Hit by Virtumonde... Please help - Safer-Networking Forums

Chocoa · 2008-11-14, 09:40

Hi,
Spybot tells me my pc is infected with "Virtumonde". And, despite following the removal method suggested by Spubot it appears again.

Please find below the log from hijackthis....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:52 AM, on 14/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\program files\powerstrip\pstrip.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\INTERNET\NetMeter\NetMeter.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
C:\Program Files\Giganews Accelerator\GiganewsAccelerator.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ATITool\ATITool.exe
C:\MY PROGRAMS\DESKTOP\Process Explorer\procexp.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8010
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [20716341] rundll32.exe "C:\WINDOWS\system32\ocwagmdt.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [C:\INTERNET\NetMeter\NetMeter.exe] C:\INTERNET\NetMeter\NetMeter.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: ATITool.lnk = C:\Program Files\ATITool\ATITool.exe
O4 - Startup: procexp.lnk = ?
O4 - Global Startup: Giganews Accelerator.lnk = C:\Program Files\Giganews Accelerator\GiganewsAccelerator.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download All by FlashGet - C:\INTERNET\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\INTERNET\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\INTERNET\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\INTERNET\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...l/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll lxwzxm.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: ReaConverter scheduler service (rcp_service) - Unknown owner - C:\MY PROGRAMS\DESKTOP\CR2\rcp_scheduler.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 10843 bytes

Thanks in advance of your help!

**ken545** · 2008-11-14, 18:52

Hello Chocoa

Welcome to Safer Networking.

Please read Before You Post
That said, All advice given by anyone volunteering here, is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
It is advisable that you back up your personal data before starting any clean up procedure.

First let me give you a heads up on a program you have installed. This is totally your call to keep or remove it via the Add Remove Programs in the Control Panel.

NetMeter.exe
http://www.bleepingcomputer.com/star....exe-3644.html

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O4 - HKLM\..\Run: [20716341] rundll32.exe "C:\WINDOWS\system32\ocwagmdt.dll",b

Please download ATF Cleaner by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.

Chocoa · 2008-11-14, 22:09

Hello and Thankyou! Ken 545

Nice to deal with a fellow Ken! You guys need a medal ( each) such swift and efficient help...

I took your suggestion and removed Netmeter.exe ( not an essential app so better safe than sorry)

I followed your procedure as described and below are the resultant logs from Hijackthis and MbAM post cleaning and a further log after a follow-up run.

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:04 PM, on 14/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\program files\powerstrip\pstrip.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Giganews Accelerator\GiganewsAccelerator.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ATITool\ATITool.exe
C:\MY PROGRAMS\DESKTOP\Process Explorer\procexp.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8010
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {82632E34-61CC-477E-B908-AB6766D8BCA0} - (no file)
O2 - BHO: (no name) - {89DCBF90-41FB-4BFF-9323-A3CAF71119CC} - (no file)
O2 - BHO: (no name) - {A914B081-6A42-4F4E-9A3E-CB1A16C7B858} - (no file)
O2 - BHO: (no name) - {BDA79159-0EC1-40CD-BF9F-9959B9C520C0} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - .DEFAULT User Startup: OP_CACHE.ATR (User 'Default user')
O4 - .DEFAULT User Startup: OP_CACHE.IDX (User 'Default user')
O4 - Startup: ATITool.lnk = C:\Program Files\ATITool\ATITool.exe
O4 - Startup: OP_CACHE.ATR
O4 - Startup: OP_CACHE.IDX
O4 - Startup: procexp.lnk = ?
O4 - Global Startup: Giganews Accelerator.lnk = C:\Program Files\Giganews Accelerator\GiganewsAccelerator.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: OP_CACHE.ATR
O4 - Global Startup: OP_CACHE.IDX
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download All by FlashGet - C:\INTERNET\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\INTERNET\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\INTERNET\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\INTERNET\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...l/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll etekeq.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: ReaConverter scheduler service (rcp_service) - Unknown owner - C:\MY PROGRAMS\DESKTOP\CR2\rcp_scheduler.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 11139 bytes

Post clean Log by MbAM:

Malwarebytes' Anti-Malware 1.30
Database version: 1399
Windows 5.1.2600 Service Pack 2

14/11/2008 8:45:37 PM
mbam-log-2008-11-14 (20-45-37).txt

Scan type: Quick Scan
Objects scanned: 59236
Time elapsed: 4 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 31
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 44

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\qdnrnrvx.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xxyxWPgG.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xxyayXpP.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\etekeq.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{09268bf8-2816-4716-91ca-0b6b72460ab7} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyayxpp (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{09268bf8-2816-4716-91ca-0b6b72460ab7} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56a96899-c90b-40bd-9e71-1983fceca009} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{56a96899-c90b-40bd-9e71-1983fceca009} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b810797e-e073-4dcf-8d17-bcdaf6afb97d} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{b810797e-e073-4dcf-8d17-bcdaf6afb97d} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b810797e-e073-4dcf-8d17-bcdaf6afb97d} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f7f6a171-302e-4361-9ebb-ca9b1055f2ca} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f7f6a171-302e-4361-9ebb-ca9b1055f2ca} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f9dce697-6a0c-4551-b94f-5066425b24a7} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f9dce697-6a0c-4551-b94f-5066425b24a7} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{09268bf8-2816-4716-91ca-0b6b72460ab7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{56a96899-c90b-40bd-9e71-1983fceca009} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4cab59b4-55a3-4737-9fd5-b93c6430bf76} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4cab59b4-55a3-4737-9fd5-b93c6430bf76} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4a5a2907-dddf-4738-bef5-fd6e1dd841d4} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5c9c7ba4-379d-435c-b3e5-c4ba345b0ddf} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5c9c7ba4-379d-435c-b3e5-c4ba345b0ddf} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a5fe5b5b-788a-4412-b7be-bea804980d15} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a5fe5b5b-788a-4412-b7be-bea804980d15} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ab4d851b-3a62-491a-b621-ab7d8508dc9c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ab4d851b-3a62-491a-b621-ab7d8508dc9c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e8dab872-9c11-4d10-b158-1670a8657690} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e8dab872-9c11-4d10-b158-1670a8657690} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\xprepairpro2007 (Rogue.XPRepairPro2007) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\20716341 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{09268bf8-2816-4716-91ca-0b6b72460ab7} (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\xxyxwpgg -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxyxwpgg -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\xxyayXpP.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\etekeq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xxyxWPgG.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\GgPWxyxx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\GgPWxyxx.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cvybsrnk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\knrsbyvc.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dhqaaoni.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inoaaqhd.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jcgmsydt.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdysmgcj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nhdirfwv.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vwfridhn.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nobblleq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qellbbon.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ooeemqwo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\owqmeeoo.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qdnrnrvx.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xvrnrndq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xvrnrndq.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uooasjld.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dljsaoou.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xgdpwika.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\akiwpdgx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aeexuwqq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\famtvksr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\faqqdewy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\npjovlqn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vpxcab.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\whbeinya.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uvqakz.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kiiowa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ttvfphru.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\boqenosk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hyfltw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ddphmqbu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\njgcwn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xpyfdykf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yayyxwwx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kriirw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\Content.IE5\47FFK77S\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\Content.IE5\E81A5LJ3\kb600179[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iifcBsTK.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brian\results.txt (Malware.Trace) -> Quarantined and deleted successfully.

And finally the second follow-up ( for my benefit! :

Malwarebytes' Anti-Malware 1.30
Database version: 1399
Windows 5.1.2600 Service Pack 2

14/11/2008 8:57:18 PM
mbam-log-2008-11-14 (20-57-18).txt

Scan type: Quick Scan
Objects scanned: 58916
Time elapsed: 4 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Looks good - I think?!

**ken545** · 2008-11-14, 23:58

Hello Ken,

Remove these with HJT

O2 - BHO: (no name) - {82632E34-61CC-477E-B908-AB6766D8BCA0} - (no file)
O2 - BHO: (no name) - {89DCBF90-41FB-4BFF-9323-A3CAF71119CC} - (no file)
O2 - BHO: (no name) - {A914B081-6A42-4F4E-9A3E-CB1A16C7B858} - (no file)
O2 - BHO: (no name) - {BDA79159-0EC1-40CD-BF9F-9959B9C520C0} - (no file)

There may be more we can't see, this GARBAGE installs all over the place

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Chocoa · 2008-11-15, 08:15

Hi Ken

I ran HJT and then ComboFix and finally HJT again as requested. - (log below)

Couple of points:

1) The Four BHO's did not clear and re-appeared on the second run of HJT after ComboFix completed ( see below).

2) The Combofix txt file is 685 KB and too big to paste here how do you wish me to proceed. I can upload it to a link of your choice if you wish....

3) I don't know if its relevant but this pc ( the infected one your helping to clean) has the 'bug' that stops me deleting empty folders. hence you may have seen reference to "UNLOCKER.exe" Which I have to use to unlock the folders to delete them. Could the bug be causing any issues here?

