2.txt ... 2007-11-15 19:17
.
--- E O F



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:22:46, on 22/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\mcafee.com\vso\mcvsescn.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Common Files\AOL\1184936867\ee\aolsoftware.exe
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Padus, Inc. - (no file)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9969 bytes

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:13 AM

Posted 25 November 2007 - 04:16 PM

Hi Gingerbridgeman,

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\system32\ghhkj.bak2
C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\ghhkj.ini
C:\n.bat
C:\z.dat
C:\8979.bat
C:\6321.bat
C:\6737.bat
C:\4292.bat

Folder:: 
C:\temp\mZOr


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
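
The CFScript procedure above (a File:: section and a Folder:: section handed to ComboFix) is only half the job; the helper then has to read the returned ComboFix report and confirm that every requested path really shows up under "Other Deletions". The following Python is an added example written for this page, not code from the thread and not part of ComboFix or HijackThis. It parses a CFScript in the format SifuMike posts, pulls the "Other Deletions" section out of a ComboFix report, and reports which requested paths were deleted, which were not, and which extra paths ComboFix removed on its own. The sample script is the one posted above; the sample report is an abridged, constructed copy of the layout of the ComboFix log posted later in this thread. Function names (parse_cfscript, parse_report_section, verify_cleanup) are my own.

```python
"""Check a ComboFix report against the CFScript that drove it.

Added example for this thread. Sample inputs are constructed from the posts
above and are not real files on any machine.
"""
import re
from typing import Dict, List

# Constructed sample: the CFScript posted in the reply above.
SAMPLE_CFSCRIPT = r"""File::
C:\WINDOWS\system32\ghhkj.bak2
C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\ghhkj.ini
C:\n.bat
C:\z.dat
C:\8979.bat
C:\6321.bat
C:\6737.bat
C:\4292.bat

Folder::
C:\temp\mZOr
"""

# Constructed sample: an abridged ComboFix report in the same layout as the one
# posted later in the thread. Note that ComboFix echoes the requested FILE list
# before the banner; that echo must not be mistaken for a deletion.
SAMPLE_REPORT = r"""ComboFix 07-11-19.3 - David Bridger 2007-11-26 13:50:15.4 - NTFSx86
Command switches used :: C:\Documents and Settings\David Bridger\Desktop\CFScript.txt

FILE
C:\4292.bat
C:\n.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\4292.bat
C:\6321.bat
C:\6737.bat
C:\8979.bat
C:\n.bat
C:\temp\mZOr
C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\ghhkj.bak2
C:\WINDOWS\system32\ghhkj.ini
C:\z.dat

.
((((((((((((((((((((((((( Files Created from 2007-10-26 to 2007-11-26 )))))))))))))))))))))))))))))))
.
2007-11-24 20:08 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
"""

SECTION_RE = re.compile(r"^(\w+)::\s*$")        # CFScript directives: File::, Folder::, ...
BANNER_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")  # ComboFix "((( Title )))" section banners


def norm(path: str) -> str:
    """NTFS paths are case-insensitive, so compare them lower-cased and trimmed."""
    return path.strip().lower()


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Return {"File": [...], "Folder": [...], ...} from a CFScript body."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_report_section(report: str, title: str) -> List[str]:
    """Return the path lines that sit between the banner `title` and the next banner."""
    paths: List[str] = []
    inside = False
    for raw in report.splitlines():
        line = raw.strip()
        m = BANNER_RE.match(line)
        if m:
            inside = m.group(1).lower() == title.lower()
            continue
        if inside and line and line != ".":
            paths.append(line)
    return paths


def verify_cleanup(script_text: str, report_text: str) -> Dict[str, List[str]]:
    """Compare what the CFScript asked for with what ComboFix reports deleting."""
    script = parse_cfscript(script_text)
    requested = {norm(p) for key in ("File", "Folder") for p in script.get(key, [])}
    deleted = {norm(p) for p in parse_report_section(report_text, "Other Deletions")}
    return {
        "deleted": sorted(requested & deleted),     # asked for and confirmed gone
        "missing": sorted(requested - deleted),     # asked for but not reported deleted
        "unexpected": sorted(deleted - requested),  # removed by ComboFix on its own
    }


if __name__ == "__main__":
    for key, paths in verify_cleanup(SAMPLE_CFSCRIPT, SAMPLE_REPORT).items():
        print(f"{key}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Two points of design worth noting. Only lines between the "Other Deletions" banner and the next banner count as deletions; the report also echoes the requested FILE list near the top, and a naive grep for the paths would count that echo as success. Comparison is case-insensitive because NTFS is. A path showing up as deleted only says ComboFix removed it at that moment; Vundo is known to drop fresh copies, which is exactly why the post above asks for a new HijackThis log alongside the Combofix.txt rather than treating the deletion list as the end of the matter.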

#7 Gingerbridgeman

Gingerbridgeman
  • Topic Starter

  • Members
  • 30 posts
  • Local time:08:13 AM

Posted 28 November 2007 - 04:01 PM

Hi SifuMike. Here are my two logs again. As ever, Combofix first.

Thanks,

Richard.

ComboFix 07-11-19.3 - David Bridger 2007-11-26 13:50:15.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1513 [GMT 0:00]
Running from: C:\Documents and Settings\David Bridger\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David Bridger\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\4292.bat
C:\6321.bat
C:\6737.bat
C:\8979.bat
C:\n.bat
C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\ghhkj.bak2
C:\WINDOWS\system32\ghhkj.ini
C:\z.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\4292.bat
C:\6321.bat
C:\6737.bat
C:\8979.bat
C:\n.bat
C:\temp\mZOr
C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\ghhkj.bak2
C:\WINDOWS\system32\ghhkj.ini
C:\z.dat

.
((((((((((((((((((((((((( Files Created from 2007-10-26 to 2007-11-26 )))))))))))))))))))))))))))))))
.

2007-11-24 20:08 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-11-23 19:46 <DIR> d-------- C:\WINDOWS\system32\Dell
2007-11-23 17:24 <DIR> d-------- C:\Program Files\Free Window Registry Repair
2007-11-23 17:06 5,914,648 --a------ C:\Program Files\SUPERAntiSpyware.exe
2007-11-23 16:17 <DIR> d-------- C:\Install
2007-11-23 15:58 487,424 --a------ C:\FDS3WIN A00.exe
2007-11-23 15:41 6,977 --a------ C:\WINDOWS\system32\DDMI2.sys
2007-11-23 15:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2007-11-23 15:34 <DIR> d-------- C:\Program Files\Dell Support Center
2007-11-23 15:34 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2007-11-23 15:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-11-23 15:03 <DIR> d-------- C:\Program Files\RegCleaner
2007-11-22 13:29 <DIR> d-------- C:\Documents and Settings\David Bridger\CG Cache
2007-11-22 13:24 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2007-11-22 13:24 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2007-11-22 13:24 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-11-22 13:24 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2007-11-21 16:37 14,604 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2007-11-10 09:23 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-09 20:23 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-09 20:23 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\SUPERAntiSpyware.com
2007-11-09 20:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-09 19:37 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-09 14:42 <DIR> d-------- C:\Documents and Settings\David Bridger\.housecall6.6
2007-11-09 14:42 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-08 19:16 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\Smart PC Solutions
2007-11-08 17:38 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\RegistrySmart
2007-11-08 17:37 <DIR> d-------- C:\Program Files\RegistrySmart
2007-11-08 12:28 114,464 --a--c--- C:\WINDOWS\system32\drivers\naiavf5x.sys
2007-11-08 11:37 0 --a------ C:\WINDOWS\system32\asfiles.txt
2007-11-08 11:25 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-08 08:13 <DIR> d-------- C:\WINDOWS\system32\runtime
2007-11-07 20:05 <DIR> d-------- C:\Program Files\eMule
2007-11-07 09:52 <DIR> d-------- C:\Program Files\BitComet
2007-11-06 20:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-11-06 20:42 <DIR> d-------- C:\Program Files\NCH Software
2007-11-06 20:42 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\NCH Software
2007-11-06 20:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2007-11-06 20:22 1,916,928 --------- C:\WINDOWS\UNNVEContent.exe
2007-11-05 20:04 <DIR> d-------- C:\Patch
2007-11-05 16:39 0 --a------ C:\WINDOWS\system32\wvuttus.dll.vir
2007-11-05 09:58 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-05 08:03 <DIR> d-------- C:\WINDOWS\system32\Mz18r
2007-11-04 09:23 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-11-04 08:04 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\AdwareAlert
2007-11-03 17:38 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2007-11-03 17:38 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2007-11-02 19:42 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-10-26 18:50 <DIR> d-------- C:\Program Files\Winamp
2007-10-26 18:50 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\Winamp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-26 13:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2007-11-26 12:09 0 -c--a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2007-11-25 21:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-24 16:20 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-23 19:21 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-23 19:18 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-23 16:55 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-23 16:26 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-23 16:26 --------- d-----w C:\Program Files\RGB
2007-11-23 16:26 --------- d-----w C:\Program Files\DivX
2007-11-23 16:26 --------- d-----w C:\Program Files\AOL Toolbar(2)
2007-11-23 16:26 --------- d-----w C:\Program Files\Adobe Photoshop Elements
2007-11-23 15:41 --------- d--h--w C:\Documents and Settings\David Bridger\Application Data\GTek
2007-11-23 14:43 --------- d-----w C:\Program Files\Sony Corporation
2007-11-23 14:42 --------- d-----w C:\Program Files\MAGIX
2007-11-23 11:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-19 19:44 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2007-11-19 19:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-11-10 09:07 --------- d-----w C:\Program Files\QuickTime
2007-11-10 09:05 --------- d-----w C:\Program Files\PC Tools Firewall Plus
2007-11-10 09:03 --------- d-----w C:\Program Files\Kontiki
2007-11-09 15:55 22 ----a-w C:\WINDOWS\Fonts\a.zip
2007-11-09 15:25 518 ----a-w C:\Program Files\Shortcut to Internet Explorer.lnk
2007-11-09 14:42 --------- d-----w C:\Program Files\AOL 9.0b
2007-11-08 17:04 --------- d-----w C:\Program Files\Google
2007-11-08 12:28 --------- d-----w C:\Program Files\McAfee.com
2007-11-08 12:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-11-08 12:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-05 09:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-11-03 07:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-10-30 15:25 --------- d-----w C:\Documents and Settings\David Bridger\Application Data\CyberLink
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 18:44 --------- d-----w C:\Documents and Settings\David Bridger\Application Data\Apple Computer
2007-10-25 10:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-21 12:52 --------- d-----w C:\Program Files\CyberLink
2007-10-21 12:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-21 12:39 --------- d-----w C:\Program Files\UG
2007-10-21 12:39 --------- d-----w C:\Program Files\Readme
2007-10-21 12:39 --------- d-----w C:\Program Files\PDir
2007-10-21 12:38 --------- d-----w C:\Program Files\Free Trials
2007-10-21 12:38 --------- d-----w C:\Program Files\Bonus
2007-10-21 12:37 --------- d-----w C:\Program Files\AutoRun
2007-10-17 19:03 --------- d-----w C:\Documents and Settings\David Bridger\Application Data\BitTorrent
2007-10-15 18:03 --------- d-----w C:\Program Files\Picasa2
2007-10-15 10:13 --------- d-----w C:\Program Files\Common Files\Logishrd
2007-10-12 14:05 --------- d-----w C:\Program Files\EPSON
2007-10-10 18:32 --------- d-----w C:\Documents and Settings\David Bridger\Application Data\PCToolsFirewallPlus
2007-10-10 18:30 --------- d-----w C:\Program Files\Common Files\PC Tools
2007-10-08 19:50 --------- d-----w C:\Program Files\Java
2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 16:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-09-28 16:07 43,528 -c----w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-09-28 16:07 3,596,288 -c--a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 16:07 200,704 -c--a-w C:\WINDOWS\system32\ssldivx.dll
2007-09-28 16:07 129,784 -c--a-w C:\WINDOWS\system32\pxafs.dll
2007-09-28 16:07 120,056 -c--a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-09-28 16:07 118,520 -c--a-w C:\WINDOWS\system32\pxinsi64.exe
2007-09-28 16:07 1,044,480 -c--a-w C:\WINDOWS\system32\libdivx.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-28 16:05 81,920 -c--a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-28 16:05 593,920 -c--a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-09-28 16:05 57,344 -c--a-w C:\WINDOWS\system32\dpv11.dll
2007-09-28 16:05 53,248 -c--a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-09-28 16:05 344,064 -c--a-w C:\WINDOWS\system32\dpus11.dll
2007-09-28 16:05 294,912 -c--a-w C:\WINDOWS\system32\dpu11.dll
2007-09-28 16:05 294,912 -c--a-w C:\WINDOWS\system32\dpu10.dll
2007-09-28 16:05 196,608 -c--a-w C:\WINDOWS\system32\dtu100.dll
2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-09-18 09:47 48,704 -c--a-w C:\Documents and Settings\David Bridger\Application Data\GDIPFONTCACHEV1.DAT
2007-09-10 15:32 560 -c--a-w C:\Documents and Settings\David Bridger\Application Data\ViewerApp.dat
2007-05-19 11:50 84,876 ----a-w C:\Program Files\PowerDirector.ico
2007-05-19 11:50 57 ----a-w C:\Program Files\SN.txt
2006-02-18 10:55 251 -c--a-w C:\Program Files\wt3d.ini
2006-02-22 09:11 104 -csh--r C:\WINDOWS\system32\0F2C5CBD34.sys
2007-07-21 17:08 56 -csh--r C:\WINDOWS\system32\334642A4E2.sys
2006-03-12 09:09 56 -csh--r C:\WINDOWS\system32\4231EEA5B5.sys
2007-07-21 17:08 5,018 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 17:40 C:\WINDOWS\MIDIDEF.EXE]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-31 07:03]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 09:23]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 18:29]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-21 12:46]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 10:44]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24]
"HostManager"="C:\Program Files\Common Files\AOL\1184936867\ee\AOLSoftware.exe" [2006-11-17 13:21]
"RegistryMechanic"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 05:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Broadband Assistant.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
C:\WINDOWS\kdx\KHost.exe -all

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2007-07-20 18:28 67128 --a--c--- C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe /hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
Rundll32 CTMBHA.DLL,MBMon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-05-19 19:38 1957888 -----c--- C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a--c--- C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-03-31 07:03 68856 --a--c--- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe /tray

R1 pctfw2;pctfw2;\??\C:\WINDOWS\system32\drivers\pctfw2.sys
R1 pctmp;PC Tools Firewall Memory Protection Driver;C:\WINDOWS\system32\drivers\pctmp.sys
R1 pctssipc;PC Tools Security Suite IPC Driver;C:\WINDOWS\system32\drivers\pctssipc.sys
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter
R3 csaudio;USB2.0 Audio Device Driver;C:\WINDOWS\system32\DRIVERS\CsAud.sys
R3 DCamUSB20;Hi-Speed USB DVD Creator;C:\WINDOWS\system32\Drivers\CsMini20.sys
R3 Usb20Scan;BELKIN Still Image;C:\WINDOWS\system32\Drivers\cresscan.sys
S2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys
S3 UPnPService;UPnPService;C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-04 08:04:52 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2007-11-09 07:26:29 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.ex
- C:\Program Files\RegistrySmart
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-26 13:54:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-26 13:55:00
C:\ComboFix2.txt ... 2007-11-22 17:19
C:\ComboFix3.txt ... 2007-11-15 19:17
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:58:44, on 26/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Common Files\AOL\1184936867\ee\AOLSoftware.exe
c:\program files\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1184936867\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/en/10/install/gtdownde.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Padus, Inc. - (no file)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10455 bytes

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:13 AM

Posted 28 November 2007 - 04:58 PM

Hi Gingerbridgeman,


You have a suspicious file we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.


Go to the next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'.
Click the browse button and browse to the next file:

C:\FDS3WIN A00.exe

Click Open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.
Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at VirusTotal so they can send me the scan results. They usually only take a couple of minutes to reply.
You can copy/paste the scan results here.





We just need to do some clean up.

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\system32\wvuttus.dll.vir

Folder:: 
C:\WINDOWS\system32\Mz18r


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
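The VirusTotal step above returns a per-engine table of the kind posted in the next reply. As an added example (not code from this thread, VirusTotal, ComboFix or any other tool named here), the Python below parses that table layout, counts how many engines flagged the file, separates heuristic "suspicious" verdicts from named signature detections, and lists engines whose signature date lags the scan date, since a clean verdict from an engine with stale signatures is weak evidence. The sample block inside it is a constructed subset modelled on the posted report, not the full report.

```python
"""Parse a VirusTotal-style per-engine result table (2007 web layout).

Added example for this thread; not code from VirusTotal or the posters.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Constructed subset modelled on the report posted in the thread.
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2007.11.29.0 2007.11.29 -
CAT-QuickHeal 9.00 2007.11.28 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.11.29 -
eSafe 7.0.15.0 2007.11.28 suspicious Trojan/Worm
Kaspersky 7.0.0.125 2007.11.29 -
McAfee 5173 2007.11.28 -
Prevx1 V2 2007.11.29 -
Sunbelt 2.2.907.0 2007.11.27 VIPRE.Suspicious
Symantec 10 2007.11.29 -
VirusBuster 4.3.26:9 2007.11.28 -
Additional information
File size: 487424 bytes
"""


@dataclass
class EngineResult:
    engine: str
    version: str
    updated: datetime   # signature database date for that engine
    verdict: str        # "" when the engine reported the file clean ("-")


# One engine per line: <engine> <version> <YYYY.MM.DD> <verdict...>
_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.*)$")


def parse_report(text: str) -> list[EngineResult]:
    """Return one EngineResult per engine line; header and footer lines are skipped."""
    results = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        engine, version, updated, verdict = m.groups()
        verdict = verdict.strip()
        results.append(EngineResult(
            engine,
            version,
            datetime.strptime(updated, "%Y.%m.%d"),
            "" if verdict == "-" else verdict,
        ))
    return results


def summarise(results: list[EngineResult], scan_date: str,
              max_age_days: int = 1) -> dict:
    """Count detections and flag engines whose signatures predate the scan.

    Verdicts containing "suspicious" are heuristic rather than a named
    signature match, so they are counted separately from named detections.
    """
    scanned = datetime.strptime(scan_date, "%Y.%m.%d")
    flagged = [r for r in results if r.verdict]
    heuristic = [r for r in flagged if "suspicious" in r.verdict.lower()]
    stale = [r.engine for r in results
             if (scanned - r.updated).days > max_age_days]
    return {
        "engines": len(results),
        "flagged": len(flagged),
        "heuristic": len(heuristic),
        "named": len(flagged) - len(heuristic),
        "ratio": f"{len(flagged)}/{len(results)}",
        "stale": stale,
    }


if __name__ == "__main__":
    summary = summarise(parse_report(SAMPLE_REPORT), "2007.11.29")
    for key, value in summary.items():
        print(f"{key}: {value}")
```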

#9 Gingerbridgeman

Gingerbridgeman
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:08:13 AM

Posted 29 November 2007 - 03:48 PM

Hi SifuMike. Here are the three logs, the VirusTotal one first, then ComboFix, then HijackThis.

Thanks again,

Gingerbridgeman

File FDS3WIN_A00.exe received on 11.29.2007 11:41:35 (CET)
Result: 3/32 (9.38%)

Antivirus Version Last Update Result
AhnLab-V3 2007.11.29.0 2007.11.29 -
AntiVir 7.6.0.34 2007.11.29 -
Authentium 4.93.8 2007.11.28 -
Avast 4.7.1074.0 2007.11.28 -
AVG 7.5.0.503 2007.11.28 -
BitDefender 7.2 2007.11.29 -
CAT-QuickHeal 9.00 2007.11.28 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.11.29 -
DrWeb 4.44.0.09170 2007.11.29 -
eSafe 7.0.15.0 2007.11.28 suspicious Trojan/Worm
eTrust-Vet 31.3.5335 2007.11.29 -
Ewido 4.0 2007.11.28 -
FileAdvisor 1 2007.11.29 -
Fortinet 3.14.0.0 2007.11.29 -
F-Prot 4.4.2.54 2007.11.28 -
F-Secure 6.70.13030.0 2007.11.29 -
Ikarus T3.1.1.12 2007.11.29 -
Kaspersky 7.0.0.125 2007.11.29 -
McAfee 5173 2007.11.28 -
Microsoft 1.3007 2007.11.29 -
NOD32v2 2692 2007.11.28 -
Norman 5.80.02 2007.11.28 -
Panda 9.0.0.4 2007.11.28 -
Prevx1 V2 2007.11.29 -
Rising 20.20.22.00 2007.11.29 -
Sophos 4.23.0 2007.11.29 -
Sunbelt 2.2.907.0 2007.11.27 VIPRE.Suspicious
Symantec 10 2007.11.29 -
TheHacker 6.2.9.144 2007.11.28 -
VBA32 3.12.2.5 2007.11.28 -
VirusBuster 4.3.26:9 2007.11.28 -
Webwasher-Gateway 6.6.2 2007.11.29 -
Additional information
File size: 487424 bytes
MD5: 8f272e1b9c8c6aa349dea1694577805e
SHA1: 4d60f8f836f6917b58d184cd5d826e09275c61f5
packers: UPX
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.


ComboFix 07-11-19.3 - David Bridger 2007-11-29 11:55:08.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1522 [GMT 0:00]
Running from: C:\Documents and Settings\David Bridger\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David Bridger\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\wvuttus.dll.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\Mz18r
C:\WINDOWS\system32\wvuttus.dll.vir

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.

2007-11-28 14:00 <DIR> d-------- C:\Program Files\New Folder
2007-11-28 12:42 <DIR> d-------- C:\Program Files\MagicISO
2007-11-26 20:02 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2007-11-24 20:08 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-11-23 19:46 <DIR> d-------- C:\WINDOWS\system32\Dell
2007-11-23 17:24 <DIR> d-------- C:\Program Files\Free Window Registry Repair
2007-11-23 17:06 5,914,648 --a------ C:\Program Files\SUPERAntiSpyware.exe
2007-11-23 16:17 <DIR> d-------- C:\Install
2007-11-23 15:58 487,424 --a------ C:\FDS3WIN A00.exe
2007-11-23 15:41 6,977 --a------ C:\WINDOWS\system32\DDMI2.sys
2007-11-23 15:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2007-11-23 15:34 <DIR> d-------- C:\Program Files\Dell Support Center
2007-11-23 15:34 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2007-11-23 15:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-11-23 15:03 <DIR> d-------- C:\Program Files\RegCleaner
2007-11-22 13:29 <DIR> d-------- C:\Documents and Settings\David Bridger\CG Cache
2007-11-22 13:24 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2007-11-22 13:24 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2007-11-22 13:24 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-11-22 13:24 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2007-11-21 16:37 14,604 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2007-11-10 09:23 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-09 20:23 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-09 20:23 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\SUPERAntiSpyware.com
2007-11-09 20:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-09 19:37 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-09 14:42 <DIR> d-------- C:\Documents and Settings\David Bridger\.housecall6.6
2007-11-09 14:42 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-08 19:16 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\Smart PC Solutions
2007-11-08 17:38 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\RegistrySmart
2007-11-08 17:37 <DIR> d-------- C:\Program Files\RegistrySmart
2007-11-08 12:28 114,464 --a--c--- C:\WINDOWS\system32\drivers\naiavf5x.sys
2007-11-08 11:37 0 --a------ C:\WINDOWS\system32\asfiles.txt
2007-11-08 11:25 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-08 08:13 <DIR> d-------- C:\WINDOWS\system32\runtime
2007-11-07 20:05 <DIR> d-------- C:\Program Files\eMule
2007-11-07 09:52 <DIR> d-------- C:\Program Files\BitComet
2007-11-06 20:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-11-06 20:42 <DIR> d-------- C:\Program Files\NCH Software
2007-11-06 20:42 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\NCH Software
2007-11-06 20:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2007-11-06 20:22 1,916,928 --------- C:\WINDOWS\UNNVEContent.exe
2007-11-05 20:04 <DIR> d-------- C:\Patch
2007-11-05 09:58 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-04 09:23 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-11-04 08:04 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\AdwareAlert
2007-11-03 17:38 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2007-11-03 17:38 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2007-11-02 19:42 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-29 12:00 0 -c--a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2007-11-29 11:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2007-11-29 09:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-29 08:48 --------- d-----w C:\Program Files\Adobe Photoshop Elements
2007-11-29 08:43 --------- d-----w C:\Program Files\EPSON
2007-11-26 14:07 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-11-26 14:05 --------- d-----w C:\Program Files\Roxio
2007-11-24 16:20 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-23 19:21 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-23 19:18 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-23 16:55 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-23 16:26 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-23 16:26 --------- d-----w C:\Program Files\RGB
2007-11-23 16:26 --------- d-----w C:\Program Files\DivX
2007-11-23 16:26 --------- d-----w C:\Program Files\AOL Toolbar(2)
2007-11-23 15:41 --------- d--h--w C:\Documents and Settings\David Bridger\Application Data\GTek
2007-11-23 14:43 --------- d-----w C:\Program Files\Sony Corporation
2007-11-23 14:42 --------- d-----w C:\Program Files\MAGIX
2007-11-23 11:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-19 19:44 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2007-11-19 19:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-11-10 09:07 --------- d-----w C:\Program Files\QuickTime
2007-11-10 09:05 --------- d-----w C:\Program Files\PC Tools Firewall Plus
2007-11-10 09:03 --------- d-----w C:\Program Files\Kontiki
2007-11-09 15:55 22 ----a-w C:\WINDOWS\Fonts\a.zip
2007-11-09 15:25 518 ----a-w C:\Program Files\Shortcut to Internet Explorer.lnk
2007-11-09 14:42 --------- d-----w C:\Program Files\AOL 9.0b
2007-11-08 17:04 --------- d-----w C:\Program Files\Google
2007-11-08 12:28 --------- d-----w C:\Program Files\McAfee.com
2007-11-08 12:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-11-08 12:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-05 09:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-11-03 07:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-10-30 15:25 --------- d-----w C:\Documents and Settings\David Bridger\Application Data\CyberLink
2007-10-26 18:54 --------- d-----w C:\Documents and Settings\David Bridger\Application Data\Winamp
2007-10-26 18:50 --------- d-----w C:\Program Files\Winamp
2007-10-25 18:44 --------- d-----w C:\Documents and Settings\David Bridger\Application Data\Apple Computer
2007-10-25 10:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-21 12:52 --------- d-----w C:\Program Files\CyberLink
2007-10-21 12:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-21 12:39 --------- d-----w C:\Program Files\UG
2007-10-21 12:39 --------- d-----w C:\Program Files\Readme
2007-10-21 12:39 --------- d-----w C:\Program Files\PDir
2007-10-21 12:38 --------- d-----w C:\Program Files\Free Trials
2007-10-21 12:38 --------- d-----w C:\Program Files\Bonus
2007-10-21 12:37 --------- d-----w C:\Program Files\AutoRun
2007-10-17 19:03 --------- d-----w C:\Documents and Settings\David Bridger\Application Data\BitTorrent
2007-10-15 18:03 --------- d-----w C:\Program Files\Picasa2
2007-10-15 10:13 --------- d-----w C:\Program Files\Common Files\Logishrd
2007-10-10 18:32 --------- d-----w C:\Documents and Settings\David Bridger\Application Data\PCToolsFirewallPlus
2007-10-10 18:30 --------- d-----w C:\Program Files\Common Files\PC Tools
2007-10-08 19:50 --------- d-----w C:\Program Files\Java
2007-09-28 16:07 43,528 -c----w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-09-18 09:47 48,704 -c--a-w C:\Documents and Settings\David Bridger\Application Data\GDIPFONTCACHEV1.DAT
2007-09-10 15:32 560 -c--a-w C:\Documents and Settings\David Bridger\Application Data\ViewerApp.dat
2007-05-19 11:50 84,876 ----a-w C:\Program Files\PowerDirector.ico
2007-05-19 11:50 57 ----a-w C:\Program Files\SN.txt
2006-02-18 10:55 251 -c--a-w C:\Program Files\wt3d.ini
2006-02-22 09:11 104 -csh--r C:\WINDOWS\system32\0F2C5CBD34.sys
2007-07-21 17:08 56 -csh--r C:\WINDOWS\system32\334642A4E2.sys
2006-03-12 09:09 56 -csh--r C:\WINDOWS\system32\4231EEA5B5.sys
2007-07-21 17:08 5,018 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 17:40 C:\WINDOWS\MIDIDEF.EXE]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-31 07:03]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 09:23]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 18:29]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-21 12:46]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 10:44]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24]
"HostManager"="C:\Program Files\Common Files\AOL\1184936867\ee\AOLSoftware.exe" [2006-11-17 13:21]
"RegistryMechanic"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 05:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Broadband Assistant.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
C:\WINDOWS\kdx\KHost.exe -all

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2007-07-20 18:28 67128 --a--c--- C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe /hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
Rundll32 CTMBHA.DLL,MBMon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-05-19 19:38 1957888 -----c--- C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a--c--- C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-03-31 07:03 68856 --a--c--- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe /tray

R1 pctfw2;pctfw2;\??\C:\WINDOWS\system32\drivers\pctfw2.sys
R1 pctmp;PC Tools Firewall Memory Protection Driver;C:\WINDOWS\system32\drivers\pctmp.sys
R1 pctssipc;PC Tools Security Suite IPC Driver;C:\WINDOWS\system32\drivers\pctssipc.sys
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter
R3 csaudio;USB2.0 Audio Device Driver;C:\WINDOWS\system32\DRIVERS\CsAud.sys
R3 DCamUSB20;Hi-Speed USB DVD Creator;C:\WINDOWS\system32\Drivers\CsMini20.sys
R3 Usb20Scan;BELKIN Still Image;C:\WINDOWS\system32\Drivers\cresscan.sys
S2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys
S3 UPnPService;UPnPService;C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-04 08:04:52 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2007-11-09 07:26:29 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.ex
- C:\Program Files\RegistrySmart
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 12:01:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-29 12:07:39 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-26 13:55
C:\ComboFix3.txt ... 2007-11-22 17:19
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:48, on 29/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\QuickTime\qttask.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Common Files\AOL\1184936867\ee\AOLSoftware.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\program files\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1184936867\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/en/10/install/gtdownde.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Padus, Inc. - (no file)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10958 bytes

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 29 November 2007 - 04:00 PM

Hi Gingerbridgeman,


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\FDS3WIN A00.exe


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
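
The HijackThis logs traded back and forth in this thread are read by hand, entry by entry. As an added example that is not part of the original posts and not a HijackThis or ComboFix feature, the Python below parses the `Rn`/`On` entry lines of a HijackThis v2 log and surfaces the entries an analyst looks at first: services whose binary is gone (`(no file)`), services with no company name (`Unknown owner`), unnamed BHOs, `O4` Run values that are a bare file name resolved through the PATH search order, and executables sitting in unusual directories. The flag names and the "odd location" directory list are this example's own heuristics, and the sample log is constructed from a handful of lines of the kind seen in this thread; a flagged line is a lead to verify (publisher, signature, hash), not a verdict.

```python
"""HijackThis v2 log triage (added example, not from the thread).

Parses the 'Rn'/'On' entry lines of a HijackThis log and flags the entries a
malware analyst would look at first. All flags are heuristics: a flagged line
still needs the file's publisher, signature and hash confirmed by hand.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Entry lines look like "O23 - Service: Name (svc) - Vendor - C:\path\file.exe".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
# First Windows path in the body that ends in an executable-type extension.
PATH_RE = re.compile(
    r"([A-Za-z]:\\[^\"<>|\r\n]*?\.(?:exe|dll|sys|ocx|scr|cpl))\b", re.IGNORECASE
)
# O4 Run value that is a bare file name, e.g. "[SetDefaultMIDI] MIDIDef.exe":
# Windows resolves it through the PATH search order, so it has no fixed location.
BARE_O4_RE = re.compile(
    r"^HK.*\\Run: \[[^\]]*\] ([^\\:\"]+\.exe)(?:\s*\(User '[^']*'\))?\s*$", re.IGNORECASE
)
# Directories where legitimate autostarts are rare (this example's own list).
ODD_DIRS = (
    re.compile(r"^[A-Za-z]:\\[^\\]+$", re.IGNORECASE),           # file in a drive root
    re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE),  # directly under \WINDOWS
    re.compile(r"\\Temp\\", re.IGNORECASE),
    re.compile(r"\\Local Settings\\", re.IGNORECASE),
)


@dataclass
class Entry:
    section: str
    body: str
    path: Optional[str]
    flags: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Return one Entry per Rn/On line; header, process list and blank lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        pm = PATH_RE.search(body)
        entries.append(Entry(m.group("section"), body, pm.group(1) if pm else None))
    return entries


def flag(entry: Entry) -> List[str]:
    """Attach heuristic flags to an entry and return them."""
    flags: List[str] = []
    if "(no file)" in entry.body:
        flags.append("no-file")          # registration left behind after the binary was removed
    if "Unknown owner" in entry.body:
        flags.append("unknown-owner")    # service binary carries no company name
    if entry.section == "O2" and "(no name)" in entry.body:
        flags.append("unnamed-bho")      # BHO with no registered display name
    if entry.section == "O4" and BARE_O4_RE.match(entry.body):
        flags.append("bare-filename")    # loaded via PATH search order, not a fixed path
    if entry.path and any(p.search(entry.path) for p in ODD_DIRS):
        flags.append("odd-location")
    entry.flags = flags
    return flags


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flag to the entry bodies that raised it, for the whole log."""
    report: Dict[str, List[str]] = {}
    for entry in parse_hjt(text):
        for name in flag(entry):
            report.setdefault(name, []).append(entry.body)
    return report


# Constructed sample: a few lines of the shape found in this thread's logs.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Padus, Inc. - (no file)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
"""

if __name__ == "__main__":
    # Usage: python hjt_triage.py hijackthis.log   (falls back to the built-in sample)
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for name, bodies in triage(text).items():
        for body in bodies:
            print(f"[{name}] {body}")
```

Run against a saved log it prints one `[flag] entry` line per hit. On the sample, the Spybot `SDHelper.dll` BHO is flagged only because HijackThis shows no display name for it and the AOL `wanmpsvc.exe` only because it lives directly under `C:\WINDOWS`; both are legitimate, which is the point of the heuristics: they shorten the list to check, they do not decide it.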

#11 Gingerbridgeman

Gingerbridgeman
  • Topic Starter

  • Members
  • 30 posts

Posted 29 November 2007 - 04:21 PM

Hi SifuMike. Same again, ComboFix then HijackThis.

ComboFix 07-11-19.3 - David Bridger 2007-11-29 21:11:28.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1444 [GMT 0:00]
Running from: C:\Documents and Settings\David Bridger\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David Bridger\Desktop\CFscript.txt
* Created a new restore point

FILE
C:\FDS3WIN A00.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\FDS3WIN A00.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.

2007-11-29 14:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-29 14:53 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-29 14:37 <DIR> d-------- C:\Program Files\MagicDisc
2007-11-29 14:37 92,544 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2007-11-29 14:10 <DIR> d-------- C:\New Folder
2007-11-28 14:00 <DIR> d-------- C:\Program Files\New Folder
2007-11-28 12:42 <DIR> d-------- C:\Program Files\MagicISO
2007-11-26 20:02 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2007-11-24 20:08 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-11-23 19:46 <DIR> d-------- C:\WINDOWS\system32\Dell
2007-11-23 17:24 <DIR> d-------- C:\Program Files\Free Window Registry Repair
2007-11-23 17:06 5,914,648 --a------ C:\Program Files\SUPERAntiSpyware.exe
2007-11-23 16:17 <DIR> d-------- C:\Install
2007-11-23 15:41 6,977 --a------ C:\WINDOWS\system32\DDMI2.sys
2007-11-23 15:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2007-11-23 15:34 <DIR> d-------- C:\Program Files\Dell Support Center
2007-11-23 15:34 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2007-11-23 15:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-11-23 15:03 <DIR> d-------- C:\Program Files\RegCleaner
2007-11-22 13:29 <DIR> d-------- C:\Documents and Settings\David Bridger\CG Cache
2007-11-22 13:24 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2007-11-22 13:24 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2007-11-22 13:24 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-11-22 13:24 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2007-11-21 16:37 14,604 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2007-11-10 09:23 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-09 20:23 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-09 20:23 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\SUPERAntiSpyware.com
2007-11-09 20:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-09 19:37 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-09 14:42 <DIR> d-------- C:\Documents and Settings\David Bridger\.housecall6.6
2007-11-09 14:42 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-08 19:16 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\Smart PC Solutions
2007-11-08 17:38 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\RegistrySmart
2007-11-08 17:37 <DIR> d-------- C:\Program Files\RegistrySmart
2007-11-08 12:28 114,464 --a--c--- C:\WINDOWS\system32\drivers\naiavf5x.sys
2007-11-08 11:37 0 --a------ C:\WINDOWS\system32\asfiles.txt
2007-11-08 11:25 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-08 08:13 <DIR> d-------- C:\WINDOWS\system32\runtime
2007-11-07 20:05 <DIR> d-------- C:\Program Files\eMule
2007-11-07 09:52 <DIR> d-------- C:\Program Files\BitComet
2007-11-06 20:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-11-06 20:42 <DIR> d-------- C:\Program Files\NCH Software
2007-11-06 20:42 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\NCH Software
2007-11-06 20:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2007-11-06 20:22 1,916,928 --------- C:\WINDOWS\UNNVEContent.exe
2007-11-05 20:04 <DIR> d-------- C:\Patch
2007-11-05 09:58 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-04 09:23 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-11-04 08:04 <DIR> d-------- C:\Documents and Settings\David Bridger\Application Data\AdwareAlert
2007-11-03 17:38 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2007-11-03 17:38 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2007-11-02 19:42 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-29 21:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2007-11-29 20:22 0 -c--a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2007-11-29 20:21 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-29 09:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-29 08:48 --------- d-----w C:\Program Files\Adobe Photoshop Elements
2007-11-29 08:43 --------- d-----w C:\Program Files\EPSON
2007-11-26 14:07 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-11-26 14:05 --------- d-----w C:\Program Files\Roxio
2007-11-23 19:21 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-23 19:18 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-23 16:55 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-23 16:26 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-23 16:26 --------- d-----w C:\Program Files\RGB
2007-11-23 16:26 --------- d-----w C:\Program Files\DivX
2007-11-23 16:26 --------- d-----w C:\Program Files\AOL Toolbar(2)
2007-11-23 15:41 --------- d--h--w C:\Documents and Settings\David Bridger\Application Data\GTek
2007-11-23 14:43 --------- d-----w C:\Program Files\Sony Corporation
2007-11-23 14:42 --------- d-----w C:\Program Files\MAGIX
2007-11-23 11:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-19 19:44 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2007-11-19 19:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-11-10 09:07 --------- d-----w C:\Program Files\QuickTime
2007-11-10 09:05 --------- d-----w C:\Program Files\PC Tools Firewall Plus
2007-11-10 09:03 --------- d-----w C:\Program Files\Kontiki
2007-11-09 15:55 22 ----a-w C:\WINDOWS\Fonts\a.zip
2007-11-09 15:25 518 ----a-w C:\Program Files\Shortcut to Internet Explorer.lnk
2007-11-09 14:42 --------- d-----w C:\Program Files\AOL 9.0b
2007-11-08 17:04 --------- d-----w C:\Program Files\Google
2007-11-08 12:28 --------- d-----w C:\Program Files\McAfee.com
2007-11-08 12:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-11-08 12:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-05 09:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-11-03 07:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-10-30 15:25 --------- d-----w C:\Documents and Settings\David Bridger\Application Data\CyberLink
2007-10-26 18:54 --------- d-----w C:\Documents and Settings\David Bridger\Application Data\Winamp
2007-10-26 18:50 --------- d-----w C:\Program Files\Winamp
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 18:44 --------- d-----w C:\Documents and Settings\David Bridger\Application Data\Apple Computer
2007-10-25 10:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-21 12:52 --------- d-----w C:\Program Files\CyberLink
2007-10-21 12:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-21 12:39 --------- d-----w C:\Program Files\UG
2007-10-21 12:39 --------- d-----w C:\Program Files\Readme
2007-10-21 12:39 --------- d-----w C:\Program Files\PDir
2007-10-21 12:38 --------- d-----w C:\Program Files\Free Trials
2007-10-21 12:38 --------- d-----w C:\Program Files\Bonus
2007-10-21 12:37 --------- d-----w C:\Program Files\AutoRun
2007-10-17 19:03 --------- d-----w C:\Documents and Settings\David Bridger\Application Data\BitTorrent
2007-10-15 18:03 --------- d-----w C:\Program Files\Picasa2
2007-10-15 10:13 --------- d-----w C:\Program Files\Common Files\Logishrd
2007-10-10 18:32 --------- d-----w C:\Documents and Settings\David Bridger\Application Data\PCToolsFirewallPlus
2007-10-10 18:30 --------- d-----w C:\Program Files\Common Files\PC Tools
2007-10-08 19:50 --------- d-----w C:\Program Files\Java
2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 16:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-09-28 16:07 43,528 -c----w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-09-28 16:07 3,596,288 -c--a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 16:07 200,704 -c--a-w C:\WINDOWS\system32\ssldivx.dll
2007-09-28 16:07 129,784 -c----w C:\WINDOWS\system32\pxafs.dll
2007-09-28 16:07 120,056 -c----w C:\WINDOWS\system32\pxcpyi64.exe
2007-09-28 16:07 118,520 -c----w C:\WINDOWS\system32\pxinsi64.exe
2007-09-28 16:07 1,044,480 -c--a-w C:\WINDOWS\system32\libdivx.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-28 16:05 81,920 -c--a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-28 16:05 593,920 -c--a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-09-28 16:05 57,344 -c--a-w C:\WINDOWS\system32\dpv11.dll
2007-09-28 16:05 53,248 -c--a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-09-28 16:05 344,064 -c--a-w C:\WINDOWS\system32\dpus11.dll
2007-09-28 16:05 294,912 -c--a-w C:\WINDOWS\system32\dpu11.dll
2007-09-28 16:05 294,912 -c--a-w C:\WINDOWS\system32\dpu10.dll
2007-09-28 16:05 196,608 -c--a-w C:\WINDOWS\system32\dtu100.dll
2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-09-18 09:47 48,704 -c--a-w C:\Documents and Settings\David Bridger\Application Data\GDIPFONTCACHEV1.DAT
2007-09-10 15:32 560 -c--a-w C:\Documents and Settings\David Bridger\Application Data\ViewerApp.dat
2007-09-06 13:56 646,592 ----a-w C:\WINDOWS\system32\ad2mcmpgdec.dll
2007-09-06 13:56 440,256 ----a-w C:\WINDOWS\system32\ad2mpegin.dll
2007-05-19 11:50 84,876 ----a-w C:\Program Files\PowerDirector.ico
2007-05-19 11:50 57 ----a-w C:\Program Files\SN.txt
2006-02-18 10:55 251 -c--a-w C:\Program Files\wt3d.ini
2006-02-22 09:11 104 -csh--r C:\WINDOWS\system32\0F2C5CBD34.sys
2007-07-21 17:08 56 -csh--r C:\WINDOWS\system32\334642A4E2.sys
2006-03-12 09:09 56 -csh--r C:\WINDOWS\system32\4231EEA5B5.sys
2007-07-21 17:08 5,018 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2007-11-29_12.04.33.89 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-29 20:20:30 335,872 ----a-r C:\WINDOWS\Installer\{3E2C691B-B7E6-4053-B5C3-94B8BC407E7A}\ARPPRODUCTICON.exe
+ 2007-11-29 20:20:30 335,872 ----a-r C:\WINDOWS\Installer\{3E2C691B-B7E6-4053-B5C3-94B8BC407E7A}\NewShortcut1_14A1135510994F9B95B3E47B0BCD5DC9.exe
+ 2007-11-29 20:20:30 335,872 ----a-r C:\WINDOWS\Installer\{3E2C691B-B7E6-4053-B5C3-94B8BC407E7A}\NewShortcut1_6CCDF4E6D2AE4DD880FDF9AFF951AEAE.exe
+ 2007-11-29 20:20:30 335,872 ----a-r C:\WINDOWS\Installer\{3E2C691B-B7E6-4053-B5C3-94B8BC407E7A}\NewShortcut3_530AFAFF6F0A48BB88D004F9658322D3.exe
+ 2007-11-29 15:00:09 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-5464-3428-800000000003}\ARPPRODUCTICON.exe
- 2007-11-09 07:25:59 192,184 -c--a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-11-29 20:22:59 195,368 -c--a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2006-06-19 10:45:00 1,312,392 -c--a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
+ 2007-06-11 13:34:36 2,115,816 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
+ 2007-06-11 13:04:38 190,696 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2007-11-29 20:23:20 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_770.dat
+ 2007-11-29 20:23:28 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_a7c.dat
+ 2006-06-05 14:15:38 96,256 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_c8be176f\ATL80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 17:40 C:\WINDOWS\MIDIDEF.EXE]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-31 07:03]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 09:23]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 18:29]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-21 12:46]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 10:44]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24]
"HostManager"="C:\Program Files\Common Files\AOL\1184936867\ee\AOLSoftware.exe" [2006-11-17 13:21]
"RegistryMechanic"="" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 00:43]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 05:00]

C:\Documents and Settings\David Bridger\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2007-11-29 14:37:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Broadband Assistant.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
C:\WINDOWS\kdx\KHost.exe -all

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2007-07-20 18:28 67128 --a--c--- C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe /hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
Rundll32 CTMBHA.DLL,MBMon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-05-19 19:38 1957888 -----c--- C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a--c--- C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-03-31 07:03 68856 --a--c--- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe /tray

R1 pctfw2;pctfw2;\??\C:\WINDOWS\system32\drivers\pctfw2.sys
R1 pctmp;PC Tools Firewall Memory Protection Driver;C:\WINDOWS\system32\drivers\pctmp.sys
R1 pctssipc;PC Tools Security Suite IPC Driver;C:\WINDOWS\system32\drivers\pctssipc.sys
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter
R3 csaudio;USB2.0 Audio Device Driver;C:\WINDOWS\system32\DRIVERS\CsAud.sys
R3 DCamUSB20;Hi-Speed USB DVD Creator;C:\WINDOWS\system32\Drivers\CsMini20.sys
R3 Usb20Scan;BELKIN Still Image;C:\WINDOWS\system32\Drivers\cresscan.sys
S2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys
S3 UPnPService;UPnPService;C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-04 08:04:52 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2007-11-09 07:26:29 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.ex
- C:\Program Files\RegistrySmart
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 21:16:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-29 21:17:13
C:\ComboFix2.txt ... 2007-11-29 12:07
C:\ComboFix3.txt ... 2007-11-26 13:55
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:19:02, on 29/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1184936867\ee\AOLSoftware.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Adobe\Adobe Premiere Elements 4.0\APD\Photo Downloader\Photodownloader.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1184936867\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/en/10/install/gtdownde.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Padus, Inc. - (no file)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11753 bytes
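Reading a HijackThis log by eye means scanning the O2/O3, O4, O20 and O23 entries for a few patterns: a registered component whose file is gone, a service with no identified vendor, a BHO with no display name, an autorun that is a bare file name rather than a full path. The following Python is an added example (not the thread's, not HijackThis's own code) that pulls those sections of a log into records and applies exactly those first-pass checks. The `Entry` class, the regexes and the flag names are this example's own; the sample lines are copied from the log above.

```python
"""HijackThis log triage (added example: not the thread's, not HijackThis's own code).

Pulls the O2/O3 (BHO and toolbar), O4 (autorun), O20 (Winlogon Notify) and
O23 (service) lines of a HijackThis log into records and applies the first
checks a log reader makes by eye.  The Entry class, regexes and flag names are
this example's own; the sample lines are copied from the log in this thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class Entry:
    section: str                 # "O2", "O4", "O23", ...
    name: str                    # display name or registry value name
    path: str                    # file path, or "(no file)" as HJT prints it
    owner: str = ""              # vendor string, O23 services only
    flags: list[str] = field(default_factory=list)


# One regex per line shape we care about; other sections are skipped.
O2_O3_RE = re.compile(r'^(?P<sec>O[23]) - (?:BHO|Toolbar): (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$')
O4_REG_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] ?(?P<cmd>.*)$')
O4_DIR_RE = re.compile(r'^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.+)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')

# The program part of an O4 command line: either the quoted token, or an
# unquoted path up to its extension (HJT prints unquoted paths that contain
# spaces, so splitting on whitespace is not enough).
PROGRAM_RE = re.compile(r'(?i)^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|dll|scr|com|bat|cmd|lnk)))(?=\s|$)')

FULL_PATH_RE = re.compile(r'^[A-Za-z]:\\')


def program_of(cmd: str) -> str:
    """Strip arguments and quotes from an O4 command line, leaving the program path."""
    cmd = cmd.strip()
    m = PROGRAM_RE.match(cmd)
    if m:
        return m['q'] or m['u']
    return cmd.split(' ', 1)[0]


def triage(e: Entry) -> list[str]:
    """First-pass flags.  Each one means 'look closer', not 'malicious'."""
    flags = []
    if e.path.lower() == '(no file)':
        flags.append('no-file')            # registered, but nothing on disk
    elif not FULL_PATH_RE.match(e.path):
        flags.append('unqualified-path')   # resolved via PATH; location unverified
    if e.owner.lower() == 'unknown owner':
        flags.append('unknown-owner')      # service binary carries no vendor info
    if e.section == 'O2' and e.name.lower() == '(no name)':
        flags.append('unnamed')            # BHO with no display name: check the DLL
    return flags


def parse_log(text: str) -> list[Entry]:
    """Parse the supported HJT sections; unknown line shapes are ignored."""
    entries: list[Entry] = []
    for line in text.splitlines():
        line = line.rstrip()
        if m := O2_O3_RE.match(line):
            entries.append(Entry(m['sec'], m['name'], m['path']))
        elif m := O4_REG_RE.match(line):
            entries.append(Entry('O4', m['name'], program_of(m['cmd'])))
        elif m := O4_DIR_RE.match(line):
            entries.append(Entry('O4', m['name'], program_of(m['cmd'])))
        elif m := O20_RE.match(line):
            entries.append(Entry('O20', m['name'], m['path']))
        elif m := O23_RE.match(line):
            entries.append(Entry('O23', m['name'], m['path'], owner=m['owner']))
    for e in entries:
        e.flags = triage(e)
    return entries


def flagged(entries: list[Entry]) -> dict[str, list[str]]:
    """Name -> flags for every entry that earned at least one flag."""
    return {e.name: e.flags for e in entries if e.flags}


# Sample input: lines copied from the HijackThis log in this thread.
SAMPLE = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Padus, Inc. - (no file)
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""

if __name__ == '__main__':
    for e in parse_log(SAMPLE):
        note = f"  <-- {', '.join(e.flags)}" if e.flags else ''
        print(f"{e.section:<4} {e.name[:40]:<40} {e.path}{note}")
```

Run against the sample, the flags land on four entries: the unnamed BHO (which the path shows to be Spybot's SDHelper.dll, so a flag is a prompt to check, not a verdict), the `MIDIDef.exe` autorun with no directory, the service with no vendor string, and the service whose file is gone. That is the same short list a log reader would pause on before declaring the log clean, which is the point of the tool: it does the mechanical pass so the reviewer's attention goes to the entries that need a decision.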

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 29 November 2007 - 04:52 PM

Hi Gingerbridgeman,

Your log looks clean! :thumbsup: Good job on the cleanup!

Uninstall ComboFix, go to Start > Run & type in ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.


Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 Gingerbridgeman

Gingerbridgeman
  • Topic Starter

  • Members
  • 30 posts

Posted 09 December 2007 - 03:37 PM

Dear SifuMike,

Thank you for all of your help. It was actually my Dad's computer that had the virus, but I used my account on here. Bleeping Computer helped me back in January but I was too much of a poor student to donate back then and I can't track down the topic anymore, so unfortunately I can't show my thanks to that person now. As such, half of our donation is from my Dad for this, half of it from me just as a way to pay my debt to this site.

It's great the way bleeping computer helps everyone, and we're very grateful for all of your help.

Best wishes,

Richard.

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 09 December 2007 - 04:58 PM

Thank you for the donation. :thumbsup:

#15 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 16 December 2007 - 01:05 AM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



