PDA

View Full Version : HELP! Virtumonde, virtumonde.generic, poss others


Jollyjedi
2007-11-16, 20:29
Hi, followed instructions in 'before you post'. Tried all my spyware/malware/S+D/antivirus, but it keeps coming back, and trying to load web pages etc. The kaspersky log is so long I can't load it in, but here's the HJT log: please, please help me get rid of this!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:06:09, on 16/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\service.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.testandvote.com/tests.php?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\mojhosap.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MDNS] C:\WINDOWS\system32\service.exe
O4 - HKLM\..\Run: [c40f3146] rundll32.exe "C:\WINDOWS\system32\ofiiyqad.dll",b
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Shortcut to ashDisp.lnk = C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Search - ?p=ZJxdm025YYGB
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?ca1c9f3b0e8243ed909ae67f686c3183
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?ca1c9f3b0e8243ed909ae67f686c3183
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: PokerTime Poker - {7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79} - C:\Microgaming\Poker\pokertimeMPP\MPPoker.exe
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra 'Tools' menuitem: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Poker\Noble Poker\casino.exe
O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Poker\Noble Poker\casino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: CarbonPoker - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Documents and Settings\Jules\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185658521515
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-bd41dc8beecaaa9e.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_665/webolr/OCX/FlashAX.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00660E.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9644 bytes
Jollyjedi
2007-11-17, 13:57
Please please help :sick:
steamwiz
2007-11-18, 01:06
Hi

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
1. Double-click VundoFix.exe to run it.
2. When VundoFix re-opens, click the Scan for Vundo button.
3. Once it's done scanning, click the Remove Vundo button.
4. You will receive a prompt asking if you want to remove the files, click "YES".
5. Once you click yes, your desktop will go blank as it starts removing Vundo.
6. When completed, it will prompt that it will reboot your computer, click "OK".

7. Please post the contents of C:\vundofix.txt

If vundofix cannot delete a file, it will try to delete it during a reboot, after the reboot vundofix will open again, you must run vundofix again, from "Click the Scan for Vundo button" ... and you must keep running vundofix until it does delete the file... I've known a stubborn vundo file take 5 or 6 reboots before it is deleted...

Keep running vundofix untill it gives you the message "no infected files were found"


THEN ...

Download Superantispyware.

http://www.superantispyware.com/

Once downloaded and installed update the definitions
and then run a full system scan quarantine what it finds!

* Double-click SUPERAntiSypware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

THEN ...

Please download Combofix: http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
and save to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.

Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Please remember to post :-

1. C:\vundofix.txt
2. SUPERAntiSpyware Scan Log
3. C:\ComboFix.txt
4. a new hijackthis log.( run after everything else)

steam
Jollyjedi
2007-11-18, 23:03
Thanks for that. Here's all the logs. I had already ran a combofix before your reply, but followed everything through as requested. Just hope I'm clean............


VundoFix V6.6.2

Checking Java version...

Scan started at 00:37:43 18/11/2007

Listing files found while scanning....

C:\windows\system32\jryhigtj.dll

Beginning removal...

Attempting to delete C:\windows\system32\jryhigtj.dll
C:\windows\system32\jryhigtj.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Scan started at 19:34:45 18/11/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/18/2007 at 09:36 PM

Application Version : 3.9.1008

Core Rules Database Version : 3346
Trace Rules Database Version: 1347

Scan type : Complete Scan
Total Scan Time : 01:43:43

Memory items scanned : 393
Memory threats detected : 2
Registry items scanned : 6094
Registry threats detected : 5
File items scanned : 103580
File threats detected : 134

Adware.Vundo-Variant/Small-A
C:\WINDOWS\SYSTEM32\HABNSDUM.DLL
C:\WINDOWS\SYSTEM32\HABNSDUM.DLL
HKLM\Software\Classes\CLSID\{8a89fc8a-87de-44af-bc07-4e7d51ed6e8d}
HKCR\CLSID\{8A89FC8A-87DE-44AF-BC07-4E7D51ED6E8D}
HKCR\CLSID\{8A89FC8A-87DE-44AF-BC07-4E7D51ED6E8D}\InprocServer32
HKCR\CLSID\{8A89FC8A-87DE-44AF-BC07-4E7D51ED6E8D}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8a89fc8a-87de-44af-bc07-4e7d51ed6e8d}
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FFB3B03B-1D43-4A34-A969-BA18587033B8}\RP107\A0025283.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FFB3B03B-1D43-4A34-A969-BA18587033B8}\RP107\A0025284.DLL
C:\WINDOWS\SYSTEM32\RBNBEART.DLL

Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\TVGAGLQM.DLL
C:\WINDOWS\SYSTEM32\TVGAGLQM.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Jules\Cookies\jules@msnservices.112.2o7[1].txt
C:\Documents and Settings\Jules\Cookies\jules@brightcove.112.2o7[2].txt
C:\Documents and Settings\Jules\Cookies\jules@partypoker[1].txt
C:\Documents and Settings\Jules\Cookies\jules@ads.monster[1].txt
C:\Documents and Settings\Jules\Cookies\jules@reduxads.valuead[1].txt
C:\Documents and Settings\Jules\Cookies\jules@msnportal.112.2o7[1].txt
C:\Documents and Settings\Jules\Cookies\jules@ad.uk.tangozebra[2].txt
C:\Documents and Settings\Jules\Cookies\jules@hornymatches[2].txt
C:\Documents and Settings\Jules\Cookies\jules@server.lon.liveperson[3].txt
C:\Documents and Settings\Jules\Cookies\jules@atdmt[3].txt
C:\Documents and Settings\Jules\Cookies\jules@www.googleadservices[1].txt
C:\Documents and Settings\Jules\Cookies\jules@2o7[1].txt
C:\Documents and Settings\Jules\Cookies\jules@server.lon.liveperson[2].txt
C:\Documents and Settings\Jules\Cookies\jules@ads.realtechnetwork[2].txt
C:\Documents and Settings\Jules\Cookies\jules@mediatraffic[1].txt
C:\Documents and Settings\Jules\Cookies\jules@ad.zanox[1].txt
C:\Documents and Settings\Jules\Cookies\jules@www.levelclick[2].txt
C:\Documents and Settings\Jules\Cookies\jules@interclick[2].txt
C:\Documents and Settings\Jules\Cookies\jules@click.medianetworksinc[2].txt
C:\Documents and Settings\Jules\Cookies\jules@ads.pointroll[2].txt
C:\Documents and Settings\Jules\Cookies\jules@rotator.its.adjuggler[2].txt
C:\Documents and Settings\Jules\Cookies\jules@precisionclick[1].txt
C:\Documents and Settings\Bethan\Cookies\bethan@4.adbrite[1].txt
C:\Documents and Settings\Bethan\Cookies\bethan@ad.yieldmanager[1].txt
C:\Documents and Settings\Bethan\Cookies\bethan@ad.zanox[1].txt
C:\Documents and Settings\Bethan\Cookies\bethan@adbrite[2].txt
C:\Documents and Settings\Bethan\Cookies\bethan@adopt.euroclick[2].txt
C:\Documents and Settings\Bethan\Cookies\bethan@adopt.euroclick[3].txt
C:\Documents and Settings\Bethan\Cookies\bethan@adrevenue[2].txt
C:\Documents and Settings\Bethan\Cookies\bethan@atdmt[2].txt
C:\Documents and Settings\Bethan\Cookies\bethan@brightcove.112.2o7[1].txt
C:\Documents and Settings\Bethan\Cookies\bethan@bs.serving-sys[2].txt
C:\Documents and Settings\Bethan\Cookies\bethan@burstnet[2].txt
C:\Documents and Settings\Bethan\Cookies\bethan@ehg-dig.hitbox[2].txt
C:\Documents and Settings\Bethan\Cookies\bethan@fastclick[1].txt
C:\Documents and Settings\Bethan\Cookies\bethan@hitbox[2].txt
C:\Documents and Settings\Bethan\Cookies\bethan@hitbox[3].txt
C:\Documents and Settings\Bethan\Cookies\bethan@interclick[2].txt
C:\Documents and Settings\Bethan\Cookies\bethan@login.tracking101[1].txt
C:\Documents and Settings\Bethan\Cookies\bethan@mediaplex[1].txt
C:\Documents and Settings\Bethan\Cookies\bethan@msnportal.112.2o7[1].txt
C:\Documents and Settings\Bethan\Cookies\bethan@rotator.its.adjuggler[1].txt
C:\Documents and Settings\Bethan\Cookies\bethan@serving-sys[2].txt
C:\Documents and Settings\Bethan\Cookies\bethan@tradedoubler[2].txt
C:\Documents and Settings\Bethan\Cookies\bethan@www.burstnet[1].txt
C:\Documents and Settings\Bethan\Cookies\bethan@zedo[1].txt
C:\Documents and Settings\Family\Cookies\family@2o7[2].txt
C:\Documents and Settings\Family\Cookies\family@a.websponsors[1].txt
C:\Documents and Settings\Family\Cookies\family@ad.theadhost[2].txt
C:\Documents and Settings\Family\Cookies\family@ad.uk.tangozebra[1].txt
C:\Documents and Settings\Family\Cookies\family@ad.yieldmanager[1].txt
C:\Documents and Settings\Family\Cookies\family@ad.yieldmanager[2].txt
C:\Documents and Settings\Family\Cookies\family@ad.yieldmanager[3].txt
C:\Documents and Settings\Family\Cookies\family@ad.yieldmanager[4].txt
C:\Documents and Settings\Family\Cookies\family@ad.zanox[1].txt
C:\Documents and Settings\Family\Cookies\family@adecn[1].txt
C:\Documents and Settings\Family\Cookies\family@adopt.euroclick[2].txt
C:\Documents and Settings\Family\Cookies\family@adopt.euroclick[3].txt
C:\Documents and Settings\Family\Cookies\family@adrevenue[1].txt
C:\Documents and Settings\Family\Cookies\family@ads.glispa[2].txt
C:\Documents and Settings\Family\Cookies\family@ads.pointroll[2].txt
C:\Documents and Settings\Family\Cookies\family@adtech[2].txt
C:\Documents and Settings\Family\Cookies\family@atdmt[1].txt
C:\Documents and Settings\Family\Cookies\family@bluestreak[2].txt
C:\Documents and Settings\Family\Cookies\family@brightcove.112.2o7[1].txt
C:\Documents and Settings\Family\Cookies\family@bs.serving-sys[1].txt
C:\Documents and Settings\Family\Cookies\family@bs.serving-sys[2].txt
C:\Documents and Settings\Family\Cookies\family@doubleclick[2].txt
C:\Documents and Settings\Family\Cookies\family@doubleclick[3].txt
C:\Documents and Settings\Family\Cookies\family@drivecleaner[2].txt
C:\Documents and Settings\Family\Cookies\family@fastclick[2].txt
C:\Documents and Settings\Family\Cookies\family@fastclick[3].txt
C:\Documents and Settings\Family\Cookies\family@fastclick[4].txt
C:\Documents and Settings\Family\Cookies\family@i.screensavers[1].txt
C:\Documents and Settings\Family\Cookies\family@imrworldwide[2].txt
C:\Documents and Settings\Family\Cookies\family@login.tracking101[2].txt
C:\Documents and Settings\Family\Cookies\family@media.adrevolver[1].txt
C:\Documents and Settings\Family\Cookies\family@media.adrevolver[2].txt
C:\Documents and Settings\Family\Cookies\family@mediaplex[1].txt
C:\Documents and Settings\Family\Cookies\family@mediaplex[2].txt
C:\Documents and Settings\Family\Cookies\family@msnaccountservices.112.2o7[1].txt
C:\Documents and Settings\Family\Cookies\family@msnportal.112.2o7[1].txt
C:\Documents and Settings\Family\Cookies\family@mywebsearch[1].txt
C:\Documents and Settings\Family\Cookies\family@ontracks.co[2].txt
C:\Documents and Settings\Family\Cookies\family@optimost[1].txt
C:\Documents and Settings\Family\Cookies\family@overture[1].txt
C:\Documents and Settings\Family\Cookies\family@overture[2].txt
C:\Documents and Settings\Family\Cookies\family@precisionclick[2].txt
C:\Documents and Settings\Family\Cookies\family@questionmarket[2].txt
C:\Documents and Settings\Family\Cookies\family@questionmarket[3].txt
C:\Documents and Settings\Family\Cookies\family@revenue[2].txt
C:\Documents and Settings\Family\Cookies\family@screensavers[1].txt
C:\Documents and Settings\Family\Cookies\family@serving-sys[1].txt
C:\Documents and Settings\Family\Cookies\family@smileycentral[2].txt
C:\Documents and Settings\Family\Cookies\family@stats.drivecleaner[2].txt
C:\Documents and Settings\Family\Cookies\family@statse.webtrendslive[2].txt
C:\Documents and Settings\Family\Cookies\family@tracking.summitmedia.co[1].txt
C:\Documents and Settings\Family\Cookies\family@tradedoubler[1].txt
C:\Documents and Settings\Family\Cookies\family@tribalfusion[1].txt
C:\Documents and Settings\Family\Cookies\family@videoegg.adbureau[1].txt
C:\Documents and Settings\Family\Cookies\family@videoegg.adbureau[2].txt
C:\Documents and Settings\Family\Cookies\family@winantivirus[1].txt
C:\Documents and Settings\Family\Cookies\family@www.clash-media[2].txt
C:\Documents and Settings\Family\Cookies\family@www.googleadservices[1].txt
C:\Documents and Settings\Family\Cookies\family@www.screensavers[1].txt
C:\Documents and Settings\Family\Cookies\family@zedo[1].txt
C:\Documents and Settings\Jules\Cookies\jules@atdmt[1].txt