The final HJT log file is below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:13 AM, on 15/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\program files\powerstrip\pstrip.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Giganews Accelerator\GiganewsAccelerator.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ATITool\ATITool.exe
C:\MY PROGRAMS\DESKTOP\Process Explorer\procexp.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8010
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {82632E34-61CC-477E-B908-AB6766D8BCA0} - (no file)
O2 - BHO: (no name) - {89DCBF90-41FB-4BFF-9323-A3CAF71119CC} - (no file)
O2 - BHO: (no name) - {A914B081-6A42-4F4E-9A3E-CB1A16C7B858} - (no file)
O2 - BHO: (no name) - {BDA79159-0EC1-40CD-BF9F-9959B9C520C0} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Security Suite Pro\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: ATITool.lnk = C:\Program Files\ATITool\ATITool.exe
O4 - Startup: procexp.lnk = ?
O4 - Global Startup: Giganews Accelerator.lnk = C:\Program Files\Giganews Accelerator\GiganewsAccelerator.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download All by FlashGet - C:\INTERNET\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\INTERNET\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Outpost Security Suite Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Security Suite Pro\ie_bar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\INTERNET\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\INTERNET\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...l/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: ReaConverter scheduler service (rcp_service) - Unknown owner - C:\MY PROGRAMS\DESKTOP\CR2\rcp_scheduler.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 11008 bytes

Let me know how you would like me to proceed. - many thanks so far for your assistance....

**ken545** · 2008-11-15, 13:44

Hello,

The reason these will not delete is because the teaTimer is Spybot may be preventing them from being removed.

O2 - BHO: (no name) - {82632E34-61CC-477E-B908-AB6766D8BCA0} - (no file)
O2 - BHO: (no name) - {89DCBF90-41FB-4BFF-9323-A3CAF71119CC} - (no file)
O2 - BHO: (no name) - {A914B081-6A42-4F4E-9A3E-CB1A16C7B858} - (no file)
O2 - BHO: (no name) - {BDA79159-0EC1-40CD-BF9F-9959B9C520C0} - (no file)

Disable the TeaTimer, leave it disabled until we're done or it will prevent fixes from taking[/b]

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.<--You need to do this for it to take effect

At the bottom of this thread under the Submit Reply, you will see a link for Manage Attachments, use the browse feature and attach the Combofix report

Chocoa · 2008-11-15, 16:11

Hi there

Now got rid of the BHO's ( had to remove Spybot as despite unchecking Resident teatimer etc it still re-appeared on reboot) Can always install it again.

Anyway, the post cleaning HJT log is below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:05:15 PM, on 15/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\program files\powerstrip\pstrip.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\NET Traffic Meter\NET Traffic Meter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Giganews Accelerator\GiganewsAccelerator.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ATITool\ATITool.exe
C:\MY PROGRAMS\DESKTOP\Process Explorer\procexp.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8010
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Security Suite Pro\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [NET Traffic Meter] "C:\Program Files\NET Traffic Meter\NET Traffic Meter.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: ATITool.lnk = C:\Program Files\ATITool\ATITool.exe
O4 - Startup: procexp.lnk = ?
O4 - Global Startup: Giganews Accelerator.lnk = C:\Program Files\Giganews Accelerator\GiganewsAccelerator.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download All by FlashGet - C:\INTERNET\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\INTERNET\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Outpost Security Suite Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Security Suite Pro\ie_bar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\INTERNET\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\INTERNET\FlashGet\flashget.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...l/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: ReaConverter scheduler service (rcp_service) - Unknown owner - C:\MY PROGRAMS\DESKTOP\CR2\rcp_scheduler.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 10363 bytes

Cant upload ComboFix log via 'manage attachments' as the file limit is too low I get the error message: "Your file of 685.9 KB bytes exceeds the forum's limit of 19.5 KB for this filetype."

What do you suggest I do?

**ken545** · 2008-11-15, 22:01

Go ahead and break the Combofix report up and take as many replies as you need to submit it all

Chocoa · 2008-11-16, 15:23

Ok Ken here goes.....

ComboFix 08-11-13.01 - Brian 2008-11-15 5:45:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.536 [GMT 0:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Brian\Application Data\inst.exe
c:\windows\system32\_005681_.tmp.dll
c:\windows\system32\_005682_.tmp.dll
c:\windows\system32\_005683_.tmp.dll
c:\windows\system32\_005684_.tmp.dll
c:\windows\system32\_005691_.tmp.dll
c:\windows\system32\_005692_.tmp.dll
c:\windows\system32\_005693_.tmp.dll
c:\windows\system32\_005694_.tmp.dll
c:\windows\system32\_005695_.tmp.dll
c:\windows\system32\_005696_.tmp.dll
c:\windows\system32\_005697_.tmp.dll
c:\windows\system32\_005698_.tmp.dll
c:\windows\system32\_005699_.tmp.dll
c:\windows\system32\_005700_.tmp.dll
c:\windows\system32\_005701_.tmp.dll
c:\windows\system32\_005702_.tmp.dll
c:\windows\system32\_005703_.tmp.dll
c:\windows\system32\_005704_.tmp.dll
c:\windows\system32\_005705_.tmp.dll
c:\windows\system32\_005706_.tmp.dll
c:\windows\system32\_005707_.tmp.dll
c:\windows\system32\_005708_.tmp.dll
c:\windows\system32\_005709_.tmp.dll
c:\windows\system32\_005710_.tmp.dll
c:\windows\system32\_005711_.tmp.dll
c:\windows\system32\_005714_.tmp.dll
c:\windows\system32\_005715_.tmp.dll
c:\windows\system32\_005716_.tmp.dll
c:\windows\system32\_005717_.tmp.dll
c:\windows\system32\_005718_.tmp.dll
c:\windows\system32\_005719_.tmp.dll
c:\windows\system32\_005720_.tmp.dll
c:\windows\system32\_005721_.tmp.dll
c:\windows\system32\_005722_.tmp.dll
c:\windows\system32\_005723_.tmp.dll
c:\windows\system32\_005724_.tmp.dll
c:\windows\system32\_005725_.tmp.dll
c:\windows\system32\_005727_.tmp.dll
c:\windows\system32\_005728_.tmp.dll
c:\windows\system32\_005729_.tmp.dll
c:\windows\system32\_005730_.tmp.dll
c:\windows\system32\_005731_.tmp.dll
c:\windows\system32\_005732_.tmp.dll
c:\windows\system32\_005733_.tmp.dll
c:\windows\system32\_005736_.tmp.dll
c:\windows\system32\_005737_.tmp.dll
c:\windows\system32\_005738_.tmp.dll
c:\windows\system32\_005739_.tmp.dll
c:\windows\system32\_005740_.tmp.dll
c:\windows\system32\_005742_.tmp.dll
c:\windows\system32\_005743_.tmp.dll
c:\windows\system32\_005744_.tmp.dll
c:\windows\system32\_005745_.tmp.dll
c:\windows\system32\_005746_.tmp.dll
c:\windows\system32\_005747_.tmp.dll
c:\windows\system32\_005748_.tmp.dll
c:\windows\system32\_005749_.tmp.dll
c:\windows\system32\_005750_.tmp.dll
c:\windows\system32\_005752_.tmp.dll
c:\windows\system32\_005753_.tmp.dll
c:\windows\system32\_005754_.tmp.dll
c:\windows\system32\_005755_.tmp.dll
c:\windows\system32\_005757_.tmp.dll
c:\windows\system32\_005759_.tmp.dll
c:\windows\system32\_005760_.tmp.dll
c:\windows\system32\_005761_.tmp.dll
c:\windows\system32\_005762_.tmp.dll
c:\windows\system32\_005763_.tmp.dll
c:\windows\system32\_005764_.tmp.dll
c:\windows\system32\_005765_.tmp.dll
c:\windows\system32\_005766_.tmp.dll
c:\windows\system32\_005768_.tmp.dll
c:\windows\system32\_005769_.tmp.dll
c:\windows\system32\_005770_.tmp.dll
c:\windows\system32\_005771_.tmp.dll
c:\windows\system32\_005772_.tmp.dll
c:\windows\system32\_005773_.tmp.dll
c:\windows\system32\_005774_.tmp.dll
c:\windows\system32\_005775_.tmp.dll
c:\windows\system32\_005777_.tmp.dll
c:\windows\system32\_005778_.tmp.dll
c:\windows\system32\_005779_.tmp.dll
c:\windows\system32\_005780_.tmp.dll
c:\windows\system32\_005783_.tmp.dll
c:\windows\system32\_005784_.tmp.dll
c:\windows\system32\_005788_.tmp.dll
c:\windows\system32\_005789_.tmp.dll
c:\windows\system32\_005791_.tmp.dll
c:\windows\system32\_005793_.tmp.dll
c:\windows\system32\_005794_.tmp.dll
c:\windows\system32\_005796_.tmp.dll
c:\windows\system32\_005797_.tmp.dll
c:\windows\system32\_005798_.tmp.dll
c:\windows\system32\_005799_.tmp.dll
c:\windows\system32\_005802_.tmp.dll
c:\windows\system32\_005803_.tmp.dll
c:\windows\system32\_005804_.tmp.dll
c:\windows\system32\_005805_.tmp.dll
c:\windows\system32\_005806_.tmp.dll
c:\windows\system32\_005811_.tmp.dll
c:\windows\system32\_005813_.tmp.dll
c:\windows\system32\_005814_.tmp.dll
c:\windows\system32\_007888_.tmp.dll
c:\windows\system32\_007889_.tmp.dll
c:\windows\system32\_007890_.tmp.dll
c:\windows\system32\_007891_.tmp.dll
c:\windows\system32\_007898_.tmp.dll
c:\windows\system32\_007899_.tmp.dll
c:\windows\system32\_007900_.tmp.dll
c:\windows\system32\_007901_.tmp.dll
c:\windows\system32\_007903_.tmp.dll
c:\windows\system32\_007904_.tmp.dll
c:\windows\system32\_007907_.tmp.dll
c:\windows\system32\_007908_.tmp.dll
c:\windows\system32\_007910_.tmp.dll
c:\windows\system32\_007911_.tmp.dll
c:\windows\system32\_007912_.tmp.dll
c:\windows\system32\_007914_.tmp.dll
c:\windows\system32\_007916_.tmp.dll
c:\windows\system32\_007917_.tmp.dll
c:\windows\system32\_007918_.tmp.dll
c:\windows\system32\_007922_.tmp.dll
c:\windows\system32\_007923_.tmp.dll
c:\windows\system32\_007925_.tmp.dll
c:\windows\system32\_007927_.tmp.dll
c:\windows\system32\_007928_.tmp.dll
c:\windows\system32\_007930_.tmp.dll
c:\windows\system32\_007931_.tmp.dll
c:\windows\system32\_007932_.tmp.dll
c:\windows\system32\_007933_.tmp.dll
c:\windows\system32\_007934_.tmp.dll
c:\windows\system32\_007937_.tmp.dll
c:\windows\system32\_007938_.tmp.dll
c:\windows\system32\_007939_.tmp.dll
c:\windows\system32\_007940_.tmp.dll
c:\windows\system32\_007941_.tmp.dll
c:\windows\system32\_007946_.tmp.dll
c:\windows\system32\_007948_.tmp.dll
c:\windows\system32\_007949_.tmp.dll
c:\windows\system32\jSrsDJlm.ini
c:\windows\system32\tdmgawco.ini
c:\windows\system32\utusdods.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSASVC
-------\Legacy_NPF
-------\Legacy_VFILT
-------\Service_MsaSvc

