Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde, Trojans And Other Malware


  • This topic is locked This topic is locked
17 replies to this topic

#1 RisingPhoenix120

RisingPhoenix120

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:35 PM

Posted 18 February 2008 - 01:38 PM

I've run more programs than I can count to try to get rid of this malware. Main reoccurring problem seems to be Virtumonde, which is supposedly removed by some programs but has returned each time. It's causing pop-ups, multiplying IE windows and freezing up of browsers.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:37, on 2008-02-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\Matts Stuff\HiJackThis_v2.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.203\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [BM6ba065dc] Rundll32.exe "C:\WINDOWS\system32\hkidjlvs.dll",s
O4 - HKUS\S-1-5-18\..\Run: [Lolpbguh] C:\WINDOWS\system32\??rss.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Lolpbguh] C:\WINDOWS\system32\??rss.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://24.231.158.230:8888/kxhcm10.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0133f365dc1934...tzip/RdxIE2.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1203314545390
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/i...ViewerSetup.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C111A91F-D4EC-4D22-8D27-C3BCB0389F43} (AudioHandlerEmbedded) - http://reccentercam.uis.edu/activex/AMC.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)

--

Thanks for any assistance.

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:35 AM

Posted 19 February 2008 - 09:17 AM

Hi,

I understand that you need help in order to get rid of the malware that is present on your system - But you need to help us first..
I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThislog.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirusscan is not present which should be able to deal with most and prevent further reinfection.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 RisingPhoenix120

RisingPhoenix120
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:35 PM

Posted 19 February 2008 - 04:20 PM

Sorry to have given the impression that I didn't scan with an anti-virus beforehand. I've scanned with more than I can count, including Spybot S&D, Panda Antivirus, AVG, Ad-Aware, Spyhunter, SuperAntiSpyware. Spyware Doctor and more. I just uninstalled them prior to running HijackThis because I've used so many within the past couple of days; hated cluttering the system with anti-viruses starting up when I restarted. I think I'm on my way to having this Vundo Virus removed, though I'm unsure considering that SuperAntiSpyware keeps finding it. Running Symantec's removal tool now, in hopes that it will clear up much of this virus. I'd still appreciate help in finding other forms of malware on this system.

Ran AntiVir, though. Here's the log.



AntiVir PersonalEdition Classic
Report file date: Tuesday, February 19, 2008 13:06

Scanning for 835736 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: Owner
Computer name: MATT

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 19:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 18:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 21:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 18:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 20:27:15
ANTIVIR1.VDF : 7.0.0.0 1640448 Bytes 9/13/2007 20:26:55
ANTIVIR2.VDF : 7.0.0.1 2048 Bytes 9/13/2007 20:27:04
ANTIVIR3.VDF : 7.0.0.2 2048 Bytes 9/13/2007 20:27:13
AVEWIN32.DLL : 7.6.0.15 2806272 Bytes 9/17/2007 23:43:56
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 16:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 13:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 19:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 8/3/2007 14:46:00
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 13:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 18:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 13:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 17:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 18:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 18:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 15:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Tuesday, February 19, 2008 13:06

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
15 processes with 15 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '15' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde11.zip
[DETECTION] Contains suspicious code HEUR/PwdZIP
[INFO] The file was moved to '482d1c37.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde17.zip
[DETECTION] Contains suspicious code HEUR/PwdZIP
[INFO] The file was moved to '482d1c41.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip
[DETECTION] Contains suspicious code HEUR/PwdZIP
[INFO] The file was moved to '48351c42.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle1.zip
[DETECTION] Contains suspicious code HEUR/PwdZIP
[INFO] The file was moved to '48351c43.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle2.zip
[DETECTION] Contains suspicious code HEUR/PwdZIP
[INFO] The file was moved to '49966594.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle3.zip
[DETECTION] Contains suspicious code HEUR/PwdZIP
[INFO] The file was moved to '48351c44.qua'!
C:\Documents and Settings\Owner\Desktop\Matts Stuff\Game stuff\Other\Lolibatch\SpyHunter 3.0+KEY\Patch.exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/Bifrose.afz Backdoor server programs
[INFO] The file was moved to '482f1fb1.qua'!
C:\Program Files\Starcraft\scbw0_111.exe
[DETECTION] Is the Trojan horse TR/Crack.D
[INFO] The file was moved to '481d2a37.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\eljygozy.dll.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '48252b36.qua'!
C:\WINDOWS\system32\winsystem .exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/Bifrose.afz Backdoor server programs
[INFO] The file was moved to '482934f0.qua'!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!


End of the scan: Tuesday, February 19, 2008 15:01
Used time: 1:55:17 min

The scan has been done completely.

