PDA

View Full Version : Please Help Virtumonde, SECToolBar Fake Alerts Popups Removal



Ruinit
2007-11-10, 18:57
Hello,

I am having terrible trouble getting rid of these files and keeping them out. They keep coming back. I have run VundoFix, ComboFix, NOD32, Superspyware etc. Hijack this log follows. Thanks


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\LClock\LClock.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Jackedup.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGet Software\ReGet Deluxe 5.1\IEBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo RX620 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE /P31 "EPSON Stylus Photo RX620 Series" /O6 "USB001" /M "Stylus Photo RX620"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: CloCk.lnk = C:\Program Files\LClock\LClock.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185325685096
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185325659440
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: nwtppuwv - nwtppuwv.dll (file missing)
O20 - Winlogon Notify: unhuluaa - unhuluaa.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AllSync Scheduler Service (AllSyncService) - Michael Thummerer Software Design - C:\Program Files\AllSync\AllSync.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 14525 bytes

steamwiz
2007-11-10, 21:21
Hello,

I am having terrible trouble getting rid of these files and keeping them out. They keep coming back. I have run VundoFix, ComboFix, NOD32, Superspyware etc. Hijack this log follows. Thanks

---
Hi

Just a few orphan entries in your log ...



I have run VundoFix, ComboFix, NOD32, Superspyware etc.


Please post the following logs\reports

Vundofix
Combofix
Superantispyware

I also see you have run a Kaspersky on-line scan ... please post that as well

steam

Ruinit
2007-11-10, 22:43
Thank you for reply.

Kapersky takes for ever and locks up a lot because I have 300 gig hard drives :( Here is combofix and vundofix logs.


ComboFix 07-11-08.1 - Alan 2007-11-10 12:04:23.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.20.1033.18.2815 [GMT -5:00]
Running from: C:\Documents and Settings\Alan\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\Quarantine

.
((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 )))))))))))))))))))))))))))))))
.