Chocoa · 2008-11-16, 15:24

((((((((((((((((((((((((( Files Created from 2008-10-15 to 2008-11-15 )))))))))))))))))))))))))))))))
.

2008-11-14 21:39 . 2007-10-05 16:41 1,040,561 --a------ c:\windows\system32\drivers\VBEngNT.sys
2008-11-14 21:39 . 2007-11-29 18:23 439,232 --a------ c:\windows\system32\drivers\SandBox.sys
2008-11-14 21:39 . 2007-12-03 13:40 199,696 --a------ c:\windows\system32\drivers\afw.sys
2008-11-14 21:39 . 2007-10-25 18:17 49 --a------ c:\windows\transp.gif
2008-11-14 20:32 . 2008-11-14 21:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-14 20:32 . 2008-11-14 20:32 <DIR> d-------- c:\documents and settings\Brian\Application Data\Malwarebytes
2008-11-14 20:32 . 2008-11-14 20:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-14 20:32 . 2008-11-14 20:32 1,538,702 ---hs---- c:\windows\system32\xvrnrndq.tmp
2008-11-14 20:32 . 2008-10-22 16:28 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-14 20:32 . 2008-10-22 16:28 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-14 20:31 . 2008-11-14 20:31 41,472 --a------ c:\windows\system32\enexyjyn.dll
2008-11-14 20:20 . 2008-11-14 20:20 41,472 --a------ c:\windows\system32\shrjuudl.dll
2008-11-14 17:19 . 2008-11-14 17:19 1,539,768 ---hs---- c:\windows\system32\tdysmgcj.tmp
2008-11-14 17:19 . 2008-11-14 17:19 41,472 --a------ c:\windows\system32\iaboaqno.dll
2008-11-14 17:04 . 2008-11-14 17:04 41,472 --a------ c:\windows\system32\bvkktexf.dll
2008-11-14 16:18 . 2008-11-14 16:18 41,472 --a------ c:\windows\system32\ttdpfvcl.dll
2008-11-14 15:45 . 2008-11-14 15:45 41,472 --a------ c:\windows\system32\cxxlhdrw.dll
2008-11-14 15:44 . 2008-11-14 15:44 1,537,512 ---hs---- c:\windows\system32\qellbbon.tmp
2008-11-14 15:44 . 2008-11-14 15:44 41,472 --a------ c:\windows\system32\lrbbcifa.dll
2008-11-14 15:12 . 2008-11-14 15:12 41,472 --a------ c:\windows\system32\biexovyf.dll
2008-11-14 12:41 . 2008-11-14 12:53 96,976 --a------ c:\windows\system32\drivers\klin.dat
2008-11-14 12:41 . 2008-11-14 12:41 87,855 --a------ c:\windows\system32\drivers\klick.dat
2008-11-14 12:40 . 2008-11-14 12:40 <DIR> d-------- c:\program files\Kaspersky Lab
2008-11-14 12:40 . 2008-11-14 21:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-11-14 12:40 . 2008-11-15 05:48 5,985,312 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-11-14 12:40 . 2008-11-15 05:51 1,015,840 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2008-11-14 12:40 . 2008-11-15 05:48 48,888 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-11-14 12:40 . 2008-11-15 05:53 4,552 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2008-11-14 12:39 . 2008-11-14 12:39 41,472 --a------ c:\windows\system32\ekiyxktf.dll
2008-11-14 12:22 . 2008-11-14 12:22 41,472 --a------ c:\windows\system32\wowjatdg.dll
2008-11-14 12:21 . 2008-11-14 12:21 41,472 --a------ c:\windows\system32\idexyswn.dll
2008-11-14 11:51 . 2008-11-14 11:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-14 08:33 . 2008-11-14 08:33 41,472 --a------ c:\windows\system32\raoevcbb.dll
2008-11-14 07:49 . 2008-11-14 07:49 <DIR> d-------- c:\program files\Trend Micro
2008-11-14 01:24 . 2008-11-14 21:42 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-14 01:24 . 2008-11-14 20:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-14 01:15 . 2008-11-14 01:15 85,504 --a------ c:\windows\system32\nmsbryqp.dll
2008-11-14 01:12 . 2008-11-14 01:12 85,504 --a------ c:\windows\system32\kusantsq.dll
2008-11-14 01:09 . 2008-11-14 01:09 85,504 --a------ c:\windows\system32\kncgswjb.dll
2008-11-13 14:07 . 2008-11-13 14:07 85,504 --a------ c:\windows\system32\ruffmgkg.dll
2008-11-13 11:27 . 2008-11-13 11:27 85,504 --a------ c:\windows\system32\qfrixqvo.dll
2008-11-13 10:47 . 2008-11-13 10:47 85,504 --a------ c:\windows\system32\vaecichb.dll
2008-11-12 07:10 . 2008-11-12 07:10 85,504 --a------ c:\windows\system32\lwqfikag.dll
2008-11-11 07:09 . 2008-11-11 07:09 85,504 --a------ c:\windows\system32\gidddmux.dll
2008-11-11 06:54 . 2007-02-01 16:50 110,128 -ra------ c:\windows\system32\drivers\SI3112r.sys
2008-11-11 06:54 . 2007-02-01 16:50 83,760 -ra------ c:\windows\system32\SilSupp.cpl
2008-11-11 06:54 . 2007-02-01 16:50 17,328 -ra------ c:\windows\system32\drivers\SiWinAcc.sys
2008-11-10 18:40 . 2008-11-10 18:40 85,504 --a------ c:\windows\system32\lrybjeym.dll
2008-11-10 18:32 . 2008-11-10 18:32 85,504 --a------ c:\windows\system32\wggangox.dll
2008-11-09 17:15 . 2008-11-14 16:01 <DIR> d--hs---- C:\USMT.TMP
2008-11-09 07:06 . 2000-03-17 09:07 11,136 --a------ c:\windows\system32\drivers\Softlok.sys
2008-11-09 07:06 . 2000-03-17 09:08 9,892 --a------ c:\windows\system32\mnxx.386
2008-11-08 21:14 . 2008-11-14 16:01 <DIR> d-------- c:\program files\AutoStreamer
2008-11-08 02:12 . 2008-11-08 02:12 1,905,517 --ahs---- c:\windows\system32\oamswgdi.tmp
2008-11-08 01:47 . 2008-04-14 05:42 354,304 --a------ c:\windows\system32\SET1EF4.tmp
2008-11-08 01:47 . 2008-04-14 05:40 177,152 --a------ c:\windows\system32\SET1F27.tmp
2008-11-08 01:47 . 2008-04-14 05:42 121,856 --a------ c:\windows\system32\SET1EEB.tmp
2008-11-08 01:47 . 2008-04-14 05:42 80,896 --a------ c:\windows\system32\SET1EEF.tmp
2008-11-08 01:47 . 2008-04-14 05:42 75,776 --a------ c:\windows\system32\SET1EFF.tmp
2008-11-08 01:47 . 2008-04-14 05:41 24,576 --a------ c:\windows\system32\SET1F4B.tmp
2008-11-08 01:47 . 2008-04-14 05:42 15,872 --a------ c:\windows\system32\SET1EF8.tmp
2008-11-08 01:46 . 2008-04-14 05:42 471,552 --a------ c:\windows\system32\SET14E2.tmp
2008-11-08 01:46 . 2008-04-14 05:41 95,744 --a------ c:\windows\system32\SET14E8.tmp
2008-11-08 01:42 . 2006-12-29 00:31 19,569 --a------ c:\windows\003854_.tmp
2008-11-08 01:40 . 2008-08-14 10:00 2,180,352 --a------ c:\windows\system32\ntoskrnl.exe
2008-11-08 01:24 . 2004-08-04 12:00 68,608 --a--c--- c:\windows\system32\dllcache\plugin.ocx
2008-11-07 19:09 . 2008-11-07 19:09 1,905,517 --ahs---- c:\windows\system32\idnywjyw.tmp
2008-11-07 18:38 . 2008-11-15 05:51 2,422 --a------ c:\windows\system32\wpa.dbl
2008-11-07 18:36 . 2008-11-15 05:48 31,056 --a------ c:\windows\system32\BMXStateBkp-{00000000-00000000-0000000A-00001102-00000004-20021102}.rfx
2008-11-07 18:36 . 2008-11-15 05:48 31,056 --a------ c:\windows\system32\BMXState-{00000000-00000000-0000000A-00001102-00000004-20021102}.rfx