15777 Scanning directories
552017 Files were scanned
4 viruses and/or unwanted programs were found
6 Files were classified as suspicious:
0 files were deleted
0 files were repaired
10 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
552013 Files not concerned
8405 Archives were scanned
2 Warnings
10 Notes

=========================================
The eljygozy.dll seems to be a reoccurring one on my system. Yesterday I deleted a .rar on my desktop named "Catchme" that contained this dll.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:35 AM

Posted 19 February 2008 - 04:32 PM

Hi,

I've scanned with more than I can count, including Spybot S&D, Panda Antivirus, AVG, Ad-Aware, Spyhunter, SuperAntiSpyware. Spyware Doctor and more.

Yes, but you need a working Antivirus installed, not only Antispywarescanners and online scans. The Antivirus is needed, to PREVENT malware, not necessarily to delete malware. If you don't have realtime protection present, nothing will prevent malware in the first place :thumbsup:

I even see you used cracked versions of Antispywarescanners:

C:\Documents and Settings\Owner\Desktop\Matts Stuff\Game stuff\Other\Lolibatch\SpyHunter 3.0+KEY\Patch.exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/Bifrose.afz Backdoor server programs


Or at least tried to used them, because the "patch" is a backdoor instead. No wonder that your system is so severly infected. You should stay away from illegal software/cracks/hacks... because that's how you got infected in the first place. Ironic isn't it? Searching for a crack for your Antispywarescanners to clean your system from malware, but instead install another infection on top?

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Edited by miekiemoes, 19 February 2008 - 04:36 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 RisingPhoenix120

RisingPhoenix120
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:35 PM

Posted 19 February 2008 - 08:13 PM

Seems to have combined a previous run in this log.

ComboFix 08-02-18.1 - Owner 2008-02-19 20:00:14.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1660 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\Spyware removers\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\mljjg.dll
C:\WINDOWS\system32\dycyqfed.dll
C:\WINDOWS\system32\gjjlm.ini
C:\WINDOWS\system32\gjjlm.ini2
C:\WINDOWS\system32\ipnwcxee.dll
C:\WINDOWS\system32\mljjg.dll
C:\WINDOWS\system32\mljjg.exe
C:\WINDOWS\system32\vefjjpov.dll
C:\WINDOWS\system32\vopjjfev.ini
.
---- Previous Run -------
.
C:\WINDOWS\system32\dycyqfed.dll
C:\WINDOWS\system32\gjjlm.ini
C:\WINDOWS\system32\gjjlm.ini2
C:\WINDOWS\system32\ipnwcxee.dll
C:\WINDOWS\system32\mljjg.dll
C:\WINDOWS\system32\mljjg.exe
C:\WINDOWS\system32\vefjjpov.dll
C:\WINDOWS\system32\vopjjfev.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-19 18:39 . 2008-02-19 18:39 262,144 --a------ C:\WINDOWS\system32\default_user_class.dat
2008-02-19 18:36 . 2008-02-19 18:36 <DIR> d-------- C:\Program Files\UPHClean
2008-02-19 18:25 . 2008-02-19 18:42 2,048 --a------ C:\WINDOWS\system32\drivers\kgpfr.cfg
2008-02-19 18:24 . 2008-02-19 18:24 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-02-19 12:10 . 2008-02-19 18:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-19 01:37 . 2008-02-19 01:37 <DIR> d-------- C:\Program Files\Unlocker
2008-02-18 18:21 . 2008-02-18 18:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-18 18:21 . 2004-08-04 02:56 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2008-02-18 18:19 . 2008-02-19 16:18 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-18 18:19 . 2008-02-18 18:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-02-18 18:19 . 2007-11-26 10:38 238,848 --a------ C:\WINDOWS\UNBOC.EXE
2008-02-18 18:19 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2008-02-18 17:13 . 2008-02-18 17:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ZILLAbar
2008-02-18 16:30 . 2008-02-18 16:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\STOPzilla!
2008-02-18 15:08 . 2008-02-19 08:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-02-18 15:07 . 2008-02-19 18:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-02-18 13:23 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-18 13:23 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-18 12:32 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-18 12:32 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-18 12:32 . 2008-02-16 19:46 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-18 12:32 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-18 12:32 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-18 12:32 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-18 12:32 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-18 01:38 . 2008-02-18 01:38 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-17 23:18 . 2008-02-18 13:18 <DIR> d-------- C:\Documents and Settings\Owner\.rainlendar2
2008-02-17 20:57 . 2008-02-17 20:57 244 --ah----- C:\sqmnoopt07.sqm
2008-02-17 20:57 . 2008-02-17 20:57 244 --ah----- C:\sqmnoopt06.sqm
2008-02-17 20:57 . 2008-02-17 20:57 232 --ah----- C:\sqmdata07.sqm
2008-02-17 20:57 . 2008-02-17 20:57 232 --ah----- C:\sqmdata06.sqm
2008-02-17 20:32 . 2008-02-17 20:32 <DIR> d-------- C:\Program Files\MSECACHE
2008-02-17 20:11 . 2008-02-17 20:11 <DIR> d-------- C:\Documents and Settings\Owner\SmitfraudFix
2008-02-17 18:49 . 2008-02-17 18:49 169 --a------ C:\WINDOWS\AvDetected.ini
2008-02-17 17:35 . 2004-08-04 02:56 158,208 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe
2008-02-17 16:42 . 2008-02-17 16:43 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-17 16:42 . 2008-02-17 16:42 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-17 16:31 . 2008-02-17 17:32 474 --ahs---- C:\WINDOWS\system32\cuislleu.ini
2008-02-17 12:31 . 2007-03-06 16:33 12,336 --a------ C:\WINDOWS\system32\PGUNNT.EXE
2008-02-17 11:58 . 2008-02-18 13:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-17 11:48 . 2008-02-19 18:16 13,246 --a------ C:\WINDOWS\BM6ba065dc.xml
2008-02-17 11:48 . 2008-02-19 18:16 22 --a------ C:\WINDOWS\pskt.ini
2008-02-16 14:09 . 2008-02-16 14:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-16 14:09 . 2008-02-16 14:09 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-16 01:35 . 2008-02-17 00:22 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\skypePM
2008-02-16 01:35 . 2008-02-16 01:35 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-02-16 01:34 . 2008-02-17 02:47 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Skype
2008-02-16 01:32 . 2008-02-16 18:07 <DIR> d-------- C:\Program Files\Skype
2008-02-16 01:32 . 2008-02-16 01:32 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-02-16 01:32 . 2008-02-16 01:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-02-12 16:53 . 2007-02-18 17:00 18,764 --a------ C:\WINDOWS\system32\ddmon.dll
2008-02-07 17:01 . 2008-02-07 17:09 2,577 --a------ C:\WINDOWS\system32\CONFIGnew.NT.nt
2008-02-03 21:54 . 2008-02-03 21:55 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Webcammax
2008-02-01 13:30 . 2008-02-13 13:06 <DIR> d-------- C:\Program Files\WMR11
2008-01-27 00:32 . 2008-01-27 00:32 1,025 --a------ C:\WINDOWS\system32\cwvbmw0.tgz