Adware.Casino Games (Golden Palace Casino)
C:\BINGO\BLACKPOOL BINGO\CASINO.EXE
C:\POKER\BETFRED POKER\CASINO.EXE
C:\POKER\NOBLE POKER\CASINO.EXE
C:\POKER\POKER CARDOZA\CASINO.EXE
C:\POKER\TITAN POKER\CASINO.EXE
C:\WINDOWS\Prefetch\CASINO.EXE-0EF56507.pf

Adware.Mirar/NetNucleus
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WINNB58.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FFB3B03B-1D43-4A34-A969-BA18587033B8}\RP108\A0025444.DLL

Adware.webHancer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FFB3B03B-1D43-4A34-A969-BA18587033B8}\RP103\A0021103.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FFB3B03B-1D43-4A34-A969-BA18587033B8}\RP103\A0021106.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FFB3B03B-1D43-4A34-A969-BA18587033B8}\RP96\A0015155.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FFB3B03B-1D43-4A34-A969-BA18587033B8}\RP96\A0015195.EXE

Trojan.Downloader-Gen/BundleBase
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FFB3B03B-1D43-4A34-A969-BA18587033B8}\RP107\A0024086.EXE

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FFB3B03B-1D43-4A34-A969-BA18587033B8}\RP107\A0025410.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FFB3B03B-1D43-4A34-A969-BA18587033B8}\RP108\A0025454.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FFB3B03B-1D43-4A34-A969-BA18587033B8}\RP108\A0025458.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FFB3B03B-1D43-4A34-A969-BA18587033B8}\RP110\A0026642.DLL

Trojan.Downloader-Gen/FotoMoto
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FFB3B03B-1D43-4A34-A969-BA18587033B8}\RP108\A0025441.DLL

Trojan.TrafficNinjaBiz
C:\SYSTEM VOLUME INFORMATION\_RESTORE{FFB3B03B-1D43-4A34-A969-BA18587033B8}\RP96\A0015196.DLL

Adware.Vundo-Variant/Small
C:\WINDOWS\SYSTEM32\EFCBYAX.DLL
C:\WINDOWS\SYSTEM32\TUVUURS.DLL

Adware.AdRotator/RightOnz
C:\WINDOWS\SYSTEM32\GZMROTATE.DLL
Jollyjedi
2007-11-18, 23:05
ComboFix 07-11-08.1 - Jules 2007-11-18 21:49:19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.527 [GMT 0:00]
Running from: C:\Documents and Settings\Jules\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-18 to 2007-11-18 )))))))))))))))))))))))))))))))
.