2008-11-07 18:36 . 2008-11-15 05:48 30,528 --a------ c:\windows\system32\BMXCtrlState-{00000000-00000000-0000000A-00001102-00000004-20021102}.rfx
2008-11-07 18:36 . 2008-11-15 05:48 30,528 --a------ c:\windows\system32\BMXBkpCtrlState-{00000000-00000000-0000000A-00001102-00000004-20021102}.rfx
2008-11-07 18:36 . 2008-11-15 05:48 11,564 --a------ c:\windows\system32\DVCState-{00000000-00000000-0000000A-00001102-00000004-20021102}.rfx
2008-11-07 18:36 . 2008-11-15 05:48 1,080 --a------ c:\windows\system32\settingsbkup.sfm
2008-11-07 18:36 . 2008-11-15 05:48 1,080 --a------ c:\windows\system32\settings.sfm
2008-11-07 18:10 . 2008-11-07 18:10 101,045 --a------ C:\Image1.pspimage
2008-11-06 22:49 . 2008-11-07 18:25 <DIR> d-------- c:\documents and settings\Brian\Application Data\SupRip
2008-11-06 12:36 . 2008-11-06 12:36 20 --a------ C:\nodgen.ini
2008-11-06 11:34 . 2008-11-06 11:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-11-06 00:11 . 2008-04-14 05:42 354,304 --a------ c:\windows\system32\SET11BE.tmp
2008-11-06 00:11 . 2008-04-14 05:40 177,152 --a------ c:\windows\system32\SET11F1.tmp
2008-11-06 00:11 . 2008-04-14 05:42 121,856 --a------ c:\windows\system32\SET11B5.tmp
2008-11-06 00:11 . 2008-04-14 05:42 80,896 --a------ c:\windows\system32\SET11B9.tmp
2008-11-06 00:11 . 2008-04-14 05:42 75,776 --a------ c:\windows\system32\SET11C9.tmp
2008-11-06 00:11 . 2008-04-14 05:41 24,576 --a------ c:\windows\system32\SET1215.tmp
2008-11-06 00:11 . 2008-04-14 05:42 15,872 --a------ c:\windows\system32\SET11C2.tmp
2008-11-06 00:11 . 2008-04-14 05:42 6,656 --a------ c:\windows\system32\SET11B6.tmp
2008-11-06 00:09 . 2008-04-14 05:42 8,461,312 --a------ c:\windows\system32\SET2D7.tmp
2008-11-06 00:07 . 2006-12-29 00:31 19,569 --a------ c:\windows\003846_.tmp
2008-11-06 00:06 . 2004-08-03 23:00 71,040 --------- c:\windows\system32\drivers\_005674_.tmp.dll
2008-11-05 23:38 . 2008-04-14 05:42 354,304 --a------ c:\windows\system32\SET10D8.tmp
2008-11-05 23:38 . 2008-04-14 05:40 177,152 --a------ c:\windows\system32\SET110B.tmp
2008-11-05 23:38 . 2008-04-14 05:42 121,856 --a------ c:\windows\system32\SET10CF.tmp
2008-11-05 23:38 . 2008-04-14 05:42 80,896 --a------ c:\windows\system32\SET10D3.tmp
2008-11-05 23:38 . 2008-04-14 05:42 75,776 --a------ c:\windows\system32\SET10E3.tmp
2008-11-05 23:38 . 2008-04-14 05:41 24,576 --a------ c:\windows\system32\SET112F.tmp
2008-11-05 23:38 . 2008-04-14 05:42 15,872 --a------ c:\windows\system32\SET10DC.tmp
2008-11-05 23:38 . 2008-04-14 05:42 6,656 --a------ c:\windows\system32\SET10D0.tmp
2008-11-05 23:37 . 2008-04-14 05:42 471,552 --a------ c:\windows\system32\SET6C6.tmp
2008-11-05 23:37 . 2008-04-14 05:41 95,744 --a------ c:\windows\system32\SET6CC.tmp
2008-11-05 23:34 . 2006-12-29 00:31 19,569 --a------ c:\windows\003837_.tmp
2008-11-05 23:32 . 2004-08-03 23:00 71,040 --------- c:\windows\system32\drivers\_005666_.tmp.dll
2008-11-05 23:04 . 2008-04-14 05:41 1,267,200 --a------ c:\windows\system32\SET3FE.tmp
2008-11-05 23:01 . 2006-12-29 00:31 19,569 --a------ c:\windows\006044_.tmp
2008-11-05 22:59 . 2004-08-03 23:00 71,040 --------- c:\windows\system32\drivers\_005656_.tmp.dll
2008-11-03 05:50 . 2008-11-03 05:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ashampoo
2008-11-03 05:29 . 2008-11-03 05:49 <DIR> d-------- c:\program files\Ashampoo
2008-10-28 15:39 . 2008-11-14 16:01 <DIR> d-------- C:\spoolerlogs
2008-10-28 14:34 . 2008-11-14 16:01 <DIR> d-------- c:\program files\iPod
2008-10-28 14:34 . 2008-10-28 14:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-28 14:32 . 2008-10-28 14:32 <DIR> d-------- c:\program files\Common Files\Apple
2008-10-28 14:18 . 2008-10-28 14:18 <DIR> d-------- c:\program files\Amazon
2008-10-28 14:18 . 2008-10-28 14:18 <DIR> d-------- c:\documents and settings\Brian\Application Data\Amazon
2008-10-26 22:33 . 2008-10-26 22:33 <DIR> d-------- C:\Music
2008-10-23 03:27 . 2008-10-23 03:27 <DIR> d-------- c:\program files\Sky
2008-10-23 03:27 . 2008-11-14 16:01 <DIR> d-------- c:\program files\Kontiki
2008-10-23 02:48 . 2008-11-14 16:01 <DIR> d-------- c:\program files\Zattoo
2008-10-22 23:59 . 2008-11-14 21:43 <DIR> d-------- c:\program files\XP Repair Pro 2007
2008-10-22 23:40 . 2008-11-14 16:01 <DIR> d-------- c:\program files\XP Repair Pro 4.0
2008-10-22 15:07 . 2008-10-22 15:07 <DIR> d-------- c:\documents and settings\Brian\Application Data\Acronis
2008-10-22 14:59 . 2008-10-22 15:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Acronis
2008-10-22 14:59 . 2008-10-22 14:59 971,232 --a------ c:\windows\system32\drivers\tdrpm147.sys
2008-10-22 14:59 . 2008-10-22 14:59 540,000 --a------ c:\windows\system32\drivers\timntr.sys
2008-10-22 14:59 . 2008-10-22 14:59 134,272 --a------ c:\windows\system32\drivers\snman380.sys
2008-10-22 14:59 . 2008-10-22 14:59 44,704 --a------ c:\windows\system32\drivers\tifsfilt.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-15 05:42 --------- d-----w c:\documents and settings\Brian\Application Data\Newsbin
2008-11-15 01:00 --------- d-----w c:\program files\ATI Multimedia
2008-11-14 22:48 --------- d-----w c:\program files\Mozilla Thunderbird
2008-11-14 21:45 --------- d-----w c:\documents and settings\Brian\Application Data\TeraCopy
2008-11-14 21:43 --------- d-----w c:\program files\XviD
2008-11-14 16:01 --------- d--h--w c:\program files\Zero G Registry
2008-11-14 14:59 --------- d-----w c:\documents and settings\Brian\Application Data\ImgBurn
2008-11-08 02:07 --------- d-----w c:\documents and settings\Brian\Application Data\IcoFX
2008-11-03 18:26 --------- d-----w c:\documents and settings\Brian\Application Data\Vso
2008-10-28 14:35 --------- d-----w c:\documents and settings\Brian\Application Data\Apple Computer
2008-10-23 03:41 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2008-10-18 01:03 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-12 10:59 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-09-24 06:07 --------- d-----w c:\documents and settings\Brian\Application Data\vlc
2008-03-01 22:25 47,360 ----a-w c:\documents and settings\Brian\Application Data\pcouffin.sys
2005-03-20 03:31 104 --sha-r c:\windows\system32\25C5867077.sys
.