2007-11-09 09:17 <DIR> d-------- C:\Program Files\iTunes
2007-11-09 09:17 <DIR> d-------- C:\Program Files\iPod
2007-11-08 15:09 <DIR> d-------- C:\Program Files\jv16 PowerTools 2007
2007-11-07 22:48 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-07 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-07 22:48 <DIR> d-------- C:\Documents and Settings\Alan\Application Data\SUPERAntiSpyware.com
2007-11-07 18:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sunbelt Software
2007-11-07 13:56 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-11-07 13:56 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-11-07 13:56 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-11-07 11:49 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-07 11:26 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-11-07 11:26 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-11-06 17:13 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-06 16:53 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-11-06 15:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-06 13:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-11-06 13:51 <DIR> d-------- C:\Documents and Settings\Alan\Application Data\Sunbelt Software
2007-11-06 13:51 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2007-11-06 13:49 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-11-06 13:07 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-11-06 12:37 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-11-06 12:37 <DIR> d-------- C:\WINDOWS\srchasst
2007-11-06 12:37 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-11-05 19:28 <DIR> d-------- C:\VundoFix Backups
2007-11-05 19:21 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-05 19:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-05 14:04 <DIR> d-------- C:\Documents and Settings\Alan\Application Data\ESET
2007-11-05 13:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2007-11-05 13:17 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-05 13:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-05 13:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-02 15:32 <DIR> d-------- C:\Program Files\Xvid
2007-11-02 12:52 <DIR> d-------- C:\Documents and Settings\Alan\Application Data\Nero
2007-11-02 12:49 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-11-02 12:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-10-11 13:10 <DIR> d-------- C:\Program Files\DAP
2007-10-11 13:10 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-09 14:15 --------- d-----w C:\Program Files\QuickTime
2007-11-08 20:14 --------- d-----w C:\Documents and Settings\Alan\Application Data\ReGet Software
2007-11-08 18:48 --------- d-----w C:\Program Files\FlashGet
2007-11-07 19:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-04 15:16 --------- d-----w C:\Program Files\Common Files\ReGet Shared
2007-11-02 17:49 --------- d-----w C:\Program Files\Nero
2007-11-02 17:41 --------- d-----w C:\Program Files\Common Files\Ahead
2007-10-17 22:26 --------- d-----w C:\Program Files\Java
2007-10-13 19:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-10 07:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-05 19:36 --------- d-----w C:\Program Files\Trillian
2007-09-29 20:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\AllSync
2007-09-29 20:26 --------- d-----w C:\Program Files\AllSync
2007-09-29 20:10 --------- d-----w C:\Program Files\eMule
2007-09-29 19:51 --------- d-----w C:\Program Files\Laplink
2007-09-29 18:29 --------- d-----w C:\Program Files\Beyond Compare 2
2007-09-29 18:28 --------- d-----w C:\Program Files\Simply Track
2007-09-29 18:28 --------- d-----w C:\Documents and Settings\Alan\Application Data\Scooter Software
2007-09-29 02:14 --------- d-----w C:\Program Files\UltraIso
2007-09-29 02:14 --------- d-----w C:\Program Files\ImgBurn
2007-09-24 13:05 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
2007-09-24 13:05 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
2007-09-20 13:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 13:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-09-20 13:55 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-09-19 15:49 --------- d-----w C:\Program Files\LimeWire
2007-09-14 16:12 --------- d-----w C:\Documents and Settings\Alan\Application Data\LimeWire
2007-09-13 19:25 --------- d-----w C:\Documents and Settings\Alan\Application Data\Notepad++
2007-09-13 19:24 --------- d-----w C:\Program Files\Notepad++
2007-09-12 17:32 --------- d-----w C:\Program Files\Apple Software Update
2007-08-27 16:26 27,120 ----a-w C:\WINDOWS\system32\SBBD.exe
2007-08-21 06:25 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-07_18.37.52.60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-01-31 20:11:00 685,120 ----a-w C:\WINDOWS\Downloaded Program Files\ppctl.dll
+ 2007-11-08 04:16:31 585,791 ----a-w C:\WINDOWS\gmer.dll
+ 2007-06-29 14:38:18 581,632 ----a-w C:\WINDOWS\gmer.exe
+ 2007-11-08 03:48:29 34,304 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF1.exe
+ 2007-11-08 03:48:29 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-11-09 14:17:39 102,400 ----a-r C:\WINDOWS\Installer\{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}\iTunesIco.exe
- 2007-07-27 19:17:26 34,308 ----a-w C:\WINDOWS\system32\BASSMOD.dll
+ 2007-11-08 20:10:18 9,728 ----a-w C:\WINDOWS\system32\BASSMOD.dll
+ 2007-11-08 04:16:31 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
+ 2007-10-31 19:09:14 30,464 -c--a-w C:\WINDOWS\system32\DRVSTORE\usbaapl_4351B7DAFF62FD33510D77DFAE3CF8CC82517571\usbaapl.sys
- 2007-09-28 05:19:39 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-09-28 03:19:40 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 05:26]
"nwiz"="nwiz.exe" [2007-04-19 05:26 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 05:26]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 09:05]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 14:46]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 08:40]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 16:47]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 17:22]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe" [2006-11-15 20:57]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe" [2006-11-14 09:55]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-11-14 09:53]
"SoundMan"="SOUNDMAN.EXE" [2003-10-08 04:41 C:\WINDOWS\SOUNDMAN.EXE]
"EPSON Stylus Photo RX620 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.exe" [2004-05-19 19:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"DownloadAccelerator"="C:\Program Files\DAP\DAP.exe" [2007-04-09 03:41]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 08:51]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-08-27 12:09]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-11-07 13:56]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 12:39]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-25 22:52]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\Documents and Settings\Alan\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 12:24:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
CloCk.lnk - C:\Program Files\LClock\LClock.exe [2007-07-24 22:25:09]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-06-10 03:09:14]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-06-06 03:10:02]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-07-24 15:58:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)
"NoResolveTrack"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)
"NoResolveTrack"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwtppuwv]
nwtppuwv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\unhuluaa]
unhuluaa.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys
R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 timounter;Acronis True Image Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
R2 tifsfilter;Acronis True Image FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
R3 SBAPIFS;SBAPIFS;\??\C:\WINDOWS\system32\drivers\sbapifs.sys
S2 AllSyncService;AllSync Scheduler Service;C:\Program Files\AllSync\AllSync.exe -NTD
S2 QuickBooksDB17;QuickBooksDB17;C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17
S3 FRIdrv;FRIdrv;C:\WINDOWS\system32\drivers\FRIdrv.sys