2007-11-18 19:44 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-18 19:44 <DIR> d-------- C:\Documents and Settings\Jules\Application Data\SUPERAntiSpyware.com
2007-11-18 19:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-18 00:37 <DIR> d-------- C:\VundoFix Backups
2007-11-17 15:55 <DIR> d-------- C:\Program Files\Sun
2007-11-17 13:51 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-16 19:04 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-16 16:45 30,760 --a------ C:\WINDOWS\system32\tfwmxgwc.exe
2007-11-16 14:54 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-16 14:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-16 13:34 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-11-16 09:48 <DIR> d-------- C:\Documents and Settings\Jules\Application Data\MailFrontier
2007-11-16 09:45 3,242,016 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-16 09:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-16 09:42 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-11-16 09:42 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-11-16 09:42 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-11-15 12:34 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-15 12:31 <DIR> d-------- C:\WINDOWS\system32\re3
2007-11-15 12:31 120 --a------ C:\n.bat
2007-11-15 12:31 0 --a------ C:\z.dat
2007-11-15 12:31 0 --a------ C:\x.dat
2007-11-15 12:30 <DIR> d-------- C:\WINDOWS\system32\rMa18yy
2007-11-15 12:30 <DIR> d-------- C:\temp\abW9
2007-11-13 20:46 <DIR> d-------- C:\Program Files\D-Tools
2007-11-13 20:46 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2007-11-13 20:46 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2007-11-12 18:48 16,963 --a------ C:\WINDOWS\system32\drivers\gizmodrv.sys
2007-11-08 06:58 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Leadertech
2007-11-05 12:35 65,024 --a------ C:\WINDOWS\system32\spads.dll
2007-11-05 11:54 <DIR> d-------- C:\Program Files\PKR
2007-10-31 19:37 <DIR> d-------- C:\Documents and Settings\Jules\Application Data\DAEMON Tools Pro
2007-10-31 19:21 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-10-29 15:28 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-10-29 15:28 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-10-29 15:28 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-10-29 15:28 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-10-29 15:28 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-10-29 15:28 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-10-29 15:28 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-10-29 15:28 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-10-25 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Recisio
2007-10-23 10:32 <DIR> d-------- C:\Program Files\Hasbro Interactive
2007-10-23 10:32 45,568 --a------ C:\WINDOWS\UniFish3.exe
2007-10-20 14:22 40,733 --a------ C:\WINDOWS\system32\rightonadz-uninst.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-18 21:42 38,924 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-18 19:44 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-18 19:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-18 15:36 --------- d-----w C:\Program Files\CarbonPoker
2007-11-18 11:23 --------- d-----w C:\Documents and Settings\Jules\Application Data\Microgaming
2007-11-17 17:25 --------- d-----w C:\Program Files\EA GAMES
2007-11-17 15:55 --------- d-----w C:\Program Files\Java
2007-11-17 12:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-16 10:50 --------- d-----w C:\Program Files\Morpheus
2007-11-16 09:47 --------- d-----w C:\Program Files\MSN Messenger
2007-11-15 23:57 --------- d-----w C:\Program Files\e-texaspoker client
2007-11-13 09:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-11-11 13:36 --------- d-----w C:\Program Files\Fish Tycoon
2007-11-10 13:41 --------- d-----w C:\Program Files\PokerStars
2007-10-29 00:29 --------- d-----w C:\Program Files\SunPoker.com
2007-10-25 19:33 --------- d-----w C:\Program Files\KaraFun
2007-10-25 17:13 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-25 17:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-25 17:05 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-25 17:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-25 17:01 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-25 16:58 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-25 16:24 815,480 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-10-25 16:14 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-10-25 13:15 --------- d-----w C:\Program Files\NCH Software
2007-10-25 13:14 --------- d-----w C:\Program Files\NCH Swift Sound
2007-10-25 12:54 --------- d-----w C:\Program Files\Picasa2
2007-10-25 12:34 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2007-10-23 20:14 --------- d-----w C:\Program Files\PartyGaming
2007-10-17 17:23 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe
2007-10-10 14:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bluetooth
2007-10-10 14:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-10 14:16 --------- d-----w C:\Program Files\IVT Corporation
2007-10-08 13:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-08 13:33 --------- d-----w C:\Program Files\Yahoo!
2007-10-01 22:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-09-30 22:49 --------- d-----w C:\Program Files\SimCity 4 Deluxe
2007-09-29 10:35 1,146,766 ----a-w C:\WINDOWS\SCTUninstaller.exe
2007-09-29 10:34 --------- d-----w C:\Program Files\Deep Silver
2007-09-29 01:16 --------- d-----w C:\Program Files\EvilLyrics
2007-09-28 10:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-28 09:32 --------- d-----w C:\Program Files\eBay
2007-09-28 09:31 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-22 15:23 --------- d-----w C:\Program Files\Lavasoft
2007-09-22 15:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-06 16:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-09-03 14:25 745,547 ----a-w C:\WINDOWS\system32\Magentic Screensaver.scr
2007-09-01 14:01 24,192 ----a-w C:\Documents and Settings\Jules\usbsermptxp.sys
2007-09-01 14:01 22,768 ----a-w C:\Documents and Settings\Jules\usbsermpt.sys
2007-08-29 15:32 49,152 ----a-r C:\WINDOWS\system32\inetwh32.dll
2007-08-29 15:32 1,044,480 ----a-r C:\WINDOWS\system32\roboex32.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-17_14.03.58.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-18 19:44:40 34,304 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF1.exe
+ 2007-11-18 19:44:40 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
- 2007-07-12 00:22:00 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-24 22:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-07-12 00:22:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-24 22:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-07-12 01:22:38 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-24 23:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2007-11-17 12:20:21 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-18 21:49:19 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-17 12:20:21 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-18 21:49:19 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-18 21:45:07 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_78c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D39A900-0F3A-4C29-A254-3E65244FDC34}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{786D13B5-D704-4F33-90B4-A6D2C10A4D3B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 14:57]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-12 05:19]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 05:03]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 05:03]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-10-25 12:34]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 00:13]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

C:\Documents and Settings\Jules\Start Menu\Programs\Startup\
Shortcut to ashDisp.lnk - C:\Program Files\Alwil Software\Avast4\ashDisp.exe [2007-07-28 20:05:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mojhosap]
mojhosap.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NaturalColorLoad.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NaturalColorLoad.lnk
backup=C:\WINDOWS\pss\NaturalColorLoad.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
C:\Program Files\IncrediMail\bin\IncMail.exe /c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X73 Button Manager]
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X73 Button Monitor]
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]
"C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
"C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