Code:

<pre>
----a-w           940,544 2007-08-13 22:01:02  c:\my programs\HD\Evo DEmux\EVOdemux 0627 b7 .exe
</pre>

2008-11-14, 09:40	#1
Chocoa Junior Member Join Date: Nov 2008 Location: Near Bath UK Posts: 23	Hit by Virtumonde... Please help Hi, Spybot tells me my pc is infected with "Virtumonde". And, despite following the removal method suggested by Spubot it appears again. Please find below the log from hijackthis.... Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:34:52 AM, on 14/11/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18241) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe C:\WINDOWS\Explorer.EXE C:\Program Files\CyberLink\Shared files\RichVideo.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\WINDOWS\system32\SearchIndexer.exe C:\WINDOWS\system32\CTHELPER.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Microsoft IntelliType Pro\itype.exe C:\program files\powerstrip\pstrip.exe C:\Program Files\Unlocker\UnlockerAssistant.exe C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe C:\WINDOWS\system32\ctfmon.exe C:\INTERNET\NetMeter\NetMeter.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe C:\Program Files\Giganews Accelerator\GiganewsAccelerator.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\ATITool\ATITool.exe C:\MY PROGRAMS\DESKTOP\Process Explorer\procexp.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Program Files\Opera\opera.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8010 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file) O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe" O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe O4 - HKLM\..\Run: [20716341] rundll32.exe "C:\WINDOWS\system32\ocwagmdt.dll",b O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe O4 - HKCU\..\Run: [C:\INTERNET\NetMeter\NetMeter.exe] C:\INTERNET\NetMeter\NetMeter.exe O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user') O4 - Startup: ATITool.lnk = C:\Program Files\ATITool\ATITool.exe O4 - Startup: procexp.lnk = ? O4 - Global Startup: Giganews Accelerator.lnk = C:\Program Files\Giganews Accelerator\GiganewsAccelerator.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Download All by FlashGet - C:\INTERNET\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\INTERNET\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\INTERNET\FlashGet\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\INTERNET\FlashGet\flashget.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813 O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...l/LSSupCtl.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) - O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll lxwzxm.dll O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing) O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe O23 - Service: ReaConverter scheduler service (rcp_service) - Unknown owner - C:\MY PROGRAMS\DESKTOP\CR2\rcp_scheduler.exe (file missing) O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe -- End of file - 10843 bytes Thanks in advance of your help!

2008-11-14, 18:52	#2
ken545 Security Expert Join Date: Nov 2005 Location: Darien, CT Posts: 8,297	Hello Chocoa Welcome to Safer Networking. Please read Before You Post That said, All advice given by anyone volunteering here, is taken at your own risk. While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your personal data before starting any clean up procedure. First let me give you a heads up on a program you have installed. This is totally your call to keep or remove it via the Add Remove Programs in the Control Panel. NetMeter.exe http://www.bleepingcomputer.com/star....exe-3644.html Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked. R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O4 - HKLM\..\Run: [20716341] rundll32.exe "C:\WINDOWS\system32\ocwagmdt.dll",b Please download ATF Cleaner by Atribune to your desktop. This program is for XP and Windows 2000 only Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility. Please download Malwarebytes' Anti-Malware from Here or Here Double Click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected.<-- Don't forget this When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy and Paste the entire report in your next reply along with a New Hijackthis log. __________________ Microsoft MVP Consumer Security 2007-2008-2009 ERROR MESSAGE 386 No KeyBoard Detected Press F1 To Continue

2008-11-14, 23:58	#4
ken545 Security Expert Join Date: Nov 2005 Location: Darien, CT Posts: 8,297	Hello Ken, Remove these with HJT O2 - BHO: (no name) - {82632E34-61CC-477E-B908-AB6766D8BCA0} - (no file) O2 - BHO: (no name) - {89DCBF90-41FB-4BFF-9323-A3CAF71119CC} - (no file) O2 - BHO: (no name) - {A914B081-6A42-4F4E-9A3E-CB1A16C7B858} - (no file) O2 - BHO: (no name) - {BDA79159-0EC1-40CD-BF9F-9959B9C520C0} - (no file) There may be more we can't see, this GARBAGE installs all over the place Download ComboFix from one of these locations: Link 1 Link 2 Link 3 * IMPORTANT !!! Save ComboFix.exe to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools See this Link for programs that need to be disabled and instruction on how to disable them. Remember to re-enable them when we're done. Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.** If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections. __________________ Microsoft MVP Consumer Security 2007-2008-2009* ERROR MESSAGE 386 No KeyBoard Detected Press F1 To Continue

2008-11-15, 13:44	#6
ken545 Security Expert Join Date: Nov 2005 Location: Darien, CT Posts: 8,297	Hello, The reason these will not delete is because the teaTimer is Spybot may be preventing them from being removed. O2 - BHO: (no name) - {82632E34-61CC-477E-B908-AB6766D8BCA0} - (no file) O2 - BHO: (no name) - {89DCBF90-41FB-4BFF-9323-A3CAF71119CC} - (no file) O2 - BHO: (no name) - {A914B081-6A42-4F4E-9A3E-CB1A16C7B858} - (no file) O2 - BHO: (no name) - {BDA79159-0EC1-40CD-BF9F-9959B9C520C0} - (no file) Disable the TeaTimer, leave it disabled until we're done or it will prevent fixes from taking[/b] Run Spybot-S&D in Advanced Mode. If it is not already set to do this Go to the Mode menu select "Advanced Mode" On the left hand side, Click on Tools Then click on the Resident Icon in the List Uncheck "Resident TeaTimer" and OK any prompts. Restart your computer.<--You need to do this for it to take effect At the bottom of this thread under the Submit Reply, you will see a link for Manage Attachments, use the browse feature and attach the Combofix report __________________ Microsoft MVP Consumer Security 2007-2008-2009 ERROR MESSAGE 386 No KeyBoard Detected Press F1 To Continue

2008-11-15, 22:01	#8
ken545 Security Expert Join Date: Nov 2005 Location: Darien, CT Posts: 8,297	Go ahead and break the Combofix report up and take as many replies as you need to submit it all __________________ Microsoft MVP Consumer Security 2007-2008-2009 ERROR MESSAGE 386 No KeyBoard Detected Press F1 To Continue

2008-11-15, 08:15	#5
Chocoa Junior Member Join Date: Nov 2008 Location: Near Bath UK Posts: 23	Hi Ken I ran HJT and then ComboFix and finally HJT again as requested. - (log below) Couple of points: 1) The Four BHO's did not clear and re-appeared on the second run of HJT after ComboFix completed ( see below). 2) The Combofix txt file is 685 KB and too big to paste here how do you wish me to proceed. I can upload it to a link of your choice if you wish.... 3) I don't know if its relevant but this pc ( the infected one your helping to clean) has the 'bug' that stops me deleting empty folders. hence you may have seen reference to "UNLOCKER.exe" Which I have to use to unlock the folders to delete them. Could the bug be causing any issues here? The final HJT log file is below. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:51:13 AM, on 15/11/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18241) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe C:\WINDOWS\Explorer.EXE C:\Program Files\CyberLink\Shared files\RichVideo.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\WINDOWS\system32\SearchIndexer.exe C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\Microsoft IntelliType Pro\itype.exe C:\program files\powerstrip\pstrip.exe C:\Program Files\Unlocker\UnlockerAssistant.exe C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE C:\Program Files\Giganews Accelerator\GiganewsAccelerator.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\ATITool\ATITool.exe C:\MY PROGRAMS\DESKTOP\Process Explorer\procexp.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\WINDOWS\system32\wuauclt.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\WINDOWS\system32\SearchProtocolHost.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8010 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: (no name) - {82632E34-61CC-477E-B908-AB6766D8BCA0} - (no file) O2 - BHO: (no name) - {89DCBF90-41FB-4BFF-9323-A3CAF71119CC} - (no file) O2 - BHO: (no name) - {A914B081-6A42-4F4E-9A3E-CB1A16C7B858} - (no file) O2 - BHO: (no name) - {BDA79159-0EC1-40CD-BF9F-9959B9C520C0} - (no file) O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file) O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe" O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Security Suite Pro\feedback.exe" /dump:os_startup O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user') O4 - Startup: ATITool.lnk = C:\Program Files\ATITool\ATITool.exe O4 - Startup: procexp.lnk = ? O4 - Global Startup: Giganews Accelerator.lnk = C:\Program Files\Giganews Accelerator\GiganewsAccelerator.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Download All by FlashGet - C:\INTERNET\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\INTERNET\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Outpost Security Suite Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Security Suite Pro\ie_bar.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\INTERNET\FlashGet\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\INTERNET\FlashGet\flashget.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813 O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...l/LSSupCtl.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) - O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing) O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe O23 - Service: ReaConverter scheduler service (rcp_service) - Unknown owner - C:\MY PROGRAMS\DESKTOP\CR2\rcp_scheduler.exe (file missing) O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe -- End of file - 11008 bytes Let me know how you would like me to proceed. - many thanks so far for your assistance....