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-19 23:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-19 19:11 --------- d-----w C:\Program Files\Starcraft
2008-02-18 23:05 --------- d-----w C:\Program Files\Steam
2008-02-18 21:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-02-18 18:18 --------- d-----w C:\Program Files\Rainlendar2
2008-02-18 18:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-18 01:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-17 22:32 --------- d-----w C:\Program Files\QuickTime
2008-02-17 07:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ruckus Network
2008-02-09 16:14 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-01-14 17:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-01-12 04:34 --------- d-----w C:\Program Files\OpenAL
2008-01-11 21:25 --------- d-----w C:\Program Files\id Software
2008-01-11 04:35 --------- d-----w C:\Program Files\Valve
2008-01-09 20:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2008-01-09 03:02 --------- d-----w C:\Program Files\Ruckus Player
2008-01-08 16:23 --------- d-----w C:\Documents and Settings\LocalService\Application Data\MathWorks
2008-01-07 13:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent DNA
2008-01-02 08:00 --------- d-----w C:\Program Files\MSXML 6.0
2008-01-01 20:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ansys
2008-01-01 19:58 --------- d-----w C:\Program Files\Microsoft.NET
2008-01-01 19:03 --------- d-----w C:\Program Files\Microsoft WSE
2007-12-25 18:41 --------- d-----w C:\Program Files\PeerGuardian2
2007-12-24 16:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\sentinel
2007-12-24 15:32 --------- d-----w C:\Program Files\Real
2007-09-14 23:21 22,328 ----a-w C:\Documents and Settings\Owner\Application Data\PnkBstrK.sys
2007-07-23 03:07 317 ----a-w C:\Documents and Settings\All Users\Application Data\5512.bat
2007-06-24 02:14 8,076 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2006-07-30 17:55 1 ----a-w C:\Documents and Settings\Owner\SI.bin
2006-02-10 21:55 604 ---ha-w C:\Program Files\STLL Notifier
2005-09-17 21:00 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-05-02 20:47 56 --sha-r C:\WINDOWS\system32\4784377DBD.sys
.
<pre>
----a-w		   282,624 2008-02-17 22:32:06  C:\Program Files\QuickTime\qttask		  .exe
----a-w		 1,365,504 2008-02-18 18:18:34  C:\Program Files\Rainlendar2\Rainlendar2 .exe
----a-w		   158,208 2008-02-18 18:21:46  C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSCONFIG .EXE
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Lolpbguh"="C:\WINDOWS\system32\??rss.exe" [2004-08-04 02:56 6144]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 02:56 53760 C:\WINDOWS\system32\narrator.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterCheck Monitor.LNK]
backup=C:\WINDOWS\pss\InterCheck Monitor.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^mtkds.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^BitTorrent.lnk]
backup=C:\WINDOWS\pss\BitTorrent.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HDDlife.lnk]
backup=C:\WINDOWS\pss\HDDlife.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^QuickLauncher.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^RABCO - Auto Update.lnk]
backup=C:\WINDOWS\pss\RABCO - Auto Update.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Registration Ghost Recon Advanced WarfighterŽ 2 Demo.LNK]
backup=C:\WINDOWS\pss\Registration Ghost Recon Advanced WarfighterŽ 2 Demo.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Registration Lock On]
backup=C:\WINDOWS\pss\Registration Lock OnStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^RivaTuner.lnk]
backup=C:\WINDOWS\pss\RivaTuner.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\68935640]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoLoaderAproposClient]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2007-11-09 23:57 286016 C:\Program Files\BitTorrent_DNA\dna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM6ba065dc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a------ 2004-05-17 21:30 543232 C:\WINDOWS\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 16:05 81920 C:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DHzpColorBoost]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
--a------ 2007-03-13 15:38 39264 C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-09-10 21:56 86960 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X5100 Series]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
--a------ 2002-12-10 18:32 155648 C:\Program Files\Logitech\ImageStudio\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
--a------ 2002-12-10 18:31 61440 C:\Program Files\Logitech\ImageStudio\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
--a------ 2002-12-10 17:54 127022 C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2003-06-07 05:32 50688 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Miyl]
C:\WINDOWS\??curity\w?aclt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 14:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nForce Tray Options]
--a------ 2003-09-02 20:25 73728 C:\WINDOWS\system32\sstray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-09-17 00:07 8491008 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
--a------ 2007-07-03 11:32 81920 C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-09-17 00:07 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pakun]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC_CLEAN]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pop06ap]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-17 17:32 282624 C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rainlendar2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-07-21 13:40 208941 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBCSTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SCANINICIO]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDAutoLiveupdate]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
--a------ 2003-09-19 12:09 36864 C:\WINDOWS\ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-01 17:22 21898024 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startkey]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
--a------ 2004-03-11 18:18 135168 C:\Program Files\Digital Media Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwiftToDoListLite]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTraySD]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Task List]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tcactive]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tcmonitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tddtmp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-07-21 13:40 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Memory Card Detector]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2004-11-22 07:18 307200 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VideoDriverHook]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebCamRT.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Survey Companion]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZSScheduler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"NPFMntor"=2 (0x2)
"navapsvc"=2 (0x2)
"ewido security suite control"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"Autodesk Licensing Service"=3 (0x3)
"usnjsvc"=3 (0x3)
"SQLWriter"=3 (0x3)
"mi-raysat_3dsmax9_32"=2 (0x2)
"IDriverT"=3 (0x3)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"PnkBstrA"=2 (0x2)
"NVSvc"=2 (0x2)
"nTuneService"=2 (0x2)
"MSSQL$AUTODESKVAULT"=2 (0x2)
"matlabserver"=2 (0x2)
"LexBceS"=2 (0x2)
"C-DillaCdaC11BA"=2 (0x2)
"Bonjour Service"=2 (0x2)