R1 GizmoDrv;Gizmo Virtual Drive Device Driver;C:\WINDOWS\system32\drivers\GizmoDrv.sys
R1 vcdrom;Virtual CD-ROM Device Driver;\??\C:\Documents and Settings\Jules\My Documents\Installers\VCdRom.sys
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\Setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-23 00:49:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-18 21:53:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-18 21:54:07
C:\ComboFix2.txt ... 2007-11-17 14:04
.
--- E O F ---
Jollyjedi
2007-11-18, 23:06
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:56:32, on 18/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bzzagent.co.uk/member/MemberHome.do
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {786D13B5-D704-4F33-90B4-A6D2C10A4D3B} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Shortcut to ashDisp.lnk = C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Search - ?p=ZJxdm025YYGB
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?ca1c9f3b0e8243ed909ae67f686c3183
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?ca1c9f3b0e8243ed909ae67f686c3183
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: PokerTime Poker - {7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79} - C:\Microgaming\Poker\pokertimeMPP\MPPoker.exe
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra 'Tools' menuitem: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Poker\Noble Poker\casino.exe
O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Poker\Noble Poker\casino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: CarbonPoker - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Documents and Settings\Jules\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185658521515
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-bd41dc8beecaaa9e.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_665/webolr/OCX/FlashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C56400E-6AFF-40A8-BA9F-9A14B0D88311}: NameServer = 212.139.132.4 212.139.132.5
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: mojhosap - mojhosap.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 12143 bytes


Fingers crossed :)
steamwiz
2007-11-19, 00:40
HI

Before you do anything, please post the scan report from the first run of Combofix ... C:\ComboFix2.txt

THEN ...

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)


File::
C:\WINDOWS\system32\tfwmxgwc.exe
C:\WINDOWS\system32\vbzip10.dll
C:\n.bat
C:\z.dat
C:\x.dat
C:\WINDOWS\system32\service.exe

Folder::
C:\WINDOWS\system32\re3
C:\WINDOWS\system32\rMa18yy
C:\temp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D39A900-0F3A-4C29-A254-3E65244FDC34}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{786D13B5-D704-4F33-90B4-A6D2C10A4D3B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mojhosap]




Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

There's still another couple of programs I want you to run ... later

steam
Jollyjedi
2007-11-19, 12:03
ok here's the result from 1st combofix run:


ComboFix 07-11-08.1 - Jules 2007-11-17 13:53:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.339 [GMT 0:00]
Running from: C:\Documents and Settings\Jules\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Bethan\Desktop\internet.lnk
C:\Documents and Settings\Family\Desktop\internet.lnk
C:\Documents and Settings\Jules\Desktop\internet.lnk
C:\Documents and Settings\Jules\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Jules\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Jules\Favorites\Online Security Guide.lnk
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\mojhosap.dllbox
C:\WINDOWS\system32\n5
C:\WINDOWS\system32\n5\bemwdll3.exe
C:\WINDOWS\system32\nse2B1.dll
C:\WINDOWS\system32\orutv.ini
C:\WINDOWS\system32\orutv.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\service.exe
C:\WINDOWS\system32\v2
C:\WINDOWS\system32\vturo.dll
C:\WINDOWS\system32\winnb58.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.