*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder
"2007-11-09 02:03:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-10 05:25:58 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-10 12:09:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-10 12:10:31
C:\ComboFix2.txt ... 2007-11-08 21:47
.
--- E O F ---


VundoFix V6.5.11

Checking Java version...

Scan started at 1:10:16 PM 11/8/2007

Listing files found while scanning....

No infected files were found.

steamwiz
2007-11-10, 23:31
Hi

Did you know these restrictions were enabled in the registry ?

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)
"NoResolveTrack"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)
"NoResolveTrack"=1 (0x1)

"NoSharedDocuments" speaks for itself ...

Here is some info on "NoResolveTrack"

http://www.microsoft.com.nsatc.net/technet/prodtechnol/windows2000serv/reskit/regentry/93176.mspx?mfr=true

The default value is NOT to have it enabled ...

In fact you don't need either of the keys ...

-
There is no sign of any "Virtumonde, SECToolBar, Fake Alerts Popups" malware ...

I will give to a script to drop into Combofix, to remove what there is, let me know if you want the registry restrictions removed as well ?

& post the logs\reports which show the malware you want removing ... including file names & locations (if you have them)

steam

Ruinit
2007-11-11, 00:33
Hmmmm,

How would those restrictions get like that? Yes fix that as well. There may be no Virtumonde in there because I ran all these things after cleaning it out again. The problem is they keep coming back?


Time Module Object Name Threat Action User Information
11/10/2007 11:48 AMON file C:\WINDOWS\system32\xfofenvx.dll Win32/Adware.SecToolbar application deleted Event occurred at an attempt to access the file by the application: C:\WINDOWS\system32\wbem\wmiprvse.exe.
11/10/2007 11:48 AMON file C:\WINDOWS\system32\iklsuues.dll Win32/Adware.SecToolbar application deleted Event occurred at an attempt to access the file by the application: C:\WINDOWS\system32\wbem\wmiprvse.exe.
11/10/2007 11:48 AMON file C:\WINDOWS\system32\genmgcex.dll Win32/Adware.Virtumonde application deleted Event occurred at an attempt to access the file by the application: C:\WINDOWS\system32\wbem\wmiprvse.exe.

Ruinit
2007-11-11, 18:02
Hi,

This is the latest Counterspy log also. This keeps showing up in registry also no matter how man times I run scans and delete them.

Scan History Details
Start Date: 11/11/2007 2:00:02 AM
End Date: 11/11/2007 3:34:12 AM
Total Time: 94 Min 10 Sec
Detected security risks

Bifrost Backdoor more information...
Details: Bifrost is an advanced remote administration tool that allows users to remotely control computers that are behind firewalls and routers.
Status: Deleted

Registry entries detected
HKEY_USERS\S-1-5-21-2025429265-1801674531-1417001333-1003\SOFTWARE\WGET

Ruinit
2007-11-11, 23:07
I ran this scan again after rebooting in safe mode. Everything seems to be ok I just don't know if this stuff will stay out.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/11/2007 at 12:30 PM

Application Version : 3.9.1008

Core Rules Database Version : 3342
Trace Rules Database Version: 1343

Scan type : Complete Scan
Total Scan Time : 00:55:33

Memory items scanned : 209
Memory threats detected : 0
Registry items scanned : 7774
Registry threats detected : 0
File items scanned : 35333
File threats detected : 3