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);C:\WINDOWS\system32\drivers\sfdrv01a.sys [2006-07-05 07:46]
R2 Dev_UNIDRV;Dev_UNIDRV;C:\WINDOWS\system32\Drivers\UNIDRV.SYS [2006-04-07 11:26]
S1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys []
S2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys []
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2002-06-10 14:16]
S3 scrcap;scrcap;C:\WINDOWS\system32\DRIVERS\scrcap.sys []
S4 MSSQL$AUTODESKVAULT;SQL Server (AUTODESKVAULT);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" []
S4 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" []
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b32d220-56df-11db-88bc-0040ca89ceb9}]
\Shell\AutoRun\command - explorer.exe /n,/e,\

.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 06:00:00 C:\WINDOWS\Tasks\Owner backup.job"
- C:\Program Files\AMUST\Registry Cleaner\RegCleaner.exe
"2008-02-16 06:20:00 C:\WINDOWS\Tasks\Owner scan and fix.job"
- C:\Program Files\AMUST\Registry Cleaner\RegCleaner.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-19 20:04:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\WinRAR\rarext.dll
-> C:\Program Files\Unlocker\UnlockerCOM.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
.
**************************************************************************
.
Completion time: 2008-02-19 20:10:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-20 01:10:54
.
2008-02-13 08:02:31 --- E O F ---

