Vundo/VirtuMonde/Rootkit Remnants & Infection


This topic is locked
7 replies to this topic

#1 aj02719

  • Members
  • 19 posts
  • Local time:10:46 PM

Posted 08 January 2009 - 10:25 PM

Vundo/VirtuMonde/Rootkit Remnants & Infection

Last Monday (01/05), I became aware of some type of virus/malware on my PC. I’m running Windows XP with Norton Internet Security 2006 for virus/intrusion “protection”. My Norton subscription is active but will expire in 30 days. I noticed the problem because of pop-ups and issues with Internet Explorer. This computer is used by myself, my girlfriend, and other visitors, so I’m really unsure exactly when or how it was infected.

Norton identified the problem as Trojan.Vundo, and I attempted to fix it using that software. Ad-Aware identified a problem as VirtuMonde, and I again attempted to fix it. Most recently, Combofix identified a problem as Rootkit. Neither Norton nor Ad-Aware identifies problems at this point.

I’ve used a myriad of programs to try to fix this. I’ve used CCleaner, HiJackThis, Norton, Ad-Aware, Combofix, and RSIT. It’s very possible that I’ve screwed up the computer with my brute-force and ignorant removal tactics.

My PC will almost always boot up, although sometimes it is very slow while other times it freezes at the welcome screen. It used to freeze due to a rundll error (could not find "vgqsevvy.dll"), but no longer does that. Restarts usually result in a stall. I can connect to the internet and I seem to be able to search successfully using Google.

Here are some additional errors I have noted:

Norton will not scan the entire hard drive, but rather only scans 5,000 files or so (Quick Scan only). Norton LiveUpdate is unable to download update files. The Norton toolbar also appears grayed-out in IE but shows up fine in Firefox. In safe mode, Norton typically cannot finish scanning, and the "System Shutdown" dialog appears, causing a 60 second timeout until shutdown. The “search” option does not appear in Windows Explorer, and only displays the little “office assistant” dog. Some websites do not load at all. Sites and pop-up windows with Java seem to be problematic.

Any assistance is greatly appreciated!!!!



DDS (Ver_09-01-07.01) - NTFSx86
Run by Andy Jones at 22:18:05.09 on Thu 01/08/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.564 [GMT -5:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Codebox\BitMeter\BitMeter2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files Two\PrintKey2000\Printkey2000.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Andy Jones\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [CTDVDDet] c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [PCLEUSBTip] c:\program files\pinnacle\shared files\programs\usbtip\USBTip.exe
mRun: [PinnacleDriverCheck] c:\windows\system32\\PSDrvCheck.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.6.0_02\bin\jusched.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bitmet~1.lnk - c:\program files\codebox\bitmeter\BitMeter2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - c:\program files two\printkey2000\Printkey2000.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: motorola.com\idenupdate
Trusted Zone: movietickets.com\www
Trusted Zone: southcoastresponse.com\www
Notify: PCANotify - PCANotify.dll
AppInit_DLLs: hpizlv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andyjo~1\applic~1\mozilla\firefox\profiles\g67nmsn0.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - HiddenExtension: XUL Cache: {9EB572D1-7F24-4AE9-B122-FB90B33FC764} - c:\windows\system32\config\systemprofile\local settings\application data\{9EB572D1-7F24-4AE9-B122-FB90B33FC764}

============= SERVICES / DRIVERS ===============

R0 vburner;vburner;c:\windows\system32\drivers\vburner.sys [2008-12-20 15872]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-10-23 16984]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-11-17 11165]
R3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-7 99376]
R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCCFLTR.SYS [2008-12-22 14095]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090107.032\NAVENG.SYS [2009-1-7 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090107.032\NAVEX15.SYS [2009-1-7 876112]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
R4 Par1284;Par1284;c:\program files two\flexisign-pro 7\program\Par1284.sys [2004-11-19 53344]
R4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-2-5 1251720]
S0 tpcdrdrv;tpcdrdrv;c:\windows\system32\drivers\tpcdrdrv.sys --> c:\windows\system32\drivers\tpcdrdrv.sys [?]
S3 awhost32;pcAnywhere Host Service;c:\program files two\symantec\pcanywhere\awhost32.exe [2004-11-1 106496]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-29 23888]
S3 NUVision;NUVision II Video Service;c:\windows\system32\drivers\nuvvid2.sys [2007-1-21 153760]
S4 Transbase;Transbase;c:\bmwgroup\etklokal\transbase\tbmux32.exe --> c:\bmwgroup\etklokal\transbase\tbmux32.exe [?]

=============== Created Last 30 ================

2009-01-08 16:54 <DIR> --d----- c:\program files\Runtime Software
2009-01-07 20:31 <DIR> a-dshr-- C:\cmdcons
2009-01-07 20:30 161,792 a------- c:\windows\SWREG.exe
2009-01-07 20:30 98,816 a------- c:\windows\sed.exe
2009-01-07 19:12 <DIR> --d----- C:\FixThis
2009-01-07 17:20 446,464 a----r-- c:\windows\system32\hhactivex.dll
2009-01-07 17:20 328,480 a------- c:\windows\system32\ssa3d30.ocx
2009-01-07 17:20 176,128 a------- c:\windows\system32\RcdScan.dll
2009-01-07 17:20 89,360 a------- c:\windows\system32\VB5DB.DLL
2009-01-07 17:00 73,216 a------- c:\windows\system32\ffkuz.dll
2009-01-07 06:54 <DIR> --d----- c:\program files\CCleaner
2009-01-06 21:12 119,808 a------- C:\VundoFix.exe
2008-12-22 21:24 <DIR> --d----- C:\TorrentFiles
2008-12-22 19:10 21,504 a------- c:\windows\system32\hidserv.dll
2008-12-22 19:10 21,504 a------- c:\windows\system32\dllcache\hidserv.dll
2008-12-22 19:10 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2008-12-22 19:10 12,160 a------- c:\windows\system32\dllcache\mouhid.sys
2008-12-22 19:10 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2008-12-22 19:10 14,592 a------- c:\windows\system32\dllcache\kbdhid.sys
2008-12-22 19:10 65 a------- c:\windows\iTouch.ini
2008-12-22 19:02 12,953 a------- c:\windows\system32\drivers\itchfltr.sys
2008-12-22 19:02 37,887 -------- c:\windows\system32\drivers\Lhidusb.sys
2008-12-22 19:02 14,095 -------- c:\windows\system32\drivers\LCCFLTR.SYS
2008-12-22 19:02 <DIR> --d----- c:\program files\common files\Logitech
2008-12-20 18:04 1,219,862 a------- c:\temp\JHymn 0.9.2.zip
2008-12-20 14:28 15,872 a------- c:\windows\system32\drivers\vburner.sys
2008-12-20 14:26 <DIR> --d----- c:\program files\Xilisoft

==================== Find3M ====================

2009-01-06 18:31 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-06 18:31 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-06 18:31 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-06 18:31 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-04 21:46 180,224 a------- c:\windows\system32\xvidvfw.dll
2008-12-04 21:42 815,104 a------- c:\windows\system32\xvidcore.dll
2008-10-28 17:36 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-10-28 17:36 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-10-28 17:35 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-10-28 17:35 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-10-28 17:35 684,032 a------- c:\windows\system32\DivX.dll
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\SETCA.tmp
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 08:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 08:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 11:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 02:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-03-07 19:42 10,856 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-09-02 15:14 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090220080903\index.dat

============= FINISH: 22:18:53.20 ===============


#2 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:05:46 AM

Posted 09 January 2009 - 06:36 PM

Hello Aj02719 and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
Stand Up & Be Counted - And make a difference

#3 aj02719 (Topic Starter)

  • Members
  • 19 posts
  • Local time:10:46 PM

Posted 12 January 2009 - 10:27 PM

Thunder, thanks for the reply. And sorry for my slow response. I admittedly have been still trying to work on the problems I have been having. I don't know if these actions would have any effect on the first log I posted. I am still having big problems, and still appear to be infected.

I did the tasks as requested, although it seems Norton is not behaving correctly at all and is missing program files (i.e. nmain.exe).

GooredFix v1.81 by jpshortstuff
Log created at 21:53 on 12/01/2009 running Option #2 (Andy Jones)
Firefox version 3.0.5 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{9EB572D1-7F24-4AE9-B122-FB90B33FC764}"="C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{9EB572D1-7F24-4AE9-B122-FB90B33FC764}"
->Backing up value... Done.
->Deleting value... Done.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{9EB572D1-7F24-4AE9-B122-FB90B33FC764}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"



ComboFix 09-01-11.04 - Andy Jones 2009-01-12 22:06:43.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.520 [GMT -5:00]
Running from: c:\antivirus progs\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.

2009-01-11 20:40 . 2009-01-12 17:31 664 --a------ c:\windows\SYSTEM32\d3d9caps.dat
2009-01-11 11:15 . 2009-01-11 11:15 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
2009-01-11 11:15 . 2009-01-11 11:15 73,728 --a------ c:\windows\SYSTEM32\javacpl.cpl
2009-01-11 09:13 . 2009-01-11 09:17 <DIR> d-------- C:\My Backup
2009-01-11 09:10 . 2009-01-12 21:56 <DIR> d-------- C:\AntiVirus Progs
2009-01-10 08:55 . 2009-01-10 08:55 <DIR> d-------- c:\documents and settings\Administrator.JONESY\Application Data\DivX
2009-01-09 09:51 . 2009-01-09 09:51 <DIR> d-------- c:\documents and settings\Administrator.JONESY\Application Data\Malwarebytes
2009-01-09 09:32 . 2009-01-09 09:32 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 09:32 . 2009-01-09 09:32 <DIR> d-------- c:\documents and settings\Andy Jones\Application Data\Malwarebytes
2009-01-09 09:32 . 2009-01-09 09:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-09 09:32 . 2009-01-04 18:38 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-09 09:32 . 2009-01-04 18:38 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-08 16:54 . 2009-01-08 16:54 <DIR> d-------- c:\program files\Runtime Software
2009-01-07 20:14 . 2009-01-07 20:15 <DIR> d-------- C:\rsit
2009-01-07 19:12 . 2009-01-07 21:07 <DIR> d-------- C:\FixThis
2009-01-07 17:20 . 2000-03-23 12:50 446,464 -ra------ c:\windows\SYSTEM32\hhactivex.dll
2009-01-07 17:20 . 1998-11-10 10:46 328,480 --a------ c:\windows\SYSTEM32\ssa3d30.ocx
2009-01-07 17:20 . 2002-01-08 17:00 176,128 --a------ c:\windows\SYSTEM32\RcdScan.dll
2009-01-07 17:20 . 1998-06-17 23:00 89,360 --a------ c:\windows\SYSTEM32\VB5DB.DLL
2009-01-07 06:54 . 2009-01-11 09:12 <DIR> d-------- c:\program files\CCleaner
2009-01-06 21:50 . 2009-01-06 21:50 <DIR> d-------- c:\documents and settings\Administrator.JONESY\Application Data\Talkback
2008-12-22 19:10 . 2008-04-13 20:11 21,504 --a------ c:\windows\SYSTEM32\hidserv.dll
2008-12-22 19:10 . 2008-04-13 20:11 21,504 --a------ c:\windows\SYSTEM32\DLLCACHE\hidserv.dll
2008-12-22 19:10 . 2008-04-13 14:39 14,592 --a------ c:\windows\SYSTEM32\DRIVERS\kbdhid.sys
2008-12-22 19:10 . 2008-04-13 14:39 14,592 --a------ c:\windows\SYSTEM32\DLLCACHE\kbdhid.sys
2008-12-22 19:10 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DRIVERS\mouhid.sys
2008-12-22 19:10 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DLLCACHE\mouhid.sys
2008-12-22 19:10 . 2009-01-12 21:44 65 --a------ c:\windows\iTouch.ini
2008-12-22 19:02 . 2008-12-22 19:02 <DIR> d-------- c:\program files\Logitech
2008-12-22 19:02 . 2008-12-22 19:02 <DIR> d-------- c:\program files\Common Files\Logitech
2008-12-22 19:02 . 2004-03-03 09:50 37,887 --------- c:\windows\SYSTEM32\DRIVERS\Lhidusb.sys
2008-12-22 19:02 . 2004-03-03 09:50 14,095 --------- c:\windows\SYSTEM32\DRIVERS\LCCFLTR.SYS
2008-12-22 19:02 . 2004-03-10 13:42 12,953 --a------ c:\windows\SYSTEM32\DRIVERS\itchfltr.sys
2008-12-20 14:28 . 2008-03-26 11:19 15,872 --a------ c:\windows\SYSTEM32\DRIVERS\vburner.sys
2008-12-20 14:26 . 2008-12-20 14:26 <DIR> d-------- c:\program files\Xilisoft
2008-12-16 17:18 . 2008-12-16 17:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 03:11 --------- d-----w c:\documents and settings\All Users\Application Data\Bitmeter2
2009-01-13 03:04 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-13 02:49 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-12 22:27 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-11 16:15 --------- d-----w c:\program files\Java
2009-01-10 13:11 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-07 22:27 --------- d-----w c:\program files\Yahoo!
2009-01-07 22:20 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-06 23:31 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-06 23:31 60,808 ----a-w c:\windows\SYSTEM32\S32EVNT1.DLL
2009-01-06 23:31 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-06 23:31 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-06 23:31 --------- d-----w c:\program files\Symantec
2009-01-06 04:37 --------- d-----w c:\documents and settings\Andy Jones\Application Data\uTorrent
2008-12-16 22:19 --------- d-----w c:\program files\HP
2008-12-13 06:40 3,593,216 ------w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-12-08 21:51 --------- d-----w c:\program files\GSpot Codec
2008-12-08 21:49 --------- d-----w c:\program files\Xvid
2008-12-05 02:46 180,224 ----a-w c:\windows\SYSTEM32\xvidvfw.dll
2008-12-05 02:42 815,104 ----a-w c:\windows\SYSTEM32\xvidcore.dll
2008-12-01 01:53 --------- d-----w c:\program files\Lavasoft
2008-12-01 01:53 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-01 01:52 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-26 01:29 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-11-13 21:37 --------- d-----w c:\program files\iTunes
2008-11-13 21:37 --------- d-----w c:\program files\iPod
2008-11-13 21:37 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-13 21:35 --------- d-----w c:\program files\Bonjour
2008-11-13 21:34 --------- d-----w c:\program files\DivX
2008-10-28 22:36 823,296 ----a-w c:\windows\SYSTEM32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\SYSTEM32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\SYSTEM32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\SYSTEM32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\SYSTEM32\DivX.dll
2008-10-24 11:21 455,296 ------w c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\SYSTEM32\SETCA.tmp
2008-10-23 12:36 286,720 ----a-w c:\windows\SYSTEM32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\SYSTEM32\DLLCACHE\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\DLLCACHE\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\DLLCACHE\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\SYSTEM32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\SYSTEM32\muweb.dll
2008-10-16 13:11 70,656 ------w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2007-08-25 03:52 300,400 ----a-w c:\program files\mozilla firefox\components\coFFPlgn.dll
2008-03-08 00:42 10,856 --sha-w c:\windows\SYSTEM32\KGyGaAvL.sys
2008-09-02 20:14 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008090220080903\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-07_21.00.32.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 13:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2007-07-12 05:22:00 135,168 ----a-w c:\windows\SYSTEM32\java.exe
+ 2009-01-11 16:15:19 144,792 ----a-w c:\windows\SYSTEM32\java.exe
- 2007-07-12 05:22:04 135,168 ----a-w c:\windows\SYSTEM32\javaw.exe
+ 2009-01-11 16:15:19 144,792 ----a-w c:\windows\SYSTEM32\javaw.exe
- 2007-07-12 06:22:38 139,264 ----a-w c:\windows\SYSTEM32\javaws.exe
+ 2009-01-11 16:15:20 148,888 ----a-w c:\windows\SYSTEM32\javaws.exe
+ 2009-01-13 02:42:26 16,384 ----atw c:\windows\temp\Perflib_Perfdata_6f0.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 339,968 2004-08-25 17:52:00 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 155,648 2006-01-12 20:40:44 c:\program files\Common Files\Ahead\Lib\bak\NeroCheck.exe

----a-w 180,269 2004-11-27 14:49:51 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 185,896 2008-07-16 10:17:29 c:\program files\Common Files\Real\Update_OB\realsched.exe

----a-w 110,592 2004-01-07 06:01:00 c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 45,056 2002-09-30 06:00:00 c:\program files\Creative\SBAudigy2\DVDAudio\bak\CTDVDDet.EXE

----a-w 49,152 2002-10-29 14:18:24 c:\program files\Creative\SBAudigy2\Surround Mixer\bak\CTSysVol.exe

----a-w 57,344 2004-08-23 23:19:22 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 290,816 2004-04-12 01:15:14 c:\program files\Dell\Media Experience\bak\PCMService.exe

----a-w 45,056 2005-04-12 15:27:18 c:\program files\Elaborate Bytes\VirtualCloneDrive\bak\VCDDaemon.exe

----a-w 68,856 2007-07-28 02:07:53 c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

----a-w 49,152 2005-02-17 03:11:42 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
----a-w 54,840 2007-05-08 20:24:20 c:\program files\HP\HP Software Update\hpwuSchd2.exe

----a-w 135,168 2004-03-23 17:16:16 c:\program files\Intel\Intel Application Accelerator\bak\iaanotif.exe

----a-w 221,184 2003-09-04 01:12:44 c:\program files\Intel\Modem Event Monitor\bak\IntelMEM.exe

----a-w 256,576 2006-10-30 14:36:36 c:\program files\iTunes\bak\iTunesHelper.exe
----a-w 289,576 2008-10-01 23:57:12 c:\program files\iTunes\iTunesHelper.exe

----a-w 132,496 2007-07-12 08:00:36 c:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe

----a-w 282,624 2006-10-25 23:58:18 c:\program files\QuickTime\bak\qttask.exe
----a-w 413,696 2008-09-06 19:09:14 c:\program files\QuickTime\QTTask.exe

----a-w 57,344 2005-05-19 13:47:36 c:\program files\SlySoft\CloneCD\bak\CloneCDTray.exe

----a-w 0 2004-02-06 16:29:17 c:\program files two\321Studios\Platinum\bak\makedir

----a-w 1,957,977 2006-07-05 13:20:08 c:\program files two\tunebite\bak\tunebite.exe

----a-w 90,112 2000-05-11 06:00:00 c:\windows\bak\UpdReg.EXE

----a-w 406,016 2003-11-10 21:06:08 c:\windows\SYSTEM32\bak\PSDrvCheck.exe
----a-w 406,016 2004-03-11 05:26:10 c:\windows\SYSTEM32\PSDrvCheck.exe

----a-w 122,939 2004-08-13 06:05:00 c:\windows\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [N/A]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [N/A]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [N/A]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [N/A]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [N/A]
"UpdReg"="c:\windows\UpdReg.EXE" [N/A]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [N/A]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [N/A]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [N/A]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [N/A]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [N/A]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [N/A]
"PCLEUSBTip"="c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [N/A]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [N/A]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-19 1169744]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-04-19 1945688]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 149024]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-24 714608]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-16 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-11 136600]
"CTHelper"="CTHELPER.EXE" [2003-02-20 c:\windows\SYSTEM32\CTHELPER.EXE]
"AsioReg"="CTASIO.DLL" [2003-02-20 c:\windows\SYSTEM32\CTASIO.DLL]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-18 110592]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Bitmeter2.lnk - c:\program files\Codebox\BitMeter\BitMeter2.exe [2008-06-29 1462272]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]
Printkey2000.lnk - c:\program files two\PrintKey2000\Printkey2000.exe [2005-10-22 869376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2004-11-01 11:50 8704 c:\windows\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=hpizlv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll
"msacm.DVACM"= DVACM.acm
"VIDC.NTN1"= NUVision.ax
"vidc.dvsd"= dvc.dll
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tunebite.exe]
c:\program files two\tunebite\tunebite.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files Two\\FlexiSIGN-PRO 7\\Program\\App.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=

R0 vburner;vburner;c:\windows\SYSTEM32\DRIVERS\vburner.sys [2008-12-20 15872]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-07 99376]
R3 LCcfltr;Logitech USB Filter Driver;c:\windows\SYSTEM32\DRIVERS\LCCFLTR.SYS [2008-12-22 14095]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2007-08-25 149352]
S0 tpcdrdrv;tpcdrdrv;c:\windows\system32\DRIVERS\tpcdrdrv.sys --> c:\windows\system32\DRIVERS\tpcdrdrv.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\SYSTEM32\DRIVERS\COH_Mon.sys [2007-05-29 23888]
S3 NUVision;NUVision II Video Service;c:\windows\SYSTEM32\DRIVERS\nuvvid2.sys [2007-01-21 153760]
S4 Transbase;Transbase;c:\bmwgroup\ETKLokal\transbase\tbmux32.exe --> c:\bmwgroup\ETKLokal\transbase\tbmux32.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-03 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Andy Jones.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 20:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: idenupdate.motorola.com
Trusted Zone: www.movietickets.com
Trusted Zone: www.southcoastresponse.com

c:\windows\Downloaded Program Files\tgctlsi.dll - c:\windows\Downloaded Program Files\sprtexternal.dll
O16 -: {42D06124-98A2-47EC-8098-3778B58CE7D5}
hxxps://actsvr.comcastonline.com/techtools/dl/Comcast%20Activation%20Controls.cab
c:\windows\Downloaded Program Files\sprtexternal.inf
FF - ProfilePath - c:\documents and settings\Andy Jones\Application Data\Mozilla\Firefox\Profiles\g67nmsn0.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 22:11:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,df,0e,d1,f9,63,
fb,98,f9,c8,28,51,af,b0,29,a3,98,71,e4,09,d8,89,70,6b,b0,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,06,ea,37,a0,f1,
05,d2,77,71,3b,04,66,8b,46,0d,96,64,52,3e,23,bc,7e,18,b9,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:7a,45,05,fd,91,e8,6f,31,26,b5,00,2f,e5,
db,fc,b2,25,da,ec,7e,55,20,c9,26,45,91,f7,d2,28,20,0c,f5,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,a4,ca,7b,51,10,
8c,c1,b5,3e,1e,9e,e0,57,5a,93,61,d9,27,4d,35,7f,54,bb,69,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,1f,35,da,4d,4d,
05,7f,53,cd,44,cd,b9,a6,33,6c,cd,53,60,a4,21,26,c3,bc,dd,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:50,93,e5,ab,ec,6a,4e,ab,60,c9,e7,7e,98,
83,69,55,b0,18,ed,a7,3f,8d,37,a4,bd,83,4c,c3,02,c4,84,4c,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:97,20,4e,9a,c7,f1,35,ee,46,41,ab,67,17,
36,14,60,31,77,e1,ba,b1,f8,68,02,c9,a4,6c,14,11,87,92,c6,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,5f,bf,61,cd,cd,
45,61,85,83,6c,56,8b,a0,85,96,ab,0b,c0,7b,e4,6e,b1,e3,03,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:b2,46,9a,e2,1b,fe,1b,94,2d,5f,15,31,4e,
ff,90,3a,51,fa,6e,91,28,9e,14,cc,15,a5,3b,a0,dd,1d,7d,fc,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:37,a4,aa,c3,a6,15,56,0a,e8,7e,2d,41,94,
bd,d4,1f,b1,cd,45,5a,a8,c4,f8,b9,d8,68,77,ba,5b,a9,2f,6b,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,cb,5f,12,e6,8a,
d3,a3,7f,e3,0e,66,d5,eb,bc,2f,6b,45,76,55,51,8a,58,99,3f,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,a8,93,dc,9a,89,
5a,4a,47,fa,ea,66,7f,d4,3b,6b,70,b5,30,48,e5,af,cc,75,62,6c,43,2d,1e,aa,22,\
.
Completion time: 2009-01-12 22:14:13
ComboFix-quarantined-files.txt 2009-01-13 03:14:10
ComboFix2.txt 2009-01-09 11:05:00
ComboFix3.txt 2009-01-08 02:40:21
ComboFix4.txt 2009-01-08 02:05:30

Pre-Run: 16,113,573,888 bytes free
Post-Run: 16,186,597,376 bytes free

359 --- E O F --- 2008-12-18 13:42:01

Edited by aj02719, 12 January 2009 - 10:34 PM.


#4 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 13 January 2009 - 03:51 AM

Hello Aj02719,

If Norton is giving you trouble, I'd uninstall it through Control Panel > Software, and reinstall it when we've finished. :thumbsup:

Let's clean up some more:

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:

Driver::
tpcdrdrv
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of the Combofix log in your next reply, as well as a fresh DDS log.

Still having problems?

Greetings,
Thunder
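The entries the script above targets (the non-empty AppInit_DLLs value and the tpcdrdrv service whose driver file is no longer on disk), together with the Security Center and firewall flags visible in the log, are exactly the sort of thing a triage script can pull out of a ComboFix log automatically. The Python below is an added example written for this page, not part of the thread or of ComboFix; the sample lines are copied from the log posted above, and the category names are my own.

```python
"""Triage helper for the 'Reg Loading Points' and driver sections of a
ComboFix log.  Added example, not part of the original thread or of
ComboFix itself.  It flags the kinds of entries the helper acted on above:
a non-empty AppInit_DLLs value, Security Center notifications switched off,
the XP firewall disabled, and a service whose driver file is missing."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    category: str   # short label used for grouping / asserting
    detail: str     # human-readable explanation with the offending value


# Constructed sample: a few lines copied verbatim from the log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=hpizlv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 vburner;vburner;c:\windows\SYSTEM32\DRIVERS\vburner.sys [2008-12-20 15872]
S0 tpcdrdrv;tpcdrdrv;c:\windows\system32\DRIVERS\tpcdrdrv.sys --> c:\windows\system32\DRIVERS\tpcdrdrv.sys [?]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# ComboFix driver/service line: <start type> <service>;<display name>;<image path> [stamp]
DRIVER_RE = re.compile(r"^(?P<start>[RS]\d) (?P<svc>[^;]+);[^;]*;(?P<rest>.+)$")

# Security Center values that, when set to 1, suppress the warnings about a
# missing or disabled AV/firewall, so the user no longer sees a problem.
SECURITY_CENTER_FLAGS = {
    "AntiVirusDisableNotify",
    "FirewallDisableNotify",
    "UpdatesDisableNotify",
    "DisableMonitoring",
}


def _is_set(value: str) -> bool:
    """True for ComboFix's rendering of a REG_DWORD equal to 1."""
    return value.strip().lower() == "dword:00000001"


def triage(log_text: str) -> list[Finding]:
    """Walk the log line by line, remembering the current registry key so
    that value lines can be judged in context, and collect findings."""
    findings: list[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value = m.group("name"), m.group("value").strip()
            if name.lower() == "appinit_dlls" and value not in ("", '""'):
                findings.append(Finding(
                    "appinit_dlls",
                    f"AppInit_DLLs is set to {value!r}; every process that "
                    "loads user32.dll will load this DLL"))
            elif ("security center" in current_key
                  and name in SECURITY_CENTER_FLAGS and _is_set(value)):
                findings.append(Finding(
                    "security_center_disabled",
                    f"{name}=1 under {current_key}: Security Center "
                    "alerting/monitoring suppressed"))
            elif ("firewallpolicy" in current_key
                  and name == "EnableFirewall" and value.startswith("0")):
                findings.append(Finding(
                    "firewall_disabled",
                    f"EnableFirewall=0 under {current_key}: Windows Firewall is off"))
            continue
        m = DRIVER_RE.match(line)
        if m and m.group("rest").endswith("[?]"):
            # ComboFix appends '--> <path> [?]' when the image file is not on
            # disk: a service still registered to start but pointing at nothing.
            findings.append(Finding(
                "orphaned_driver",
                f"service {m.group('svc')} (start {m.group('start')}) "
                "points at a missing file"))
    return findings


def categories(log_text: str) -> set[str]:
    """Distinct finding categories for a log, handy for a quick verdict."""
    return {f.category for f in triage(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.detail}")
```

Run against the full log pasted into a file instead of SAMPLE_LOG and the same four categories fall out; a clean post-fix log (AppInit_DLLs emptied, tpcdrdrv gone) yields no appinit_dlls or orphaned_driver finding.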

#5 aj02719

  • Topic Starter
  • Members
  • 19 posts

Posted 13 January 2009 - 07:39 AM

Thunder, again, thank you very much for your assistance. I uninstalled Norton, as it was loaded with problems. I will do some web surfing later to see how my browser is working.

ComboFix 09-01-11.04 - Andy Jones 2009-01-13 7:21:27.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.622 [GMT -5:00]
Running from: c:\antivirus progs\ComboFix.exe
Command switches used :: c:\documents and settings\Andy Jones\Desktop\cfscript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_tpcdrdrv


((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.

2009-01-13 07:02 . 2009-01-13 07:02 <DIR> d-------- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2009-01-11 20:40 . 2009-01-12 17:31 664 --a------ c:\windows\SYSTEM32\d3d9caps.dat
2009-01-11 11:15 . 2009-01-11 11:15 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
2009-01-11 11:15 . 2009-01-11 11:15 73,728 --a------ c:\windows\SYSTEM32\javacpl.cpl
2009-01-11 09:13 . 2009-01-11 09:17 <DIR> d-------- C:\My Backup
2009-01-11 09:10 . 2009-01-12 21:56 <DIR> d-------- C:\AntiVirus Progs
2009-01-10 08:55 . 2009-01-10 08:55 <DIR> d-------- c:\documents and settings\Administrator.JONESY\Application Data\DivX
2009-01-09 09:51 . 2009-01-09 09:51 <DIR> d-------- c:\documents and settings\Administrator.JONESY\Application Data\Malwarebytes
2009-01-09 09:32 . 2009-01-09 09:32 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 09:32 . 2009-01-09 09:32 <DIR> d-------- c:\documents and settings\Andy Jones\Application Data\Malwarebytes
2009-01-09 09:32 . 2009-01-09 09:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-09 09:32 . 2009-01-04 18:38 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-09 09:32 . 2009-01-04 18:38 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-08 16:54 . 2009-01-08 16:54 <DIR> d-------- c:\program files\Runtime Software
2009-01-07 20:14 . 2009-01-07 20:15 <DIR> d-------- C:\rsit
2009-01-07 19:12 . 2009-01-07 21:07 <DIR> d-------- C:\FixThis
2009-01-07 17:20 . 2000-03-23 12:50 446,464 -ra------ c:\windows\SYSTEM32\hhactivex.dll
2009-01-07 17:20 . 1998-11-10 10:46 328,480 --a------ c:\windows\SYSTEM32\ssa3d30.ocx
2009-01-07 17:20 . 2002-01-08 17:00 176,128 --a------ c:\windows\SYSTEM32\RcdScan.dll
2009-01-07 17:20 . 1998-06-17 23:00 89,360 --a------ c:\windows\SYSTEM32\VB5DB.DLL
2009-01-07 06:54 . 2009-01-11 09:12 <DIR> d-------- c:\program files\CCleaner
2009-01-06 21:50 . 2009-01-06 21:50 <DIR> d-------- c:\documents and settings\Administrator.JONESY\Application Data\Talkback
2008-12-22 19:10 . 2008-04-13 20:11 21,504 --a------ c:\windows\SYSTEM32\hidserv.dll
2008-12-22 19:10 . 2008-04-13 20:11 21,504 --a------ c:\windows\SYSTEM32\DLLCACHE\hidserv.dll
2008-12-22 19:10 . 2008-04-13 14:39 14,592 --a------ c:\windows\SYSTEM32\DRIVERS\kbdhid.sys
2008-12-22 19:10 . 2008-04-13 14:39 14,592 --a------ c:\windows\SYSTEM32\DLLCACHE\kbdhid.sys
2008-12-22 19:10 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DRIVERS\mouhid.sys
2008-12-22 19:10 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DLLCACHE\mouhid.sys
2008-12-22 19:10 . 2009-01-13 07:28 65 --a------ c:\windows\iTouch.ini
2008-12-22 19:02 . 2008-12-22 19:02 <DIR> d-------- c:\program files\Logitech
2008-12-22 19:02 . 2008-12-22 19:02 <DIR> d-------- c:\program files\Common Files\Logitech
2008-12-22 19:02 . 2004-03-03 09:50 37,887 --------- c:\windows\SYSTEM32\DRIVERS\Lhidusb.sys
2008-12-22 19:02 . 2004-03-03 09:50 14,095 --------- c:\windows\SYSTEM32\DRIVERS\LCCFLTR.SYS
2008-12-22 19:02 . 2004-03-10 13:42 12,953 --a------ c:\windows\SYSTEM32\DRIVERS\itchfltr.sys
2008-12-20 14:28 . 2008-03-26 11:19 15,872 --a------ c:\windows\SYSTEM32\DRIVERS\vburner.sys
2008-12-20 14:26 . 2008-12-20 14:26 <DIR> d-------- c:\program files\Xilisoft
2008-12-16 17:18 . 2008-12-16 17:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 12:28 --------- d-----w c:\documents and settings\All Users\Application Data\Bitmeter2
2009-01-13 12:15 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-13 12:14 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-12 22:27 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-11 16:15 --------- d-----w c:\program files\Java
2009-01-10 13:11 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-07 22:27 --------- d-----w c:\program files\Yahoo!
2009-01-07 22:20 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-06 23:31 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-06 23:31 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-06 23:31 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-06 23:31 --------- d-----w c:\program files\Symantec
2009-01-06 04:37 --------- d-----w c:\documents and settings\Andy Jones\Application Data\uTorrent
2008-12-16 22:19 --------- d-----w c:\program files\HP
2008-12-08 21:51 --------- d-----w c:\program files\GSpot Codec
2008-12-08 21:49 --------- d-----w c:\program files\Xvid
2008-12-01 01:53 --------- d-----w c:\program files\Lavasoft
2008-12-01 01:53 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-01 01:52 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-26 01:29 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-11-13 21:37 --------- d-----w c:\program files\iTunes
2008-11-13 21:37 --------- d-----w c:\program files\iPod
2008-11-13 21:37 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-13 21:35 --------- d-----w c:\program files\Bonjour
2008-11-13 21:34 --------- d-----w c:\program files\DivX
2008-03-08 00:42 10,856 --sha-w c:\windows\SYSTEM32\KGyGaAvL.sys
2008-09-02 20:14 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008090220080903\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-07_21.00.32.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-13 12:02:36 22,016 ----a-w c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP\WiseCustomCall.dll
- 2000-08-31 13:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2007-07-12 05:22:00 135,168 ----a-w c:\windows\SYSTEM32\java.exe
+ 2009-01-11 16:15:19 144,792 ----a-w c:\windows\SYSTEM32\java.exe
- 2007-07-12 05:22:04 135,168 ----a-w c:\windows\SYSTEM32\javaw.exe
+ 2009-01-11 16:15:19 144,792 ----a-w c:\windows\SYSTEM32\javaw.exe
- 2007-07-12 06:22:38 139,264 ----a-w c:\windows\SYSTEM32\javaws.exe
+ 2009-01-11 16:15:20 148,888 ----a-w c:\windows\SYSTEM32\javaws.exe
+ 2009-01-13 12:28:09 16,384 ----atw c:\windows\temp\Perflib_Perfdata_818.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 339,968 2004-08-25 17:52:00 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 155,648 2006-01-12 20:40:44 c:\program files\Common Files\Ahead\Lib\bak\NeroCheck.exe

----a-w 180,269 2004-11-27 14:49:51 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 185,896 2008-07-16 10:17:29 c:\program files\Common Files\Real\Update_OB\realsched.exe

----a-w 110,592 2004-01-07 06:01:00 c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 45,056 2002-09-30 06:00:00 c:\program files\Creative\SBAudigy2\DVDAudio\bak\CTDVDDet.EXE

----a-w 49,152 2002-10-29 14:18:24 c:\program files\Creative\SBAudigy2\Surround Mixer\bak\CTSysVol.exe

----a-w 57,344 2004-08-23 23:19:22 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 290,816 2004-04-12 01:15:14 c:\program files\Dell\Media Experience\bak\PCMService.exe

----a-w 45,056 2005-04-12 15:27:18 c:\program files\Elaborate Bytes\VirtualCloneDrive\bak\VCDDaemon.exe

----a-w 68,856 2007-07-28 02:07:53 c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

----a-w 49,152 2005-02-17 03:11:42 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
----a-w 54,840 2007-05-08 20:24:20 c:\program files\HP\HP Software Update\hpwuSchd2.exe

----a-w 135,168 2004-03-23 17:16:16 c:\program files\Intel\Intel Application Accelerator\bak\iaanotif.exe

----a-w 221,184 2003-09-04 01:12:44 c:\program files\Intel\Modem Event Monitor\bak\IntelMEM.exe

----a-w 256,576 2006-10-30 14:36:36 c:\program files\iTunes\bak\iTunesHelper.exe
----a-w 289,576 2008-10-01 23:57:12 c:\program files\iTunes\iTunesHelper.exe

----a-w 132,496 2007-07-12 08:00:36 c:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe

----a-w 282,624 2006-10-25 23:58:18 c:\program files\QuickTime\bak\qttask.exe
----a-w 413,696 2008-09-06 19:09:14 c:\program files\QuickTime\QTTask.exe

----a-w 57,344 2005-05-19 13:47:36 c:\program files\SlySoft\CloneCD\bak\CloneCDTray.exe

----a-w 0 2004-02-06 16:29:17 c:\program files two\321Studios\Platinum\bak\makedir

----a-w 1,957,977 2006-07-05 13:20:08 c:\program files two\tunebite\bak\tunebite.exe

----a-w 90,112 2000-05-11 06:00:00 c:\windows\bak\UpdReg.EXE

----a-w 406,016 2003-11-10 21:06:08 c:\windows\SYSTEM32\bak\PSDrvCheck.exe
----a-w 406,016 2004-03-11 05:26:10 c:\windows\SYSTEM32\PSDrvCheck.exe

----a-w 122,939 2004-08-13 06:05:00 c:\windows\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [N/A]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [N/A]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [N/A]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [N/A]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [N/A]
"UpdReg"="c:\windows\UpdReg.EXE" [N/A]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [N/A]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [N/A]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [N/A]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [N/A]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [N/A]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [N/A]
"PCLEUSBTip"="c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [N/A]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [N/A]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-19 1169744]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-04-19 1945688]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 149024]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-16 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-11 136600]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-03-12 517768]
"CTHelper"="CTHELPER.EXE" [2003-02-20 c:\windows\SYSTEM32\CTHELPER.EXE]
"AsioReg"="CTASIO.DLL" [2003-02-20 c:\windows\SYSTEM32\CTASIO.DLL]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-18 110592]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Bitmeter2.lnk - c:\program files\Codebox\BitMeter\BitMeter2.exe [2008-06-29 1462272]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]
Printkey2000.lnk - c:\program files two\PrintKey2000\Printkey2000.exe [2005-10-22 869376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2004-11-01 11:50 8704 c:\windows\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll
"msacm.DVACM"= DVACM.acm
"VIDC.NTN1"= NUVision.ax
"vidc.dvsd"= dvc.dll
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tunebite.exe]
c:\program files two\tunebite\tunebite.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files Two\\FlexiSIGN-PRO 7\\Program\\App.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=

R0 vburner;vburner;c:\windows\SYSTEM32\DRIVERS\vburner.sys [2008-12-20 15872]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-07 99376]
R3 LCcfltr;Logitech USB Filter Driver;c:\windows\SYSTEM32\DRIVERS\LCCFLTR.SYS [2008-12-22 14095]
S3 NUVision;NUVision II Video Service;c:\windows\SYSTEM32\DRIVERS\nuvvid2.sys [2007-01-21 153760]
S4 Transbase;Transbase;c:\bmwgroup\ETKLokal\transbase\tbmux32.exe --> c:\bmwgroup\ETKLokal\transbase\tbmux32.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2008-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: idenupdate.motorola.com
Trusted Zone: www.movietickets.com
Trusted Zone: www.southcoastresponse.com

c:\windows\Downloaded Program Files\tgctlsi.dll - c:\windows\Downloaded Program Files\sprtexternal.dll
O16 -: {42D06124-98A2-47EC-8098-3778B58CE7D5}
hxxps://actsvr.comcastonline.com/techtools/dl/Comcast%20Activation%20Controls.cab
c:\windows\Downloaded Program Files\sprtexternal.inf
FF - ProfilePath - c:\documents and settings\Andy Jones\Application Data\Mozilla\Firefox\Profiles\g67nmsn0.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 07:28:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,df,0e,d1,f9,63,
fb,98,f9,c8,28,51,af,b0,29,a3,98,71,e4,09,d8,89,70,6b,b0,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,06,ea,37,a0,f1,
05,d2,77,71,3b,04,66,8b,46,0d,96,64,52,3e,23,bc,7e,18,b9,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:7a,45,05,fd,91,e8,6f,31,26,b5,00,2f,e5,
db,fc,b2,25,da,ec,7e,55,20,c9,26,45,91,f7,d2,28,20,0c,f5,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,a4,ca,7b,51,10,
8c,c1,b5,3e,1e,9e,e0,57,5a,93,61,d9,27,4d,35,7f,54,bb,69,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,1f,35,da,4d,4d,
05,7f,53,cd,44,cd,b9,a6,33,6c,cd,53,60,a4,21,26,c3,bc,dd,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:50,93,e5,ab,ec,6a,4e,ab,60,c9,e7,7e,98,
83,69,55,b0,18,ed,a7,3f,8d,37,a4,bd,83,4c,c3,02,c4,84,4c,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:97,20,4e,9a,c7,f1,35,ee,46,41,ab,67,17,
36,14,60,31,77,e1,ba,b1,f8,68,02,c9,a4,6c,14,11,87,92,c6,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,5f,bf,61,cd,cd,
45,61,85,83,6c,56,8b,a0,85,96,ab,0b,c0,7b,e4,6e,b1,e3,03,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:b2,46,9a,e2,1b,fe,1b,94,2d,5f,15,31,4e,
ff,90,3a,51,fa,6e,91,28,9e,14,cc,15,a5,3b,a0,dd,1d,7d,fc,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:37,a4,aa,c3,a6,15,56,0a,e8,7e,2d,41,94,
bd,d4,1f,b1,cd,45,5a,a8,c4,f8,b9,d8,68,77,ba,5b,a9,2f,6b,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,cb,5f,12,e6,8a,
d3,a3,7f,e3,0e,66,d5,eb,bc,2f,6b,45,76,55,51,8a,58,99,3f,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,a8,93,dc,9a,89,
5a,4a,47,fa,ea,66,7f,d4,3b,6b,70,b5,30,48,e5,af,cc,75,62,6c,43,2d,1e,aa,22,\
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\HPZipm12.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-13 7:34:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-13 12:34:48
ComboFix2.txt 2009-01-13 03:14:15
ComboFix3.txt 2009-01-09 11:05:00
ComboFix4.txt 2009-01-08 02:40:21
ComboFix5.txt 2009-01-13 12:20:52

Pre-Run: 16,501,239,808 bytes free
Post-Run: 16,499,036,160 bytes free

339 --- E O F --- 2008-12-18 13:42:01



DDS (Ver_09-01-07.01) - NTFSx86
Run by Andy Jones at 7:35:28.25 on Tue 01/13/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.549 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Codebox\BitMeter\BitMeter2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files Two\PrintKey2000\Printkey2000.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Andy Jones\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [CTDVDDet] c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [PCLEUSBTip] c:\program files\pinnacle\shared files\programs\usbtip\USBTip.exe
mRun: [PinnacleDriverCheck] c:\windows\system32\\PSDrvCheck.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bitmet~1.lnk - c:\program files\codebox\bitmeter\BitMeter2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - c:\program files two\printkey2000\Printkey2000.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: motorola.com\idenupdate
Trusted Zone: movietickets.com\www
Trusted Zone: southcoastresponse.com\www
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andyjo~1\applic~1\mozilla\firefox\profiles\g67nmsn0.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 vburner;vburner;c:\windows\system32\drivers\vburner.sys [2008-12-20 15872]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-11-17 11165]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-7 99376]
R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCCFLTR.SYS [2008-12-22 14095]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R4 Par1284;Par1284;c:\program files two\flexisign-pro 7\program\Par1284.sys [2004-11-19 53344]
R4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-2-5 1251720]
S3 awhost32;pcAnywhere Host Service;c:\program files two\symantec\pcanywhere\awhost32.exe [2004-11-1 106496]
S3 NUVision;NUVision II Video Service;c:\windows\system32\drivers\nuvvid2.sys [2007-1-21 153760]
S4 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-10-23 16984]
S4 Transbase;Transbase;c:\bmwgroup\etklokal\transbase\tbmux32.exe --> c:\bmwgroup\etklokal\transbase\tbmux32.exe [?]

=============== Created Last 30 ================

2009-01-13 07:02 <DIR> --d----- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2009-01-12 22:05 161,792 a------- c:\windows\SWREG.exe
2009-01-12 22:05 98,816 a------- c:\windows\sed.exe
2009-01-11 20:40 664 a------- c:\windows\system32\d3d9caps.dat
2009-01-11 11:15 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-11 11:15 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-11 09:13 <DIR> --d----- C:\My Backup
2009-01-11 09:10 <DIR> --d----- C:\AntiVirus Progs
2009-01-09 09:32 <DIR> --d----- c:\docume~1\andyjo~1\applic~1\Malwarebytes
2009-01-09 09:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-09 09:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 09:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-09 09:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-08 16:54 <DIR> --d----- c:\program files\Runtime Software
2009-01-07 20:31 <DIR> a-dshr-- C:\cmdcons
2009-01-07 19:12 <DIR> --d----- C:\FixThis
2009-01-07 17:20 446,464 a----r-- c:\windows\system32\hhactivex.dll
2009-01-07 17:20 328,480 a------- c:\windows\system32\ssa3d30.ocx
2009-01-07 17:20 176,128 a------- c:\windows\system32\RcdScan.dll
2009-01-07 17:20 89,360 a------- c:\windows\system32\VB5DB.DLL
2009-01-07 06:54 <DIR> --d----- c:\program files\CCleaner
2008-12-22 19:10 21,504 a------- c:\windows\system32\hidserv.dll
2008-12-22 19:10 21,504 a------- c:\windows\system32\dllcache\hidserv.dll
2008-12-22 19:10 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2008-12-22 19:10 12,160 a------- c:\windows\system32\dllcache\mouhid.sys
2008-12-22 19:10 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2008-12-22 19:10 14,592 a------- c:\windows\system32\dllcache\kbdhid.sys
2008-12-22 19:10 65 a------- c:\windows\iTouch.ini
2008-12-22 19:02 12,953 a------- c:\windows\system32\drivers\itchfltr.sys
2008-12-22 19:02 37,887 -------- c:\windows\system32\drivers\Lhidusb.sys
2008-12-22 19:02 14,095 -------- c:\windows\system32\drivers\LCCFLTR.SYS
2008-12-22 19:02 <DIR> --d----- c:\program files\common files\Logitech
2008-12-20 14:28 15,872 a------- c:\windows\system32\drivers\vburner.sys
2008-12-20 14:26 <DIR> --d----- c:\program files\Xilisoft

==================== Find3M ====================

2009-01-06 18:31 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-06 18:31 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-06 18:31 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-06 18:31 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-04 21:46 180,224 a------- c:\windows\system32\xvidvfw.dll
2008-12-04 21:42 815,104 a------- c:\windows\system32\xvidcore.dll
2008-10-28 17:36 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-10-28 17:36 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-10-28 17:35 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-10-28 17:35 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-10-28 17:35 684,032 a------- c:\windows\system32\DivX.dll
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\SETCA.tmp
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 08:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 08:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 11:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-03-07 19:42 10,856 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-09-02 15:14 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090220080903\index.dat

============= FINISH: 7:35:43.40 ===============

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:05:46 AM

Posted 13 January 2009 - 07:45 AM

Hello Aj02719,

Your logs look fine now. :thumbsup:

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

No more issues?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference

#7 aj02719

aj02719
  • Topic Starter

  • Members
  • 19 posts
  • Local time:10:46 PM

Posted 13 January 2009 - 04:25 PM

Thunder, thank you very, very much for your knowledge and assistance. Everything seems fine. Kaspersky scan only identified items in Norton Quarantine. Everything appears normal now. You rule!!!!!!

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:05:46 AM

Posted 13 January 2009 - 05:32 PM

Glad we could help, Aj02719 :thumbsup:

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