2008-11-15, 16:11	#7
Chocoa Junior Member Join Date: Nov 2008 Location: Near Bath UK Posts: 23	Hi there Now got rid of the BHO's ( had to remove Spybot as despite unchecking Resident teatimer etc it still re-appeared on reboot) Can always install it again. Anyway, the post cleaning HJT log is below: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:05:15 PM, on 15/11/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18241) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe C:\WINDOWS\Explorer.EXE C:\Program Files\CyberLink\Shared files\RichVideo.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\WINDOWS\system32\SearchIndexer.exe C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\Microsoft IntelliType Pro\itype.exe C:\program files\powerstrip\pstrip.exe C:\Program Files\Unlocker\UnlockerAssistant.exe C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe C:\Program Files\NET Traffic Meter\NET Traffic Meter.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE C:\Program Files\Giganews Accelerator\GiganewsAccelerator.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\ATITool\ATITool.exe C:\MY PROGRAMS\DESKTOP\Process Explorer\procexp.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Program Files\Opera\opera.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8010 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file) O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe" O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Security Suite Pro\feedback.exe" /dump:os_startup O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" O4 - HKLM\..\Run: [NET Traffic Meter] "C:\Program Files\NET Traffic Meter\NET Traffic Meter.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user') O4 - Startup: ATITool.lnk = C:\Program Files\ATITool\ATITool.exe O4 - Startup: procexp.lnk = ? O4 - Global Startup: Giganews Accelerator.lnk = C:\Program Files\Giganews Accelerator\GiganewsAccelerator.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Download All by FlashGet - C:\INTERNET\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\INTERNET\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Outpost Security Suite Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Security Suite Pro\ie_bar.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\INTERNET\FlashGet\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\INTERNET\FlashGet\flashget.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813 O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...l/LSSupCtl.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) - O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing) O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe O23 - Service: ReaConverter scheduler service (rcp_service) - Unknown owner - C:\MY PROGRAMS\DESKTOP\CR2\rcp_scheduler.exe (file missing) O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe -- End of file - 10363 bytes Cant upload ComboFix log via 'manage attachments' as the file limit is too low I get the error message: "Your file of 685.9 KB bytes exceeds the forum's limit of 19.5 KB for this filetype." What do you suggest I do?

2008-11-16, 15:23	#9
Chocoa Junior Member Join Date: Nov 2008 Location: Near Bath UK Posts: 23	Ok Ken here goes..... ComboFix 08-11-13.01 - Brian 2008-11-15 5:45:30.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.536 [GMT 0:00] Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Brian\Application Data\inst.exe c:\windows\system32\_005681_.tmp.dll c:\windows\system32\_005682_.tmp.dll c:\windows\system32\_005683_.tmp.dll c:\windows\system32\_005684_.tmp.dll c:\windows\system32\_005691_.tmp.dll c:\windows\system32\_005692_.tmp.dll c:\windows\system32\_005693_.tmp.dll c:\windows\system32\_005694_.tmp.dll c:\windows\system32\_005695_.tmp.dll c:\windows\system32\_005696_.tmp.dll c:\windows\system32\_005697_.tmp.dll c:\windows\system32\_005698_.tmp.dll c:\windows\system32\_005699_.tmp.dll c:\windows\system32\_005700_.tmp.dll c:\windows\system32\_005701_.tmp.dll c:\windows\system32\_005702_.tmp.dll c:\windows\system32\_005703_.tmp.dll c:\windows\system32\_005704_.tmp.dll c:\windows\system32\_005705_.tmp.dll c:\windows\system32\_005706_.tmp.dll c:\windows\system32\_005707_.tmp.dll c:\windows\system32\_005708_.tmp.dll c:\windows\system32\_005709_.tmp.dll c:\windows\system32\_005710_.tmp.dll c:\windows\system32\_005711_.tmp.dll c:\windows\system32\_005714_.tmp.dll c:\windows\system32\_005715_.tmp.dll c:\windows\system32\_005716_.tmp.dll c:\windows\system32\_005717_.tmp.dll c:\windows\system32\_005718_.tmp.dll c:\windows\system32\_005719_.tmp.dll c:\windows\system32\_005720_.tmp.dll c:\windows\system32\_005721_.tmp.dll c:\windows\system32\_005722_.tmp.dll c:\windows\system32\_005723_.tmp.dll c:\windows\system32\_005724_.tmp.dll c:\windows\system32\_005725_.tmp.dll c:\windows\system32\_005727_.tmp.dll c:\windows\system32\_005728_.tmp.dll c:\windows\system32\_005729_.tmp.dll c:\windows\system32\_005730_.tmp.dll c:\windows\system32\_005731_.tmp.dll c:\windows\system32\_005732_.tmp.dll c:\windows\system32\_005733_.tmp.dll c:\windows\system32\_005736_.tmp.dll c:\windows\system32\_005737_.tmp.dll c:\windows\system32\_005738_.tmp.dll c:\windows\system32\_005739_.tmp.dll c:\windows\system32\_005740_.tmp.dll c:\windows\system32\_005742_.tmp.dll c:\windows\system32\_005743_.tmp.dll c:\windows\system32\_005744_.tmp.dll c:\windows\system32\_005745_.tmp.dll c:\windows\system32\_005746_.tmp.dll c:\windows\system32\_005747_.tmp.dll c:\windows\system32\_005748_.tmp.dll c:\windows\system32\_005749_.tmp.dll c:\windows\system32\_005750_.tmp.dll c:\windows\system32\_005752_.tmp.dll c:\windows\system32\_005753_.tmp.dll c:\windows\system32\_005754_.tmp.dll c:\windows\system32\_005755_.tmp.dll c:\windows\system32\_005757_.tmp.dll c:\windows\system32\_005759_.tmp.dll c:\windows\system32\_005760_.tmp.dll c:\windows\system32\_005761_.tmp.dll c:\windows\system32\_005762_.tmp.dll c:\windows\system32\_005763_.tmp.dll c:\windows\system32\_005764_.tmp.dll c:\windows\system32\_005765_.tmp.dll c:\windows\system32\_005766_.tmp.dll c:\windows\system32\_005768_.tmp.dll c:\windows\system32\_005769_.tmp.dll c:\windows\system32\_005770_.tmp.dll c:\windows\system32\_005771_.tmp.dll c:\windows\system32\_005772_.tmp.dll c:\windows\system32\_005773_.tmp.dll c:\windows\system32\_005774_.tmp.dll c:\windows\system32\_005775_.tmp.dll c:\windows\system32\_005777_.tmp.dll c:\windows\system32\_005778_.tmp.dll c:\windows\system32\_005779_.tmp.dll c:\windows\system32\_005780_.tmp.dll c:\windows\system32\_005783_.tmp.dll c:\windows\system32\_005784_.tmp.dll c:\windows\system32\_005788_.tmp.dll c:\windows\system32\_005789_.tmp.dll c:\windows\system32\_005791_.tmp.dll c:\windows\system32\_005793_.tmp.dll c:\windows\system32\_005794_.tmp.dll c:\windows\system32\_005796_.tmp.dll c:\windows\system32\_005797_.tmp.dll c:\windows\system32\_005798_.tmp.dll c:\windows\system32\_005799_.tmp.dll c:\windows\system32\_005802_.tmp.dll c:\windows\system32\_005803_.tmp.dll c:\windows\system32\_005804_.tmp.dll c:\windows\system32\_005805_.tmp.dll c:\windows\system32\_005806_.tmp.dll c:\windows\system32\_005811_.tmp.dll c:\windows\system32\_005813_.tmp.dll c:\windows\system32\_005814_.tmp.dll c:\windows\system32\_007888_.tmp.dll c:\windows\system32\_007889_.tmp.dll c:\windows\system32\_007890_.tmp.dll c:\windows\system32\_007891_.tmp.dll c:\windows\system32\_007898_.tmp.dll c:\windows\system32\_007899_.tmp.dll c:\windows\system32\_007900_.tmp.dll c:\windows\system32\_007901_.tmp.dll c:\windows\system32\_007903_.tmp.dll c:\windows\system32\_007904_.tmp.dll c:\windows\system32\_007907_.tmp.dll c:\windows\system32\_007908_.tmp.dll c:\windows\system32\_007910_.tmp.dll c:\windows\system32\_007911_.tmp.dll c:\windows\system32\_007912_.tmp.dll c:\windows\system32\_007914_.tmp.dll c:\windows\system32\_007916_.tmp.dll c:\windows\system32\_007917_.tmp.dll c:\windows\system32\_007918_.tmp.dll c:\windows\system32\_007922_.tmp.dll c:\windows\system32\_007923_.tmp.dll c:\windows\system32\_007925_.tmp.dll c:\windows\system32\_007927_.tmp.dll c:\windows\system32\_007928_.tmp.dll c:\windows\system32\_007930_.tmp.dll c:\windows\system32\_007931_.tmp.dll c:\windows\system32\_007932_.tmp.dll c:\windows\system32\_007933_.tmp.dll c:\windows\system32\_007934_.tmp.dll c:\windows\system32\_007937_.tmp.dll c:\windows\system32\_007938_.tmp.dll c:\windows\system32\_007939_.tmp.dll c:\windows\system32\_007940_.tmp.dll c:\windows\system32\_007941_.tmp.dll c:\windows\system32\_007946_.tmp.dll c:\windows\system32\_007948_.tmp.dll c:\windows\system32\_007949_.tmp.dll c:\windows\system32\jSrsDJlm.ini c:\windows\system32\tdmgawco.ini c:\windows\system32\utusdods.ini . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_MSASVC -------\Legacy_NPF -------\Legacy_VFILT -------\Service_MsaSvc