#6 RisingPhoenix120

RisingPhoenix120
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:35 PM

Posted 19 February 2008 - 08:15 PM

I deleted some stuff earlier today, FYI.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\kmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\system32\VFind.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKUS\S-1-5-18\..\Run: [Lolpbguh] C:\WINDOWS\system32\??rss.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Lolpbguh] C:\WINDOWS\system32\??rss.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://24.231.158.230:8888/kxhcm10.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0133f365dc1934...tzip/RdxIE2.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1203314545390
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/i...ViewerSetup.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C111A91F-D4EC-4D22-8D27-C3BCB0389F43} (AudioHandlerEmbedded) - http://reccentercam.uis.edu/activex/AMC.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)

--

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:35 AM

Posted 20 February 2008 - 03:04 AM

Hi,

Not sure from when this latest HijackThislog is, since you didn't copy and paste the header in it.

Also, I asked you to install Avira, but I don't see it present in your latest log. Can you explain me this?
Did you uninstall Avira again?

Also, I see references to AVG Antivirus and Avast Antivirus present in your log, but disabled via msconfig. Are these Antivirus still installed?
And I see a LOT of other programs disabled via msconfig, however most do not contain any values anymore, only the main keys - have you been using a Registry Cleaner in the past here?

Please answer my questions first about Avira, Avast and AVG Antivirus first before we can proceed with this, because this is really confusing for me if steps were done in between I didn't ask to do.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 RisingPhoenix120

RisingPhoenix120
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:35 PM

Posted 20 February 2008 - 12:04 PM

I apologize. I did install Avira; scanned and restarted a few times, and uninstalled it. Sorry about that. Shouldn't have done that (Wasn't thinking). Neither Avast nor AVG are installed on my system at the moment. Avast was uninstalled ages ago. AVG was installed and uninstalled recently when getting a round of antivirus programs over the past week. I uninstalled them because I didn't want my system bogged down with multiple scanners at the same time. I had several issues this past week with the computer freezing (never happened before) when doing even the most minor of things, so I hope you can understand why I've been removing things. I disable things in msconfig, also, because most are unnecessary for me and I don't want them loading. I have used a couple of registry cleaners in the past (mainly Registry Mechanic to be specific) to alleviate the errors and dead-ends in the registry.

My pop-up problems seem to be gone, to be honest. Combofix got rid of the issues for the most part it would seem. I had some pos##.tmp files multiplying (probably some hundreds of tiny 3-10KB files) in both my C drive main directory and also in my "My Documents" folder. After Combofix was ran, these were gone.

Again, sorry for the confusion. I've just trying my best to get rid of some issues myself. Thanks. Also, that HijackThis log was created merely minutes before I posted it.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:35 AM

Posted 20 February 2008 - 12:32 PM

Hi,

You really should install Avira again, because how would you prevent future malware?
So install Avira again as a first step.

Also, I see you have Viewpoint installed...
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Then, let's deal with the rest. We'll also delete the related entries with Avast and AVG you disabled via msconfig and a lot of other orphaned entries you've disabled via msconfig previously, because most of them don't contain any values anymore, so enabling them via msconfig won't load the programs anyway. That's because the registry cleaners you used previously deleted these values.

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\pss\RABCO - Auto Update.lnkStartup
C:\Documents and Settings\All Users\Application Data\5512.bat
C:\WINDOWS\BM6ba065dc.xml
C:\WINDOWS\pskt.ini
RENV::
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Rainlendar2\Rainlendar2 .exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSCONFIG .EXE
Driver::
scrcap
PavProc
ShldDrv
Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Lolpbguh"=-
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^mtkds.exe]
[-HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
[-HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^RABCO - Auto Update.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\68935640]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoLoaderAproposClient]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM6ba065dc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DHzpColorBoost]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X5100 Series]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Miyl]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pakun]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC_CLEAN]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pop06ap]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rainlendar2]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBCSTray]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SCANINICIO]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDAutoLiveupdate]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNM]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startkey]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwiftToDoListLite]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTraySD]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Task List]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tcactive]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tcmonitor]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tddtmp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Memory Card Detector]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VideoDriverHook]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebCamRT.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Survey Companion]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZSScheduler]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NPFMntor"=-
"navapsvc"=-
"ewido security suite control"=-
"AVGEMS"=-
"Avg7UpdSvc"=-
"Avg7Alrt"=-
"avast! Web Scanner"=-
"avast! Mail Scanner"=-
"avast! Antivirus"=-
"aswUpdSv"=-
"Viewpoint Manager Service"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b32d220-56df-11db-88bc-0040ca89ceb9}]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 RisingPhoenix120

RisingPhoenix120
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:35 PM

Posted 20 February 2008 - 03:49 PM

Here is the Combofix log.

ComboFix 08-02-18.1 - Owner 2008-02-20 15:28:55.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1520 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\Spyware removers\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt

FILE ::
C:\Documents and Settings\All Users\Application Data\5512.bat
C:\WINDOWS\BM6ba065dc.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\pss\RABCO - Auto Update.lnkStartup
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\5512.bat
C:\WINDOWS\BM6ba065dc.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\pss\RABCO - Auto Update.lnkStartup

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_PAVPROC
-------\LEGACY_SHLDDRV
-------\PavProc
-------\scrcap
-------\ShldDrv


((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-19 21:53 . 2008-02-19 21:53 <DIR> d-------- C:\Program Files\Data Realms
2008-02-19 20:10 . 2008-02-19 20:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-19 18:39 . 2008-02-19 18:39 262,144 --a------ C:\WINDOWS\system32\default_user_class.dat
2008-02-19 18:36 . 2008-02-19 18:36 <DIR> d-------- C:\Program Files\UPHClean
2008-02-19 18:25 . 2008-02-19 18:42 2,048 --a------ C:\WINDOWS\system32\drivers\kgpfr.cfg
2008-02-19 18:24 . 2008-02-19 18:24 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-02-19 12:10 . 2008-02-19 18:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-19 01:37 . 2008-02-19 01:37 <DIR> d-------- C:\Program Files\Unlocker
2008-02-18 18:21 . 2008-02-18 18:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-18 18:21 . 2004-08-04 02:56 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2008-02-18 18:19 . 2008-02-20 11:40 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-18 18:19 . 2008-02-18 18:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-02-18 18:19 . 2007-11-26 10:38 238,848 --a------ C:\WINDOWS\UNBOC.EXE
2008-02-18 18:19 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2008-02-18 17:13 . 2008-02-18 17:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ZILLAbar
2008-02-18 16:30 . 2008-02-18 16:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\STOPzilla!
2008-02-18 15:08 . 2008-02-19 08:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-02-18 15:07 . 2008-02-19 18:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-02-18 13:23 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-18 13:23 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-18 13:21 . 2008-02-18 13:21 158,208 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe
2008-02-18 12:32 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-18 12:32 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-18 12:32 . 2008-02-16 19:46 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-18 12:32 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-18 12:32 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-18 12:32 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-18 12:32 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-18 01:38 . 2008-02-18 01:38 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-17 23:18 . 2008-02-18 13:18 <DIR> d-------- C:\Documents and Settings\Owner\.rainlendar2
2008-02-17 20:57 . 2008-02-17 20:57 244 --ah----- C:\sqmnoopt07.sqm
2008-02-17 20:57 . 2008-02-17 20:57 244 --ah----- C:\sqmnoopt06.sqm
2008-02-17 20:57 . 2008-02-17 20:57 232 --ah----- C:\sqmdata07.sqm
2008-02-17 20:57 . 2008-02-17 20:57 232 --ah----- C:\sqmdata06.sqm
2008-02-17 20:32 . 2008-02-17 20:32 <DIR> d-------- C:\Program Files\MSECACHE
2008-02-17 18:49 . 2008-02-17 18:49 169 --a------ C:\WINDOWS\AvDetected.ini
2008-02-17 16:42 . 2008-02-17 16:43 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-17 16:42 . 2008-02-17 16:42 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-17 16:31 . 2008-02-17 17:32 474 --ahs---- C:\WINDOWS\system32\cuislleu.ini
2008-02-17 12:31 . 2007-03-06 16:33 12,336 --a------ C:\WINDOWS\system32\PGUNNT.EXE
2008-02-17 11:58 . 2008-02-18 13:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-16 14:09 . 2008-02-16 14:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-16 14:09 . 2008-02-16 14:09 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-16 01:35 . 2008-02-17 00:22 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\skypePM
2008-02-16 01:35 . 2008-02-16 01:35 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-02-16 01:34 . 2008-02-17 02:47 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Skype
2008-02-16 01:32 . 2008-02-16 18:07 <DIR> d-------- C:\Program Files\Skype
2008-02-16 01:32 . 2008-02-16 01:32 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-02-16 01:32 . 2008-02-16 01:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-02-12 16:53 . 2007-02-18 17:00 18,764 --a------ C:\WINDOWS\system32\ddmon.dll
2008-02-07 17:01 . 2008-02-07 17:09 2,577 --a------ C:\WINDOWS\system32\CONFIGnew.NT.nt
2008-02-03 21:54 . 2008-02-03 21:55 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Webcammax
2008-02-01 13:30 . 2008-02-20 12:37 <DIR> d-------- C:\Program Files\WMR11
2008-01-27 00:32 . 2008-01-27 00:32 1,025 --a------ C:\WINDOWS\system32\cwvbmw0.tgz

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 20:28 --------- d-----w C:\Program Files\Rainlendar2
2008-02-20 20:24 --------- d-----w C:\Program Files\Viewpoint
2008-02-20 20:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-20 02:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ruckus Network
2008-02-19 23:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-19 19:11 --------- d-----w C:\Program Files\Starcraft
2008-02-18 23:05 --------- d-----w C:\Program Files\Steam
2008-02-18 21:28 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-02-18 18:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-18 01:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-17 22:32 --------- d-----w C:\Program Files\QuickTime
2008-02-09 16:14 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-01-14 17:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-01-12 04:34 --------- d-----w C:\Program Files\OpenAL
2008-01-11 21:25 --------- d-----w C:\Program Files\id Software
2008-01-11 04:35 --------- d-----w C:\Program Files\Valve
2008-01-09 20:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2008-01-09 03:02 --------- d-----w C:\Program Files\Ruckus Player
2008-01-08 16:23 --------- d-----w C:\Documents and Settings\LocalService\Application Data\MathWorks
2008-01-07 13:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent DNA
2008-01-02 08:00 --------- d-----w C:\Program Files\MSXML 6.0
2008-01-01 20:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ansys
2008-01-01 19:58 --------- d-----w C:\Program Files\Microsoft.NET
2008-01-01 19:03 --------- d-----w C:\Program Files\Microsoft WSE
2007-12-25 18:41 --------- d-----w C:\Program Files\PeerGuardian2
2007-12-24 16:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\sentinel
2007-12-24 15:32 --------- d-----w C:\Program Files\Real
2007-09-14 23:21 22,328 ----a-w C:\Documents and Settings\Owner\Application Data\PnkBstrK.sys
2007-06-24 02:14 8,076 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2006-07-30 17:55 1 ----a-w C:\Documents and Settings\Owner\SI.bin
2006-02-10 21:55 604 ---ha-w C:\Program Files\STLL Notifier
2005-09-17 21:00 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-05-02 20:47 56 --sha-r C:\WINDOWS\system32\4784377DBD.sys
.
<pre>
----a-w		   282,624 2008-02-17 22:32:06  C:\Program Files\QuickTime\qttask		  .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 02:56 53760 C:\WINDOWS\system32\narrator.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterCheck Monitor.LNK]
backup=C:\WINDOWS\pss\InterCheck Monitor.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^BitTorrent.lnk]
backup=C:\WINDOWS\pss\BitTorrent.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HDDlife.lnk]
backup=C:\WINDOWS\pss\HDDlife.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^QuickLauncher.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Registration Ghost Recon Advanced WarfighterŽ 2 Demo.LNK]
backup=C:\WINDOWS\pss\Registration Ghost Recon Advanced WarfighterŽ 2 Demo.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Registration Lock On]
backup=C:\WINDOWS\pss\Registration Lock OnStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^RivaTuner.lnk]
backup=C:\WINDOWS\pss\RivaTuner.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2007-11-09 23:57 286016 C:\Program Files\BitTorrent_DNA\dna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a------ 2004-05-17 21:30 543232 C:\WINDOWS\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 16:05 81920 C:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
--a------ 2007-03-13 15:38 39264 C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-09-10 21:56 86960 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
--a------ 2002-12-10 18:32 155648 C:\Program Files\Logitech\ImageStudio\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
--a------ 2002-12-10 18:31 61440 C:\Program Files\Logitech\ImageStudio\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
--a------ 2002-12-10 17:54 127022 C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2003-06-07 05:32 50688 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 14:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nForce Tray Options]
--a------ 2003-09-02 20:25 73728 C:\WINDOWS\system32\sstray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-09-17 00:07 8491008 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
--a------ 2007-07-03 11:32 81920 C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-09-17 00:07 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-17 17:32 282624 C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-07-21 13:40 208941 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
--a------ 2003-09-19 12:09 36864 C:\WINDOWS\ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-01 17:22 21898024 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
--a------ 2004-03-11 18:18 135168 C:\Program Files\Digital Media Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-07-21 13:40 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2004-11-22 07:18 307200 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"Autodesk Licensing Service"=3 (0x3)
"usnjsvc"=3 (0x3)
"SQLWriter"=3 (0x3)
"mi-raysat_3dsmax9_32"=2 (0x2)
"IDriverT"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"PnkBstrA"=2 (0x2)
"NVSvc"=2 (0x2)
"nTuneService"=2 (0x2)
"MSSQL$AUTODESKVAULT"=2 (0x2)
"matlabserver"=2 (0x2)
"LexBceS"=2 (0x2)
"C-DillaCdaC11BA"=2 (0x2)
"Bonjour Service"=2 (0x2)

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);C:\WINDOWS\system32\drivers\sfdrv01a.sys [2006-07-05 07:46]
R2 Dev_UNIDRV;Dev_UNIDRV;C:\WINDOWS\system32\Drivers\UNIDRV.SYS [2006-04-07 11:26]
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2002-06-10 14:16]
S4 MSSQL$AUTODESKVAULT;SQL Server (AUTODESKVAULT);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" []
S4 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" []

.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 06:00:00 C:\WINDOWS\Tasks\Owner backup.job"
- C:\Program Files\AMUST\Registry Cleaner\RegCleaner.exe
"2008-02-16 06:20:00 C:\WINDOWS\Tasks\Owner scan and fix.job"
- C:\Program Files\AMUST\Registry Cleaner\RegCleaner.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 15:35:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-02-20 15:41:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-20 20:41:05
ComboFix2.txt 2008-02-20 01:10:58
.
2008-02-13 08:02:31 --- E O F ---

========================================================

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:46:43 PM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://24.231.158.230:8888/kxhcm10.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0133f365dc1934...tzip/RdxIE2.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1203314545390
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/i...ViewerSetup.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C111A91F-D4EC-4D22-8D27-C3BCB0389F43} (AudioHandlerEmbedded) - http://reccentercam.uis.edu/activex/AMC.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)

--

I removed two of the Viewpoint entries, but the Viewpoint Toolbar remains. Each time I try to remove it, it'll bring up a "Toolbar Uninstallation" and a "Complete Uninstallation" option. Either one just closes the window and simply leaves the entry in the Add/Remove list.

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:35 AM

Posted 20 February 2008 - 04:26 PM

Hi,

Can you please reinstall an Antivirus as I already told you previously? Unless you want to get infected again...
So install an Antivirus AS A FIRST STEP, before proceeding with the next steps...

Then, after you installed your Antivirus..

Go to start > run and copy and paste next in the field:

sc delete PavPrSrv Hit enter.

Then,
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the "Viewpoint Toolbar" Entry
  • Click on "Delete this entry"
  • Click "Yes"
Then,

Then, delete the C:\Program Files\QuickTime - folder and reinstall Quicktime afterwards again. Make sure you delete the C:\Program Files\QuickTime folder first before you reinstall it. This because there's a file present in there that is most probably infected, and even if it's not, it's better to delete the whole folder anyway and reinstall it since you really need the latest Quicktime version (since previous version is vulnerable)

Then, * Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://24.231.158.230:8888/kxhcm10.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0133f365dc1934...tzip/RdxIE2.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Reboot and post a new HijackThislog in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 RisingPhoenix120

RisingPhoenix120
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:35 PM

Posted 20 February 2008 - 05:42 PM

I've reinstalled Avira Antivirus now. SUPERAntiSpyware has been on my system (guess it wasn't picked up in the logs) because it'it gave me the most luck in finding where the Virtumonde virus/spyware was located. But Avira is up and running steadily now.

When reinstalling Quicktime, I ran into an error.
"A network error occurred while attempting to read from the file: C:\WINDOWS\Installer\Quicktime.msi"
Personally I'm not too worried about Quicktime being reinstalled since I don't use it. Just a heads up, though. Everything else was done as you said, so here is the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:47 PM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1203314545390
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/i...ViewerSetup.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C111A91F-D4EC-4D22-8D27-C3BCB0389F43} (AudioHandlerEmbedded) - http://reccentercam.uis.edu/activex/AMC.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

--

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:35 AM

Posted 20 February 2008 - 06:04 PM

Ah, if you don't use Quicktime, then no need to install it :thumbsup:

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 RisingPhoenix120

RisingPhoenix120
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:35 PM

Posted 20 February 2008 - 06:25 PM

After having done all this, my system is a lot more responsive and doesn't lag at all like it was this past week. Also, the pop-ups seem to be totally gone :blink: Never had an issue on my system this severe before, and thanks to you (many thanks) it's gone. I appreciate the fact that there are people with experience like you. They make the world a lot easier :thumbsup:

There's one file I'm curious about in my C directory. It's called "kmd", with the description of "Windows Command Processor". Probably nothing to worry about. I think it showed up after running that last command in the Run bar, because it was not there before.

#15 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:35 AM

Posted 21 February 2008 - 01:26 AM

Hi,

The kmd.exe file is a part of Combofix. Not sure if you already uninstalled Combofix though. If you uninstalled it and the file is still present there, then delete it manually. But it won't hurt to leave it there either :blink:

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users