Adware.Tracking Cookie
C:\Documents and Settings\Alan\Cookies\alan@msnportal.112.2o7[1].txt
C:\Documents and Settings\Alan\Cookies\alan@msnportalbeetoffice2007.112.2o7[1].txt
C:\Documents and Settings\Alan\Cookies\alan@atdmt[2].txt

steamwiz
2007-11-11, 23:23
HI

RE:

11/10/2007 11:48 AMON file C:\WINDOWS\system32\xfofenvx.dll Win32/Adware.SecToolbar application deleted Event occurred at an attempt to access the file by the application: C:\WINDOWS\system32\wbem\wmiprvse.exe.

forget the "an attempt to access the file by the application: C:\WINDOWS\system32\wbem\wmiprvse.exe." ... that's legit ...

these files :-

C:\WINDOWS\system32\xfofenvx.dll
C:\WINDOWS\system32\iklsuues.dll
C:\WINDOWS\system32\genmgcex.dll

are\were the malware ...

First ... do you have any more of these random named files in your system32 folder ? that you are aware of ? don't delete anything ... something which may look random may well be legit & needed ...

If you look back at the Combofix log, you will see a section ...

((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 )))))))))))))))))))))))))))))))

this should show any malware files created in the last 30 days ... your log shows none ...

I don't run Counterspy, so I don't know what your options are ... but if you can

next time you run a scan & it shows something like these :-

Time Module Object Name Threat Action User Information
11/10/2007 11:48 AMON file C:\WINDOWS\system32\xfofenvx.dll Win32/Adware.SecToolbar application deleted Event occurred at an attempt to access the file by the application: C:\WINDOWS\system32\wbem\wmiprvse.exe.
11/10/2007 11:48 AMON file C:\WINDOWS\system32\iklsuues.dll Win32/Adware.SecToolbar application deleted Event occurred at an attempt to access the file by the application: C:\WINDOWS\system32\wbem\wmiprvse.exe.
11/10/2007 11:48 AMON file C:\WINDOWS\system32\genmgcex.dll Win32/Adware.Virtumonde application deleted Event occurred at an attempt to access the file by the application: C:\WINDOWS\system32\wbem\wmiprvse.exe.

Don't let it delete any files .... run Combofix instead & let's see if it shows any newly created files ?

-
RE:

Bifrost Backdoor more information...
Details: Bifrost is an advanced remote administration tool that allows users to remotely control computers that are behind firewalls and routers.
Status: Deleted

Registry entries detected
HKEY_USERS\S-1-5-21-2025429265-1801674531-1417001333-1003\SOFTWARE\WGET

-
Have a look at this :-

http://vil.nai.com/vil/content/v_140646.htm

You don't have the run key or the service installed ...

see if you have these files :-

• %windir%\svchost.exe
Size: 1,280,709 bytes

• %windir%\plugin1.dat
Size: 51,733 bytes

• %windir%\system32\drivers\oreans32.sys

---
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word Folder:: is on the first line of the text file you save (no blank line above it, & no space in front of it)


Folder::
C:\VundoFix Backups

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=-
"NoResolveTrack"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=-
"NoResolveTrack"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwtppuwv]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\unhuluaa]


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

steam

Ruinit
2007-11-12, 01:37
Hello,

RE:

You don't have the run key or the service installed ...

see if you have these files :-

• %windir%\svchost.exe
Size: 1,280,709 bytes

• %windir%\plugin1.dat
Size: 51,733 bytes

• %windir%\system32\drivers\oreans32.sys

None of this appears to be in my computer. Also I have looked at the system32 files and they appear to be normal but I am not really clear on what is supposed to be in there and what is not :( Logs follow.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:34, on 2007-11-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Trend Micro\HijackThis\Jackedup.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\findstr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGet Software\ReGet Deluxe 5.1\IEBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo RX620 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.EXE /P31 "EPSON Stylus Photo RX620 Series" /O6 "USB001" /M "Stylus Photo RX620"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: CloCk.lnk = C:\Program Files\LClock\LClock.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185325685096
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185325659440
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: nwtppuwv - nwtppuwv.dll (file missing)
O20 - Winlogon Notify: unhuluaa - unhuluaa.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AllSync Scheduler Service (AllSyncService) - Michael Thummerer Software Design - C:\Program Files\AllSync\AllSync.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 14645 bytes

Ruinit
2007-11-12, 01:38
ComboFix 07-11-08.1 - Alan 2007-11-11 18:33:13.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.20.1033.18.2965 [GMT -5:00]
Running from: C:\Documents and Settings\Alan\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.

2007-11-11 16:12 34,360 --a------ C:\WINDOWS\system32\drivers\sbapifs.sys
2007-11-09 09:17 <DIR> d-------- C:\Program Files\iTunes
2007-11-09 09:17 <DIR> d-------- C:\Program Files\iPod
2007-11-08 15:09 <DIR> d-------- C:\Program Files\jv16 PowerTools 2007
2007-11-07 22:48 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-07 22:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-07 22:48 <DIR> d-------- C:\Documents and Settings\Alan\Application Data\SUPERAntiSpyware.com
2007-11-07 18:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sunbelt Software
2007-11-07 13:56 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-11-07 13:56 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-11-07 13:56 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-11-07 11:49 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-07 11:26 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-11-07 11:26 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-11-06 17:13 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-06 16:53 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-11-06 15:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-06 13:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-11-06 13:51 <DIR> d-------- C:\Documents and Settings\Alan\Application Data\Sunbelt Software
2007-11-06 13:51 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2007-11-06 13:49 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-11-06 13:07 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-11-06 12:37 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-11-06 12:37 <DIR> d-------- C:\WINDOWS\srchasst
2007-11-06 12:37 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-11-05 19:28 <DIR> d-------- C:\VundoFix Backups
2007-11-05 19:21 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-05 19:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-05 14:04 <DIR> d-------- C:\Documents and Settings\Alan\Application Data\ESET
2007-11-05 13:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2007-11-05 13:17 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-05 13:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-05 13:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-02 12:52 <DIR> d-------- C:\Documents and Settings\Alan\Application Data\Nero
2007-11-02 12:49 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-11-02 12:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-10-11 13:10 <DIR> d-------- C:\Program Files\DAP
2007-10-11 13:10 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-10 18:18 --------- d-----w C:\Documents and Settings\Alan\Application Data\ReGet Software
2007-11-09 14:15 --------- d-----w C:\Program Files\QuickTime
2007-11-08 18:48 --------- d-----w C:\Program Files\FlashGet
2007-11-07 19:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-04 15:16 --------- d-----w C:\Program Files\Common Files\ReGet Shared
2007-11-02 17:49 --------- d-----w C:\Program Files\Nero
2007-11-02 17:41 --------- d-----w C:\Program Files\Common Files\Ahead
2007-10-17 22:26 --------- d-----w C:\Program Files\Java
2007-10-13 19:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-10 07:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-05 19:36 --------- d-----w C:\Program Files\Trillian
2007-09-29 20:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\AllSync
2007-09-29 20:26 --------- d-----w C:\Program Files\AllSync
2007-09-29 20:10 --------- d-----w C:\Program Files\eMule
2007-09-29 19:51 --------- d-----w C:\Program Files\Laplink
2007-09-29 18:29 --------- d-----w C:\Program Files\Beyond Compare 2
2007-09-29 18:28 --------- d-----w C:\Program Files\Simply Track
2007-09-29 18:28 --------- d-----w C:\Documents and Settings\Alan\Application Data\Scooter Software
2007-09-29 02:14 --------- d-----w C:\Program Files\UltraIso
2007-09-29 02:14 --------- d-----w C:\Program Files\ImgBurn
2007-09-24 13:05 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
2007-09-24 13:05 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
2007-09-20 13:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 13:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-09-20 13:55 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-09-19 15:49 --------- d-----w C:\Program Files\LimeWire
2007-09-14 16:12 --------- d-----w C:\Documents and Settings\Alan\Application Data\LimeWire
2007-09-13 19:25 --------- d-----w C:\Documents and Settings\Alan\Application Data\Notepad++
2007-09-13 19:24 --------- d-----w C:\Program Files\Notepad++
2007-09-12 17:32 --------- d-----w C:\Program Files\Apple Software Update
2007-08-27 16:26 27,120 ----a-w C:\WINDOWS\system32\SBBD.exe
2007-08-21 06:25 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-07_18.37.52.60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-01-31 20:11:00 685,120 ----a-w C:\WINDOWS\Downloaded Program Files\ppctl.dll
+ 2007-11-08 04:16:31 585,791 ----a-w C:\WINDOWS\gmer.dll
+ 2007-06-29 14:38:18 581,632 ----a-w C:\WINDOWS\gmer.exe
+ 2007-11-08 03:48:29 34,304 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF1.exe
+ 2007-11-08 03:48:29 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-11-09 14:17:39 102,400 ----a-r C:\WINDOWS\Installer\{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}\iTunesIco.exe
- 2007-07-27 19:17:26 34,308 ----a-w C:\WINDOWS\system32\BASSMOD.dll
+ 2007-11-08 20:10:18 9,728 ----a-w C:\WINDOWS\system32\BASSMOD.dll
+ 2007-11-08 04:16:31 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
+ 2007-10-31 19:09:14 30,464 -c--a-w C:\WINDOWS\system32\DRVSTORE\usbaapl_4351B7DAFF62FD33510D77DFAE3CF8CC82517571\usbaapl.sys
- 2007-09-28 05:19:39 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-09-28 03:19:40 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 05:26]
"nwiz"="nwiz.exe" [2007-04-19 05:26 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 05:26]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 09:05]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 14:46]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 08:40]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 16:47]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 17:22]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe" [2006-11-15 20:57]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe" [2006-11-14 09:55]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-11-14 09:53]
"SoundMan"="SOUNDMAN.EXE" [2003-10-08 04:41 C:\WINDOWS\SOUNDMAN.EXE]
"EPSON Stylus Photo RX620 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9HA.exe" [2004-05-19 19:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"DownloadAccelerator"="C:\Program Files\DAP\DAP.exe" [2007-04-09 03:41]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 08:51]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-08-27 12:09]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-11-07 13:56]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 12:39]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-25 22:52]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\Documents and Settings\Alan\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 12:24:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
CloCk.lnk - C:\Program Files\LClock\LClock.exe [2007-07-24 22:25:09]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-06-10 03:09:14]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-06-06 03:10:02]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-07-24 15:58:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwtppuwv]
nwtppuwv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\unhuluaa]
unhuluaa.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys
R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 timounter;Acronis True Image Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
R2 tifsfilter;Acronis True Image FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
S2 AllSyncService;AllSync Scheduler Service;C:\Program Files\AllSync\AllSync.exe -NTD
S2 QuickBooksDB17;QuickBooksDB17;C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17
S3 FRIdrv;FRIdrv;C:\WINDOWS\system32\drivers\FRIdrv.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-09 02:03:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-11 13:00:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 18:34:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-11 18:34:53
C:\ComboFix2.txt ... 2007-11-10 12:10
.
--- E O F ---

steamwiz
2007-11-12, 20:09
Hi

Well we have mixed results from Combofix ... no new malware showing ...

The restrictions in the registry are no longer showing, but other keys which should have been removed with the script are still there .. + the log does not show that the script has been run ...

We'll remove the registry keys with hijackthis this time ...

Disconnect from the internet Close ALL browser windows (including this one) - run hijackthis and tick to fix (check the box next to) the list below.........when all are ticked (checked) click the Fix Checked button at the bottom. :-

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O20 - Winlogon Notify: nwtppuwv - nwtppuwv.dll (file missing)
O20 - Winlogon Notify: unhuluaa - unhuluaa.dll (file missing)


steam

tashi
2007-11-25, 05:21
This topic has been archived due to inactivity.

If you need it re-opened, please send me a private message (pm) and provide a link to the closed topic.
Applies only to the original poster, anyone else with similar problems please start a new thread.

Thank you steamwiz.