2008-11-16, 15:24	#10
Chocoa Junior Member Join Date: Nov 2008 Location: Near Bath UK Posts: 23	((((((((((((((((((((((((( Files Created from 2008-10-15 to 2008-11-15 ))))))))))))))))))))))))))))))) . 2008-11-14 21:39 . 2007-10-05 16:41 1,040,561 --a------ c:\windows\system32\drivers\VBEngNT.sys 2008-11-14 21:39 . 2007-11-29 18:23 439,232 --a------ c:\windows\system32\drivers\SandBox.sys 2008-11-14 21:39 . 2007-12-03 13:40 199,696 --a------ c:\windows\system32\drivers\afw.sys 2008-11-14 21:39 . 2007-10-25 18:17 49 --a------ c:\windows\transp.gif 2008-11-14 20:32 . 2008-11-14 21:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2008-11-14 20:32 . 2008-11-14 20:32 <DIR> d-------- c:\documents and settings\Brian\Application Data\Malwarebytes 2008-11-14 20:32 . 2008-11-14 20:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2008-11-14 20:32 . 2008-11-14 20:32 1,538,702 ---hs---- c:\windows\system32\xvrnrndq.tmp 2008-11-14 20:32 . 2008-10-22 16:28 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2008-11-14 20:32 . 2008-10-22 16:28 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2008-11-14 20:31 . 2008-11-14 20:31 41,472 --a------ c:\windows\system32\enexyjyn.dll 2008-11-14 20:20 . 2008-11-14 20:20 41,472 --a------ c:\windows\system32\shrjuudl.dll 2008-11-14 17:19 . 2008-11-14 17:19 1,539,768 ---hs---- c:\windows\system32\tdysmgcj.tmp 2008-11-14 17:19 . 2008-11-14 17:19 41,472 --a------ c:\windows\system32\iaboaqno.dll 2008-11-14 17:04 . 2008-11-14 17:04 41,472 --a------ c:\windows\system32\bvkktexf.dll 2008-11-14 16:18 . 2008-11-14 16:18 41,472 --a------ c:\windows\system32\ttdpfvcl.dll 2008-11-14 15:45 . 2008-11-14 15:45 41,472 --a------ c:\windows\system32\cxxlhdrw.dll 2008-11-14 15:44 . 2008-11-14 15:44 1,537,512 ---hs---- c:\windows\system32\qellbbon.tmp 2008-11-14 15:44 . 2008-11-14 15:44 41,472 --a------ c:\windows\system32\lrbbcifa.dll 2008-11-14 15:12 . 2008-11-14 15:12 41,472 --a------ c:\windows\system32\biexovyf.dll 2008-11-14 12:41 . 2008-11-14 12:53 96,976 --a------ c:\windows\system32\drivers\klin.dat 2008-11-14 12:41 . 2008-11-14 12:41 87,855 --a------ c:\windows\system32\drivers\klick.dat 2008-11-14 12:40 . 2008-11-14 12:40 <DIR> d-------- c:\program files\Kaspersky Lab 2008-11-14 12:40 . 2008-11-14 21:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab 2008-11-14 12:40 . 2008-11-15 05:48 5,985,312 --ahs---- c:\windows\system32\drivers\fidbox.dat 2008-11-14 12:40 . 2008-11-15 05:51 1,015,840 --ahs---- c:\windows\system32\drivers\fidbox2.dat 2008-11-14 12:40 . 2008-11-15 05:48 48,888 --ahs---- c:\windows\system32\drivers\fidbox.idx 2008-11-14 12:40 . 2008-11-15 05:53 4,552 --ahs---- c:\windows\system32\drivers\fidbox2.idx 2008-11-14 12:39 . 2008-11-14 12:39 41,472 --a------ c:\windows\system32\ekiyxktf.dll 2008-11-14 12:22 . 2008-11-14 12:22 41,472 --a------ c:\windows\system32\wowjatdg.dll 2008-11-14 12:21 . 2008-11-14 12:21 41,472 --a------ c:\windows\system32\idexyswn.dll 2008-11-14 11:51 . 2008-11-14 11:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files 2008-11-14 08:33 . 2008-11-14 08:33 41,472 --a------ c:\windows\system32\raoevcbb.dll 2008-11-14 07:49 . 2008-11-14 07:49 <DIR> d-------- c:\program files\Trend Micro 2008-11-14 01:24 . 2008-11-14 21:42 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2008-11-14 01:24 . 2008-11-14 20:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2008-11-14 01:15 . 2008-11-14 01:15 85,504 --a------ c:\windows\system32\nmsbryqp.dll 2008-11-14 01:12 . 2008-11-14 01:12 85,504 --a------ c:\windows\system32\kusantsq.dll 2008-11-14 01:09 . 2008-11-14 01:09 85,504 --a------ c:\windows\system32\kncgswjb.dll 2008-11-13 14:07 . 2008-11-13 14:07 85,504 --a------ c:\windows\system32\ruffmgkg.dll 2008-11-13 11:27 . 2008-11-13 11:27 85,504 --a------ c:\windows\system32\qfrixqvo.dll 2008-11-13 10:47 . 2008-11-13 10:47 85,504 --a------ c:\windows\system32\vaecichb.dll 2008-11-12 07:10 . 2008-11-12 07:10 85,504 --a------ c:\windows\system32\lwqfikag.dll 2008-11-11 07:09 . 2008-11-11 07:09 85,504 --a------ c:\windows\system32\gidddmux.dll 2008-11-11 06:54 . 2007-02-01 16:50 110,128 -ra------ c:\windows\system32\drivers\SI3112r.sys 2008-11-11 06:54 . 2007-02-01 16:50 83,760 -ra------ c:\windows\system32\SilSupp.cpl 2008-11-11 06:54 . 2007-02-01 16:50 17,328 -ra------ c:\windows\system32\drivers\SiWinAcc.sys 2008-11-10 18:40 . 2008-11-10 18:40 85,504 --a------ c:\windows\system32\lrybjeym.dll 2008-11-10 18:32 . 2008-11-10 18:32 85,504 --a------ c:\windows\system32\wggangox.dll 2008-11-09 17:15 . 2008-11-14 16:01 <DIR> d--hs---- C:\USMT.TMP 2008-11-09 07:06 . 2000-03-17 09:07 11,136 --a------ c:\windows\system32\drivers\Softlok.sys 2008-11-09 07:06 . 2000-03-17 09:08 9,892 --a------ c:\windows\system32\mnxx.386 2008-11-08 21:14 . 2008-11-14 16:01 <DIR> d-------- c:\program files\AutoStreamer 2008-11-08 02:12 . 2008-11-08 02:12 1,905,517 --ahs---- c:\windows\system32\oamswgdi.tmp 2008-11-08 01:47 . 2008-04-14 05:42 354,304 --a------ c:\windows\system32\SET1EF4.tmp 2008-11-08 01:47 . 2008-04-14 05:40 177,152 --a------ c:\windows\system32\SET1F27.tmp 2008-11-08 01:47 . 2008-04-14 05:42 121,856 --a------ c:\windows\system32\SET1EEB.tmp 2008-11-08 01:47 . 2008-04-14 05:42 80,896 --a------ c:\windows\system32\SET1EEF.tmp 2008-11-08 01:47 . 2008-04-14 05:42 75,776 --a------ c:\windows\system32\SET1EFF.tmp 2008-11-08 01:47 . 2008-04-14 05:41 24,576 --a------ c:\windows\system32\SET1F4B.tmp 2008-11-08 01:47 . 2008-04-14 05:42 15,872 --a------ c:\windows\system32\SET1EF8.tmp 2008-11-08 01:46 . 2008-04-14 05:42 471,552 --a------ c:\windows\system32\SET14E2.tmp 2008-11-08 01:46 . 2008-04-14 05:41 95,744 --a------ c:\windows\system32\SET14E8.tmp 2008-11-08 01:42 . 2006-12-29 00:31 19,569 --a------ c:\windows\003854_.tmp 2008-11-08 01:40 . 2008-08-14 10:00 2,180,352 --a------ c:\windows\system32\ntoskrnl.exe 2008-11-08 01:24 . 2004-08-04 12:00 68,608 --a--c--- c:\windows\system32\dllcache\plugin.ocx 2008-11-07 19:09 . 2008-11-07 19:09 1,905,517 --ahs---- c:\windows\system32\idnywjyw.tmp 2008-11-07 18:38 . 2008-11-15 05:51 2,422 --a------ c:\windows\system32\wpa.dbl 2008-11-07 18:36 . 2008-11-15 05:48 31,056 --a------ c:\windows\system32\BMXStateBkp-{00000000-00000000-0000000A-00001102-00000004-20021102}.rfx 2008-11-07 18:36 . 2008-11-15 05:48 31,056 --a------ c:\windows\system32\BMXState-{00000000-00000000-0000000A-00001102-00000004-20021102}.rfx 2008-11-07 18:36 . 