2007-11-17 13:51 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-17 11:15 82,496 --a------ C:\WINDOWS\system32\tvgaglqm.dll
2007-11-17 11:12 85,056 --a------ C:\WINDOWS\system32\habnsdum.dll
2007-11-17 10:15 82,496 --a------ C:\WINDOWS\system32\rbnbeart.dll
2007-11-16 19:04 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-16 16:45 30,760 --a------ C:\WINDOWS\system32\tfwmxgwc.exe
2007-11-16 14:54 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-16 14:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-16 13:34 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-11-16 09:48 <DIR> d-------- C:\Documents and Settings\Jules\Application Data\MailFrontier
2007-11-16 09:45 2,961,440 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-16 09:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-16 09:42 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-11-16 09:42 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-11-16 09:42 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2007-11-16 09:07 145,984 --a------ C:\WINDOWS\system32\jryhigtj.dll
2007-11-15 12:34 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-15 12:31 <DIR> d-------- C:\WINDOWS\system32\re3
2007-11-15 12:31 36,352 --a------ C:\WINDOWS\system32\tuvuurs.dll
2007-11-15 12:31 36,352 --a------ C:\WINDOWS\system32\efcbyax.dll
2007-11-15 12:31 120 --a------ C:\n.bat
2007-11-15 12:31 0 --a------ C:\z.dat
2007-11-15 12:31 0 --a------ C:\x.dat
2007-11-15 12:30 <DIR> d-------- C:\WINDOWS\system32\rMa18yy
2007-11-15 12:30 <DIR> d-------- C:\temp\abW9
2007-11-15 11:52 <DIR> d-------- C:\Program Files\ContextTool
2007-11-13 20:46 <DIR> d-------- C:\Program Files\D-Tools
2007-11-13 20:46 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2007-11-13 20:46 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2007-11-12 18:48 16,963 --a------ C:\WINDOWS\system32\drivers\gizmodrv.sys
2007-11-08 06:58 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Leadertech
2007-11-05 12:35 65,024 --a------ C:\WINDOWS\system32\spads.dll
2007-11-05 11:54 <DIR> d-------- C:\Program Files\PKR
2007-10-31 19:37 <DIR> d-------- C:\Documents and Settings\Jules\Application Data\DAEMON Tools Pro
2007-10-31 19:21 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-10-29 15:28 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-10-29 15:28 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-10-29 15:28 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-10-29 15:28 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-10-29 15:28 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-10-29 15:28 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-10-29 15:28 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-10-29 15:28 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-10-25 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Recisio
2007-10-23 12:37 46,592 --a------ C:\WINDOWS\system32\gzmrotate.dll
2007-10-23 10:32 <DIR> d-------- C:\Program Files\Hasbro Interactive
2007-10-23 10:32 45,568 --a------ C:\WINDOWS\UniFish3.exe
2007-10-20 14:22 40,733 --a------ C:\WINDOWS\system32\rightonadz-uninst.exe
2007-10-17 17:23 10,752 --a------ C:\WINDOWS\system32\WhoisCL.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 14:00 35,732 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-17 12:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-17 10:15 --------- d-----w C:\Program Files\CarbonPoker
2007-11-16 23:54 --------- d-----w C:\Documents and Settings\Jules\Application Data\Microgaming
2007-11-16 17:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-16 10:50 --------- d-----w C:\Program Files\Morpheus
2007-11-16 10:10 --------- d-----w C:\Program Files\EA GAMES
2007-11-16 09:47 --------- d-----w C:\Program Files\MSN Messenger
2007-11-15 23:57 --------- d-----w C:\Program Files\e-texaspoker client
2007-11-13 09:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-11-11 13:36 --------- d-----w C:\Program Files\Fish Tycoon
2007-11-10 13:41 --------- d-----w C:\Program Files\PokerStars
2007-10-29 00:29 --------- d-----w C:\Program Files\SunPoker.com
2007-10-25 19:33 --------- d-----w C:\Program Files\KaraFun
2007-10-25 17:13 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-25 17:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-25 17:05 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-25 17:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-25 17:01 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-25 16:58 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-25 13:15 --------- d-----w C:\Program Files\NCH Software
2007-10-25 13:14 --------- d-----w C:\Program Files\NCH Swift Sound
2007-10-25 12:54 --------- d-----w C:\Program Files\Picasa2
2007-10-23 20:14 --------- d-----w C:\Program Files\PartyGaming
2007-10-10 14:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bluetooth
2007-10-10 14:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-10 14:16 --------- d-----w C:\Program Files\IVT Corporation
2007-10-08 13:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-08 13:33 --------- d-----w C:\Program Files\Yahoo!
2007-10-01 22:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-09-30 22:49 --------- d-----w C:\Program Files\SimCity 4 Deluxe
2007-09-29 10:35 1,146,766 ----a-w C:\WINDOWS\SCTUninstaller.exe
2007-09-29 10:34 --------- d-----w C:\Program Files\Deep Silver
2007-09-29 01:16 --------- d-----w C:\Program Files\EvilLyrics
2007-09-28 10:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-28 09:32 --------- d-----w C:\Program Files\eBay
2007-09-28 09:31 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-22 15:23 --------- d-----w C:\Program Files\Lavasoft
2007-09-22 15:23 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-09-22 15:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-01 14:01 24,192 ----a-w C:\Documents and Settings\Jules\usbsermptxp.sys
2007-09-01 14:01 22,768 ----a-w C:\Documents and Settings\Jules\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D39A900-0F3A-4C29-A254-3E65244FDC34}]
2007-06-27 20:27 1044480 --a------ C:\Program Files\ContextTool\ContextTool-2.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{786D13B5-D704-4F33-90B4-A6D2C10A4D3B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8a89fc8a-87de-44af-bc07-4e7d51ed6e8d}]
2007-11-17 11:15 82496 --a------ C:\WINDOWS\system32\tvgaglqm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 14:57]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-12 05:19]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"c40f3146"="C:\WINDOWS\system32\habnsdum.dll" [2007-11-17 11:12]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-10-25 12:34]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 00:13]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingB2401"=command /c del "C:\WINDOWS\system32\mojhosap.dllbox"
"SpybotDeletingD3749"=cmd /c del "C:\WINDOWS\system32\mojhosap.dllbox"
"SpybotDeletingB5968"=command /c del "C:\WINDOWS\system32\mojhosap.dll_old"
"SpybotDeletingD2079"=cmd /c del "C:\WINDOWS\system32\mojhosap.dll_old"
"SpybotDeletingB9970"=command /c del "C:\WINDOWS\system32\mojhosap.dll"
"SpybotDeletingD7067"=cmd /c del "C:\WINDOWS\system32\mojhosap.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingA7040"=command /c del "C:\WINDOWS\system32\mojhosap.dllbox"
"SpybotDeletingC8829"=cmd /c del "C:\WINDOWS\system32\mojhosap.dllbox"
"SpybotDeletingA1302"=command /c del "C:\WINDOWS\system32\mojhosap.dll_old"
"SpybotDeletingC9363"=cmd /c del "C:\WINDOWS\system32\mojhosap.dll_old"
"SpybotDeletingA9841"=command /c del "C:\WINDOWS\system32\mojhosap.dll"
"SpybotDeletingC6386"=cmd /c del "C:\WINDOWS\system32\mojhosap.dll"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

C:\Documents and Settings\Jules\Start Menu\Programs\Startup\
Shortcut to ashDisp.lnk - C:\Program Files\Alwil Software\Avast4\ashDisp.exe [2007-07-28 20:05:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mojhosap]
mojhosap.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vturo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NaturalColorLoad.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NaturalColorLoad.lnk
backup=C:\WINDOWS\pss\NaturalColorLoad.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
C:\Program Files\IncrediMail\bin\IncMail.exe /c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X73 Button Manager]
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X73 Button Monitor]
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]
"C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
"C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

R1 GizmoDrv;Gizmo Virtual Drive Device Driver;C:\WINDOWS\system32\drivers\GizmoDrv.sys
R1 vcdrom;Virtual CD-ROM Device Driver;\??\C:\Documents and Settings\Jules\My Documents\Installers\VCdRom.sys
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\Setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-23 00:49:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 14:01:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-17 14:04:36 - machine was rebooted
.
--- E O F ---
Jollyjedi
2007-11-19, 12:04
And the latest combofix:

ComboFix 07-11-08.3 - Jules 2007-11-19 10:47:06.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.582 [GMT 0:00]
Running from: C:\Documents and Settings\Jules\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jules\Desktop\Virtu info\CFScript.txt
* Created a new restore point

FILE
C:\n.bat
C:\WINDOWS\system32\service.exe
C:\WINDOWS\system32\tfwmxgwc.exe
C:\WINDOWS\system32\vbzip10.dll
C:\x.dat
C:\z.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\n.bat
C:\temp
C:\temp\abW9\tPho.log
C:\temp\Avex.elf
C:\temp\Avex.elog
C:\temp\debug.txt
C:\temp\EnhancedDataOutput.txt
C:\WINDOWS\system32\re3
C:\WINDOWS\system32\rMa18yy
C:\WINDOWS\system32\tfwmxgwc.exe
C:\WINDOWS\system32\vbzip10.dll
C:\x.dat
C:\z.dat

.
((((((((((((((((((((((((( Files Created from 2007-10-19 to 2007-11-19 )))))))))))))))))))))))))))))))
.

2007-11-18 19:44 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-18 19:44 <DIR> d-------- C:\Documents and Settings\Jules\Application Data\SUPERAntiSpyware.com
2007-11-18 19:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-17 15:55 <DIR> d-------- C:\Program Files\Sun
2007-11-17 13:51 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-16 19:04 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-16 14:54 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-16 14:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-16 13:34 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-11-16 09:48 <DIR> d-------- C:\Documents and Settings\Jules\Application Data\MailFrontier
2007-11-16 09:45 3,309,600 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-16 09:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-16 09:42 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-11-16 09:42 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-11-16 09:42 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-11-13 20:46 <DIR> d-------- C:\Program Files\D-Tools
2007-11-13 20:46 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2007-11-13 20:46 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2007-11-12 18:48 16,963 --a------ C:\WINDOWS\system32\drivers\gizmodrv.sys
2007-11-08 06:58 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Leadertech
2007-11-05 12:35 65,024 --a------ C:\WINDOWS\system32\spads.dll
2007-11-05 11:54 <DIR> d-------- C:\Program Files\PKR
2007-10-31 19:37 <DIR> d-------- C:\Documents and Settings\Jules\Application Data\DAEMON Tools Pro
2007-10-31 19:21 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-10-29 15:28 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-10-29 15:28 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-10-29 15:28 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-10-29 15:28 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-10-29 15:28 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-10-29 15:28 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-10-29 15:28 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-10-29 15:28 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-10-25 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Recisio
2007-10-23 10:32 <DIR> d-------- C:\Program Files\Hasbro Interactive
2007-10-23 10:32 45,568 --a------ C:\WINDOWS\UniFish3.exe
2007-10-20 14:22 40,733 --a------ C:\WINDOWS\system32\rightonadz-uninst.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-19 10:51 39,836 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-18 19:44 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-18 19:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-18 15:36 --------- d-----w C:\Program Files\CarbonPoker
2007-11-18 11:23 --------- d-----w C:\Documents and Settings\Jules\Application Data\Microgaming
2007-11-17 17:25 --------- d-----w C:\Program Files\EA GAMES
2007-11-17 15:55 --------- d-----w C:\Program Files\Java
2007-11-17 12:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-16 10:50 --------- d-----w C:\Program Files\Morpheus
2007-11-16 09:47 --------- d-----w C:\Program Files\MSN Messenger
2007-11-15 23:57 --------- d-----w C:\Program Files\e-texaspoker client
2007-11-13 09:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-11-11 13:36 --------- d-----w C:\Program Files\Fish Tycoon
2007-11-10 13:41 --------- d-----w C:\Program Files\PokerStars
2007-10-29 00:29 --------- d-----w C:\Program Files\SunPoker.com
2007-10-25 19:33 --------- d-----w C:\Program Files\KaraFun
2007-10-25 17:13 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-25 17:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-25 17:05 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-25 17:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-25 17:01 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-25 16:58 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-25 13:15 --------- d-----w C:\Program Files\NCH Software
2007-10-25 13:14 --------- d-----w C:\Program Files\NCH Swift Sound
2007-10-25 12:54 --------- d-----w C:\Program Files\Picasa2
2007-10-23 20:14 --------- d-----w C:\Program Files\PartyGaming
2007-10-10 14:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bluetooth
2007-10-10 14:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-10 14:16 --------- d-----w C:\Program Files\IVT Corporation
2007-10-08 13:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-08 13:33 --------- d-----w C:\Program Files\Yahoo!
2007-10-01 22:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-09-30 22:49 --------- d-----w C:\Program Files\SimCity 4 Deluxe
2007-09-29 10:35 1,146,766 ----a-w C:\WINDOWS\SCTUninstaller.exe
2007-09-29 10:34 --------- d-----w C:\Program Files\Deep Silver
2007-09-29 01:16 --------- d-----w C:\Program Files\EvilLyrics
2007-09-28 10:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-28 09:32 --------- d-----w C:\Program Files\eBay
2007-09-28 09:31 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-22 15:23 --------- d-----w C:\Program Files\Lavasoft
2007-09-22 15:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-01 14:01 24,192 ----a-w C:\Documents and Settings\Jules\usbsermptxp.sys
2007-09-01 14:01 22,768 ----a-w C:\Documents and Settings\Jules\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 14:57]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-12 05:19]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 05:03]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 05:03]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-10-25 12:34]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 00:13]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

C:\Documents and Settings\Jules\Start Menu\Programs\Startup\
Shortcut to ashDisp.lnk - C:\Program Files\Alwil Software\Avast4\ashDisp.exe [2007-07-28 20:05:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NaturalColorLoad.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NaturalColorLoad.lnk
backup=C:\WINDOWS\pss\NaturalColorLoad.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
C:\Program Files\IncrediMail\bin\IncMail.exe /c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X73 Button Manager]
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X73 Button Monitor]
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]
"C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
"C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

R1 GizmoDrv;Gizmo Virtual Drive Device Driver;C:\WINDOWS\system32\drivers\GizmoDrv.sys
R1 vcdrom;Virtual CD-ROM Device Driver;\??\C:\Documents and Settings\Jules\My Documents\Installers\VCdRom.sys
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\Setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-23 00:49:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-19 10:53:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-19 10:56:13 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-18 21:54
C:\ComboFix3.txt ... 2007-11-17 14:04
.
--- E O F ---
Jollyjedi
2007-11-19, 12:05
And here's the last HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:24, on 19/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bzzagent.co.uk/member/MemberHome.do
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Shortcut to ashDisp.lnk = C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Search - ?p=ZJxdm025YYGB
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?ca1c9f3b0e8243ed909ae67f686c3183
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?ca1c9f3b0e8243ed909ae67f686c3183
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: PokerTime Poker - {7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79} - C:\Microgaming\Poker\pokertimeMPP\MPPoker.exe
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra 'Tools' menuitem: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Poker\Noble Poker\casino.exe
O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Poker\Noble Poker\casino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: CarbonPoker - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Documents and Settings\Jules\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185658521515
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-bd41dc8beecaaa9e.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_665/webolr/OCX/FlashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C56400E-6AFF-40A8-BA9F-9A14B0D88311}: NameServer = 212.139.132.41 212.139.132.42
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11838 bytes
steamwiz
2007-11-19, 21:39
HI

Looking good ... but you had a pretty nasty trojan on there & I want to be sure it's all gone ...

1. Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

2. Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

3. Reboot into Safe Mode`:-

Reboot into >>>safe mode (http://www.computerhope.com/issues/chsafe.htm)

4. Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.

It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.

When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum

THEN ...

Go here to run an online scannner from ESET.

http://www.eset.eu/online-scanner

Note: You will need to use Internet explorer for this scan
Files\EsetOnlineScanner\log.txt
9. Copy and paste the log into your next reply
1. Tick the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications is checkmarked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program

steam
Jollyjedi
2007-11-20, 17:00
Ok, here's the log reports:

SDFix:

SDFix: Version 1.115

Run by Jules on 20/11/2007 at 13:01

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found

C:\WINDOWS\Fonts\*.zip - 1 File(s) 113,240 bytes - Deleted
C:\WINDOWS\Fonts\'\*.zip - 20835 File(s) 2,359,376,235 bytes - Deleted



Folder C:\WINDOWS\Fonts\' - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-20 13:07:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
"khjeh"=hex:20,02,00,00,97,3a,45,d7,6c,c1,03,e8,5b,38,ec,b6,fa,0e,97,73,67,..
"hj34z0"=hex:22,3d,dc,27,e4,64,fa,c2,f2,59,80,07,f3,78,22,79,61,d1,3e,3b,02,..
"hj34z1"=hex:bf,3c,dc,80,86,65,fa,71,f9,59,81,b9,f8,78,22,b7,6b,d1,3e,e2,c2,..
"hj34z2"=hex:ac,3c,dc,69,95,65,fa,9b,ea,59,81,77,eb,78,22,ee,78,d1,3e,95,d1,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf43]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"h0"=dword:00000000
"hdf12"=hex:f6,4d,d8,a4,e3,89,c1,58,18,27,f7,f0,5d,9c,f5,ed,12,99,16,e3,a6,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"h0"=dword:00000000
"hdf12"=hex:f6,4d,d8,a4,e3,89,c1,58,18,27,f7,f0,5d,9c,f5,ed,12,99,16,e3,a6,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Magentic\\bin\\Magentic.exe"="C:\\Program Files\\Magentic\\bin\\Magentic.exe:*:Enabled:Magentic"
"C:\\Program Files\\Magentic\\bin\\MgApp.exe"="C:\\Program Files\\Magentic\\bin\\MgApp.exe:*:Enabled:Magentic"
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"="C:\\Program Files\\IncrediMail\\bin\\ImApp.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

Mon 10 Nov 2003 532 A.SH. --- "C:\MSSYS.SYS"
Thu 25 Oct 2007 5,903,928 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Sat 17 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!

And Eset:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2672 (20071120)
# vers_arch_module=1.059 (20071108)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=693b170d469b6747b8778d032f7dcdef
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2007-11-20 03:53:17
# local_time=2007-11-20 03:53:17 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 2
# scanned=718616
# found=1
# scan_time=9525
C:\WINDOWS\system32\spads.dll Win32/Adware.TrafficSol application (unable to clean - deleted) 00000000000000000000000000000000


thanks for this ......
steamwiz
2007-11-21, 22:50
Hi

You're welcome...

Did you notice this in the SDFix log ?

C:\WINDOWS\Fonts\'\*.zip - 20835 File(s) 2,359,376,235 bytes - Deleted

That's over 2 gigs of space recovered from your drive ...

The logs look good now ...

Last 2 things I want you to do are run a general cleaner & purge system restore :-

Please Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

doubleclick the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URL's (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

Other explorer MRU's (leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm
...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with it's work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

THEN ...

This will clear all your infected restore points...

Turn off (Disable) System Restore in XP :-

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

Then...

Turn on (enable) System Restore :-

Follow the same procedure, but this time uncheck Turn off System Restore

if you have any problem with this... here's a link to instructions :-


Disabling or enabling Windows XP System Restore >

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

steam
Jollyjedi
2007-11-22, 13:30
Yes I noticed all those files when I was trying to clean the system - none of my programs picked up on it though. I thought I was fairly well protected, but I suppose these trojans etc are getting smarter - will definitely have to learn more :)
Thank you for all your help, it's great to have my computer back!
steamwiz
2007-11-22, 22:36
You're very welcome :)

Happy surfing

steam