2008-11-15 05:48 30,528 --a------ c:\windows\system32\BMXCtrlState-{00000000-00000000-0000000A-00001102-00000004-20021102}.rfx 2008-11-07 18:36 . 2008-11-15 05:48 30,528 --a------ c:\windows\system32\BMXBkpCtrlState-{00000000-00000000-0000000A-00001102-00000004-20021102}.rfx 2008-11-07 18:36 . 2008-11-15 05:48 11,564 --a------ c:\windows\system32\DVCState-{00000000-00000000-0000000A-00001102-00000004-20021102}.rfx 2008-11-07 18:36 . 2008-11-15 05:48 1,080 --a------ c:\windows\system32\settingsbkup.sfm 2008-11-07 18:36 . 2008-11-15 05:48 1,080 --a------ c:\windows\system32\settings.sfm 2008-11-07 18:10 . 2008-11-07 18:10 101,045 --a------ C:\Image1.pspimage 2008-11-06 22:49 . 2008-11-07 18:25 <DIR> d-------- c:\documents and settings\Brian\Application Data\SupRip 2008-11-06 12:36 . 2008-11-06 12:36 20 --a------ C:\nodgen.ini 2008-11-06 11:34 . 2008-11-06 11:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET 2008-11-06 00:11 . 2008-04-14 05:42 354,304 --a------ c:\windows\system32\SET11BE.tmp 2008-11-06 00:11 . 2008-04-14 05:40 177,152 --a------ c:\windows\system32\SET11F1.tmp 2008-11-06 00:11 . 2008-04-14 05:42 121,856 --a------ c:\windows\system32\SET11B5.tmp 2008-11-06 00:11 . 2008-04-14 05:42 80,896 --a------ c:\windows\system32\SET11B9.tmp 2008-11-06 00:11 . 2008-04-14 05:42 75,776 --a------ c:\windows\system32\SET11C9.tmp 2008-11-06 00:11 . 2008-04-14 05:41 24,576 --a------ c:\windows\system32\SET1215.tmp 2008-11-06 00:11 . 2008-04-14 05:42 15,872 --a------ c:\windows\system32\SET11C2.tmp 2008-11-06 00:11 . 2008-04-14 05:42 6,656 --a------ c:\windows\system32\SET11B6.tmp 2008-11-06 00:09 . 2008-04-14 05:42 8,461,312 --a------ c:\windows\system32\SET2D7.tmp 2008-11-06 00:07 . 2006-12-29 00:31 19,569 --a------ c:\windows\003846_.tmp 2008-11-06 00:06 . 2004-08-03 23:00 71,040 --------- c:\windows\system32\drivers\_005674_.tmp.dll 2008-11-05 23:38 . 2008-04-14 05:42 354,304 --a------ c:\windows\system32\SET10D8.tmp 2008-11-05 23:38 . 2008-04-14 05:40 177,152 --a------ c:\windows\system32\SET110B.tmp 2008-11-05 23:38 . 2008-04-14 05:42 121,856 --a------ c:\windows\system32\SET10CF.tmp 2008-11-05 23:38 . 2008-04-14 05:42 80,896 --a------ c:\windows\system32\SET10D3.tmp 2008-11-05 23:38 . 2008-04-14 05:42 75,776 --a------ c:\windows\system32\SET10E3.tmp 2008-11-05 23:38 . 2008-04-14 05:41 24,576 --a------ c:\windows\system32\SET112F.tmp 2008-11-05 23:38 . 2008-04-14 05:42 15,872 --a------ c:\windows\system32\SET10DC.tmp 2008-11-05 23:38 . 2008-04-14 05:42 6,656 --a------ c:\windows\system32\SET10D0.tmp 2008-11-05 23:37 . 2008-04-14 05:42 471,552 --a------ c:\windows\system32\SET6C6.tmp 2008-11-05 23:37 . 2008-04-14 05:41 95,744 --a------ c:\windows\system32\SET6CC.tmp 2008-11-05 23:34 . 2006-12-29 00:31 19,569 --a------ c:\windows\003837_.tmp 2008-11-05 23:32 . 2004-08-03 23:00 71,040 --------- c:\windows\system32\drivers\_005666_.tmp.dll 2008-11-05 23:04 . 2008-04-14 05:41 1,267,200 --a------ c:\windows\system32\SET3FE.tmp 2008-11-05 23:01 . 2006-12-29 00:31 19,569 --a------ c:\windows\006044_.tmp 2008-11-05 22:59 . 2004-08-03 23:00 71,040 --------- c:\windows\system32\drivers\_005656_.tmp.dll 2008-11-03 05:50 . 2008-11-03 05:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ashampoo 2008-11-03 05:29 . 2008-11-03 05:49 <DIR> d-------- c:\program files\Ashampoo 2008-10-28 15:39 . 2008-11-14 16:01 <DIR> d-------- C:\spoolerlogs 2008-10-28 14:34 . 2008-11-14 16:01 <DIR> d-------- c:\program files\iPod 2008-10-28 14:34 . 2008-10-28 14:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2008-10-28 14:32 . 2008-10-28 14:32 <DIR> d-------- c:\program files\Common Files\Apple 2008-10-28 14:18 . 2008-10-28 14:18 <DIR> d-------- c:\program files\Amazon 2008-10-28 14:18 . 2008-10-28 14:18 <DIR> d-------- c:\documents and settings\Brian\Application Data\Amazon 2008-10-26 22:33 . 2008-10-26 22:33 <DIR> d-------- C:\Music 2008-10-23 03:27 . 2008-10-23 03:27 <DIR> d-------- c:\program files\Sky 2008-10-23 03:27 . 2008-11-14 16:01 <DIR> d-------- c:\program files\Kontiki 2008-10-23 02:48 . 2008-11-14 16:01 <DIR> d-------- c:\program files\Zattoo 2008-10-22 23:59 . 2008-11-14 21:43 <DIR> d-------- c:\program files\XP Repair Pro 2007 2008-10-22 23:40 . 2008-11-14 16:01 <DIR> d-------- c:\program files\XP Repair Pro 4.0 2008-10-22 15:07 . 2008-10-22 15:07 <DIR> d-------- c:\documents and settings\Brian\Application Data\Acronis 2008-10-22 14:59 . 2008-10-22 15:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Acronis 2008-10-22 14:59 . 2008-10-22 14:59 971,232 --a------ c:\windows\system32\drivers\tdrpm147.sys 2008-10-22 14:59 . 2008-10-22 14:59 540,000 --a------ c:\windows\system32\drivers\timntr.sys 2008-10-22 14:59 . 2008-10-22 14:59 134,272 --a------ c:\windows\system32\drivers\snman380.sys 2008-10-22 14:59 . 2008-10-22 14:59 44,704 --a------ c:\windows\system32\drivers\tifsfilt.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-11-15 05:42 --------- d-----w c:\documents and settings\Brian\Application Data\Newsbin 2008-11-15 01:00 --------- d-----w c:\program files\ATI Multimedia 2008-11-14 22:48 --------- d-----w c:\program files\Mozilla Thunderbird 2008-11-14 21:45 --------- d-----w c:\documents and settings\Brian\Application Data\TeraCopy 2008-11-14 21:43 --------- d-----w c:\program files\XviD 2008-11-14 16:01 --------- d--h--w c:\program files\Zero G Registry 2008-11-14 14:59 --------- d-----w c:\documents and settings\Brian\Application Data\ImgBurn 2008-11-08 02:07 --------- d-----w c:\documents and settings\Brian\Application Data\IcoFX 2008-11-03 18:26 --------- d-----w c:\documents and settings\Brian\Application Data\Vso 2008-10-28 14:35 --------- d-----w c:\documents and settings\Brian\Application Data\Apple Computer 2008-10-23 03:41 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki 2008-10-18 01:03 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help 2008-10-12 10:59 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2008-09-24 06:07 --------- d-----w c:\documents and settings\Brian\Application Data\vlc 2008-03-01 22:25 47,360 ----a-w c:\documents and settings\Brian\Application Data\pcouffin.sys 2005-03-20 03:31 104 --sha-r c:\windows\system32\25C5867077.sys . Code: <pre> ----a-w 940,544 2007-08-13 22:01:02 c:\my programs\HD\Evo DEmux\EVOdemux 0627 b7 .exe </pre>

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode