I got hit with virtumonde. I rebooted and did a SB scan in safe mode. It did detect virtumonde. I removed it and my kaspersky on reboot detected virtumonde. I tried to run an online scan but it seemed to greyed out. Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:40 AM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188054514343
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.2.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFEF4629-A2C2-4568-A4C4-7413D063E329}: NameServer = 208.67.222.222,208.67.220.220
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: jkkklkk - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - c:\altera\72\quartus\bin\jtagserver.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 8290 bytes

perineum
Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.



I am still looking at a marker on your HJT log for Vundo, lets do a few things.


1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.




=============================================

Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.



======================================



Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall



=======================================

The thieves that have written Vundo have written it to evade a HJT scan so we need to rename it

This is important, do this before you post a HJT log
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe<-- Right click on Hijackthis.exe ( looks like a man with a spyglass )and rename it to Safer.exe



Let me see the Vundofix log, the Combofix log and a New HJT log renamed please.

Vundofix log:

VundoFix V6.7.7

Checking Java version...

Scan started at 1:10:00 PM 1/4/2008

Listing files found while scanning....

No infected files were found.

combofix log:
ComboFix 08-01-04.1 - Admin 2008-01-04 13:40:57.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.652 [GMT -6:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix(2).exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\mcrh.tmp

.
((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.

2008-01-04 13:39 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 13:10 . 2008-01-04 13:10 <DIR> d-------- C:\VundoFix Backups
2008-01-02 10:58 . 2008-01-02 11:00 1,355 --a------ C:\WINDOWS\imsins.BAK
2007-12-30 15:13 . 2007-12-30 15:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-29 00:07 . 2007-12-29 00:07 <DIR> d-------- C:\Deckard
2007-12-28 20:01 . 2007-12-28 20:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-27 20:01 . 2007-12-28 16:12 1,031,259 --ahs---- C:\WINDOWS\system32\nscdapyd.ini
2007-12-26 19:27 . 2004-08-03 23:08 59,136 --a------ C:\WINDOWS\system32\drivers\GcKernel.sys
2007-12-26 19:27 . 2004-08-03 23:08 59,136 --a--c--- C:\WINDOWS\system32\dllcache\gckernel.sys
2007-12-26 19:27 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-12-26 19:27 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-12-26 19:27 . 2001-08-17 14:02 2,688 --a------ C:\WINDOWS\system32\drivers\HIDSwvd.sys
2007-12-26 19:27 . 2001-08-17 14:02 2,688 --a--c--- C:\WINDOWS\system32\dllcache\hidswvd.sys
2007-12-26 09:52 . 2007-12-26 10:01 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-26 09:52 . 2007-12-26 10:01 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-26 09:50 . 2007-12-26 09:50 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-26 09:50 . 2008-01-04 11:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-26 09:49 . 2008-01-04 13:47 5,428,000 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-26 09:49 . 2008-01-04 13:47 85,280 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-26 09:49 . 2008-01-04 11:07 75,164 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-26 09:49 . 2008-01-04 11:07 9,800 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-26 09:38 . 2007-12-26 09:38 <DIR> d-------- C:\KAV
2007-12-23 18:46 . 2007-12-23 18:46 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2007-12-23 18:46 . 2007-12-23 18:46 <DIR> d-------- C:\Program Files\MSECACHE
2007-12-23 18:25 . 2007-12-23 18:25 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-23 18:25 . 2007-12-23 18:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-23 18:15 . 2007-12-23 18:20 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-23 18:05 . 2007-12-23 18:05 <DIR> d-------- C:\Program Files\Comodo
2007-12-23 18:05 . 2007-12-23 18:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BOC425
2007-12-23 18:05 . 2007-11-26 10:38 238,848 --a------ C:\WINDOWS\UNBOC.EXE
2007-12-23 18:05 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2007-12-23 18:05 . 2004-08-03 23:56 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2007-12-23 18:05 . 2007-12-26 10:07 9,196 --a------ C:\WINDOWS\BOC425.INI
2007-12-22 14:47 . 2007-12-30 10:08 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-22 11:21 . 2007-12-22 12:36 381 --a------ C:\WINDOWS\wininit.ini
2007-12-20 11:26 . 2007-12-31 08:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-20 11:26 . 2007-12-20 11:26 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-19 21:59 . 2007-12-31 09:50 <DIR> d-------- C:\Program Files\QuickTime
2007-12-18 09:34 . 2007-12-19 17:32 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\DAEMON Tools
2007-12-18 09:29 . 2007-12-18 09:34 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2007-12-18 09:25 . 2007-12-18 09:25 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-18 08:56 . 2007-12-18 08:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-18 08:50 . 2007-12-27 08:51 <DIR> d-------- C:\Program Files\LucasArts
2007-12-11 13:46 . 2007-12-11 13:46 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 13:46 . 2007-12-11 13:46 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-12-11 13:46 . 2007-12-11 13:46 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-12-11 13:45 . 2007-12-11 13:45 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 13:45 . 2007-12-11 13:45 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-11 13:43 . 2007-12-11 13:43 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-10 20:06 . 2007-12-10 20:06 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 02:04 --------- d-----w C:\Program Files\Last.fm
2008-01-03 21:48 --------- d-----w C:\Documents and Settings\Admin\Application Data\uTorrent
2008-01-02 15:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-31 15:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-31 15:47 --------- d-----w C:\Program Files\Java
2007-12-28 21:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-26 15:47 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-26 15:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-25 23:25 --------- d-----w C:\Program Files\DivX
2007-12-24 01:49 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-24 00:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-20 17:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
2007-12-18 14:56 --------- d-----w C:\Program Files\Apple Software Update
2007-12-16 18:08 --------- d-----w C:\Program Files\ShurikSoft
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-11 19:44 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-12-11 19:44 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-11 19:44 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-11 19:44 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 19:44 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-11 19:44 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 19:44 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-11 19:44 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-12-11 19:44 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-02 16:56 321 ----a-w C:\license.dat
2007-12-02 16:37 --------- d-----w C:\Documents and Settings\Admin\Application Data\SSH
2007-12-01 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-01 23:28 --------- d-----w C:\Documents and Settings\Admin\Application Data\NewsBin
2007-11-20 03:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\SimCity Societies
2007-11-20 03:09 --------- d-----w C:\Program Files\Electronic Arts
2007-11-18 21:35 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-18 17:27 --------- d-----w C:\Documents and Settings\Admin\Application Data\EndNote
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-05 01:39 429 ----a-w C:\0030BD1CDE94__0-741837788253016.dat
2007-11-04 21:10 --------- d-----w C:\Program Files\Common Files\Thraex Software
2007-11-03 17:38 363,368 ----a-w C:\WINDOWS\system32\Incinerator.dll
2007-10-30 23:43 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 15:04 74,703 ----a-w C:\WINDOWS\system32\mfc45.dll
.

<pre>
----a-w 624,248 2007-12-25 19:45:53 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w 90,112 2007-12-25 19:46:02 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
----a-w 48,752 2007-12-26 14:04:47 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 342,272 2007-12-26 16:03:37 C:\Program Files\Comodo\CBOClean\BOC425 .exe
----a-w 1,831,936 2007-12-25 19:45:59 C:\Program Files\Google\Google Desktop Search\GoogleDesktop .exe
----a-w 286,720 2007-12-25 19:45:49 C:\Program Files\QuickTime\QTTask .exe
----a-w 1,460,560 2007-12-30 16:03:23 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 15,360 2007-12-30 16:08:50 C:\WINDOWS\system32\ctfmon .exe
</pre>

((((((((((((((((((((((((((((( snapshot@2007-12-30_10.27.52.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-06-27 14:34:51 124,928 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\advpack.dll
+ 2006-10-17 15:57:50 214,528 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\dxtrans.dll
+ 2007-06-27 14:34:51 132,608 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\extmgr.dll
+ 2006-10-17 15:58:20 61,952 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\icardie.dll
+ 2007-06-27 08:27:04 63,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ie4uinit.exe
+ 2007-06-27 14:34:51 153,088 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieakeng.dll
+ 2007-06-27 14:34:51 230,400 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieaksie.dll
+ 2007-06-27 07:00:33 161,792 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieakui.dll
+ 2007-06-27 14:34:51 383,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieapfltr.dll
+ 2007-06-27 14:34:51 384,512 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iedkcs32.dll
+ 2007-06-27 14:34:55 6,058,496 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieframe.dll
+ 2007-06-27 14:34:55 44,544 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iernonce.dll
+ 2007-06-27 14:34:55 267,776 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iertutil.dll
+ 2007-06-27 08:27:05 13,824 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieudinit.exe
+ 2007-06-27 08:27:30 625,152 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iexplore.exe
+ 2007-06-27 14:34:56 27,648 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\jsproxy.dll
+ 2007-06-27 14:34:56 459,264 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msfeeds.dll
+ 2007-06-27 14:34:56 52,224 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msfeedsbs.dll
+ 2007-07-19 06:59:59 3,583,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mshtml.dll
+ 2007-06-27 14:34:57 477,696 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mshtmled.dll
+ 2007-06-27 14:34:58 193,024 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msrating.dll
+ 2007-06-27 14:34:58 671,232 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mstime.dll
+ 2007-06-27 14:34:58 102,400 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\occache.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\updspapi.dll
+ 2007-06-27 14:34:58 105,984 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\url.dll
+ 2007-06-27 14:34:58 1,152,000 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\urlmon.dll
+ 2007-06-27 14:34:59 232,960 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\webcheck.dll
+ 2007-06-27 14:34:59 823,808 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\wininet.dll
- 2007-06-27 14:34:51 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2007-10-10 23:55:51 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2007-06-27 14:34:51 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2007-10-10 23:55:51 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
- 2006-10-17 15:57:50 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2007-10-10 23:55:51 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-06-27 14:34:51 132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2007-10-10 23:55:51 132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2007-10-10 23:55:51 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
- 2007-06-27 08:27:04 63,488 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2007-10-10 10:59:40 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2007-06-27 14:34:51 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2007-10-10 23:55:51 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2007-06-27 14:34:51 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2007-10-10 23:55:51 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2007-06-27 07:00:33 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2007-10-10 05:46:55 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2007-06-27 14:34:51 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2007-10-10 23:55:52 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2007-06-27 14:34:51 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2007-10-10 23:55:52 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2007-06-27 14:34:55 6,058,496 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2007-10-10 23:55:54 6,065,664 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2007-06-27 14:34:55 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2007-10-10 23:55:55 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2007-06-27 14:34:55 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2007-10-10 23:55:55 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2007-06-27 08:27:05 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
+ 2007-10-10 10:59:40 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
- 2007-06-27 08:27:30 625,152 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2007-10-10 10:59:52 625,152 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2007-05-16 15:12:02 683,520 -c--a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
+ 2007-08-21 06:15:44 683,520 -c--a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
- 2007-06-27 14:34:56 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2007-10-10 23:55:56 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2004-08-04 03:58:22 72,960 -c--a-w C:\WINDOWS\system32\dllcache\mqac.sys
+ 2007-07-06 10:05:47 72,960 -c--a-w C:\WINDOWS\system32\dllcache\mqac.sys
- 2004-08-04 05:56:44 138,240 -c--a-w C:\WINDOWS\system32\dllcache\mqad.dll
+ 2007-07-06 12:46:59 138,240 -c--a-w C:\WINDOWS\system32\dllcache\mqad.dll
- 2004-08-04 05:56:44 47,104 -c--a-w C:\WINDOWS\system32\dllcache\mqdscli.dll
+ 2007-07-06 12:46:59 47,104 -c--a-w C:\WINDOWS\system32\dllcache\mqdscli.dll
- 2004-08-04 05:56:44 16,896 -c--a-w C:\WINDOWS\system32\dllcache\mqise.dll
+ 2007-07-06 12:46:59 16,896 -c--a-w C:\WINDOWS\system32\dllcache\mqise.dll
- 2004-08-04 05:56:44 660,992 -c--a-w C:\WINDOWS\system32\dllcache\mqqm.dll
+ 2007-07-06 12:46:59 660,992 -c--a-w C:\WINDOWS\system32\dllcache\mqqm.dll
- 2004-08-04 05:56:44 177,152 -c--a-w C:\WINDOWS\system32\dllcache\mqrt.dll
+ 2007-07-06 12:46:59 177,152 -c--a-w C:\WINDOWS\system32\dllcache\mqrt.dll
- 2004-08-04 05:56:44 95,744 -c--a-w C:\WINDOWS\system32\dllcache\mqsec.dll
+ 2007-07-06 12:46:59 95,744 -c--a-w C:\WINDOWS\system32\dllcache\mqsec.dll
- 2004-08-04 05:56:44 48,640 -c--a-w C:\WINDOWS\system32\dllcache\mqupgrd.dll
+ 2007-07-06 12:46:59 48,640 -c--a-w C:\WINDOWS\system32\dllcache\mqupgrd.dll
- 2004-08-04 05:56:44 471,552 -c--a-w C:\WINDOWS\system32\dllcache\mqutil.dll
+ 2007-07-06 12:46:59 471,552 -c--a-w C:\WINDOWS\system32\dllcache\mqutil.dll
- 2007-06-27 14:34:56 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2007-10-10 23:55:56 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2007-06-27 14:34:56 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2007-10-10 23:55:56 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2007-07-19 06:59:59 3,583,488 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2007-10-30 23:42:28 3,590,656 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-06-27 14:34:57 477,696 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2007-10-10 23:55:58 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-06-27 14:34:58 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2007-10-10 23:55:58 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-06-27 14:34:58 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2007-10-10 23:55:59 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-06-27 14:34:58 102,400 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
+ 2007-10-10 23:55:59 102,400 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
- 2005-08-30 03:54:26 1,287,168 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll
+ 2007-10-29 22:43:03 1,287,680 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll
- 2004-08-04 05:56:46 581,120 -c--a-w C:\WINDOWS\system32\dllcache\rpcrt4.dll
+ 2007-07-09 13:16:16 582,656 -c--a-w C:\WINDOWS\system32\dllcache\rpcrt4.dll
- 2006-12-19 21:52:18 8,453,632 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
+ 2007-10-26 03:34:01 8,460,288 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
- 2007-06-27 14:34:58 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
+ 2007-10-10 23:55:59 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
- 2007-06-27 14:34:58 1,152,000 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2007-10-10 23:56:00 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-06-27 14:34:59 232,960 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2007-10-10 23:56:00 232,960 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2007-06-27 14:34:59 823,808 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2007-10-10 23:56:00 824,832 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2005-01-28 17:44:28 224,768 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
+ 2007-10-27 23:40:06 227,328 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
- 2004-08-04 03:58:22 72,960 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
+ 2007-07-06 10:05:47 72,960 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
- 2006-10-17 15:57:50 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2007-10-10 23:55:51 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-06-27 14:34:51 132,608 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2007-10-10 23:55:51 132,608 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2006-10-17 15:58:20 61,952 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2007-10-10 23:55:51 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2007-06-27 08:27:04 63,488 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2007-10-10 10:59:40 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2007-06-27 14:34:51 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2007-10-10 23:55:51 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2007-06-27 14:34:51 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2007-10-10 23:55:51 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2007-06-27 07:00:33 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2007-10-10 05:46:55 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2007-06-27 14:34:51 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2007-10-10 23:55:52 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2007-06-27 14:34:51 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2007-10-10 23:55:52 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2007-06-27 14:34:55 6,058,496 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2007-10-10 23:55:54 6,065,664 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-06-27 14:34:55 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2007-10-10 23:55:55 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2007-06-27 14:34:55 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2007-10-10 23:55:55 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2007-06-27 08:27:05 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2007-10-10 10:59:40 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
+ 2007-08-21 06:15:44 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
- 2007-06-27 14:34:56 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2007-10-10 23:55:56 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2007-04-24 15:32:06 1,485,696 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2007-10-11 20:12:48 1,468,968 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
- 2006-11-09 19:20:00 2,111,096 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
+ 2007-11-21 00:52:38 2,884,992 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
- 2006-11-09 19:20:00 190,072 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2007-11-21 00:52:40 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-01-04 17:14:46 70,264 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
- 2004-08-04 05:56:44 138,240 ----a-w C:\WINDOWS\system32\mqad.dll
+ 2007-07-06 12:46:59 138,240 ----a-w C:\WINDOWS\system32\mqad.dll
- 2004-08-04 05:56:44 47,104 ----a-w C:\WINDOWS\system32\mqdscli.dll
+ 2007-07-06 12:46:59 47,104 ----a-w C:\WINDOWS\system32\mqdscli.dll
- 2004-08-04 05:56:44 16,896 ----a-w C:\WINDOWS\system32\mqise.dll
+ 2007-07-06 12:46:59 16,896 ----a-w C:\WINDOWS\system32\mqise.dll
- 2004-08-04 05:56:44 660,992 ----a-w C:\WINDOWS\system32\mqqm.dll
+ 2007-07-06 12:46:59 660,992 ----a-w C:\WINDOWS\system32\mqqm.dll
- 2004-08-04 05:56:44 177,152 ----a-w C:\WINDOWS\system32\mqrt.dll
+ 2007-07-06 12:46:59 177,152 ----a-w C:\WINDOWS\system32\mqrt.dll
- 2004-08-04 05:56:44 95,744 ----a-w C:\WINDOWS\system32\mqsec.dll
+ 2007-07-06 12:46:59 95,744 ----a-w C:\WINDOWS\system32\mqsec.dll
- 2004-08-04 05:56:44 48,640 ----a-w C:\WINDOWS\system32\mqupgrd.dll
+ 2007-07-06 12:46:59 48,640 ----a-w C:\WINDOWS\system32\mqupgrd.dll
- 2004-08-04 05:56:44 471,552 ----a-w C:\WINDOWS\system32\mqutil.dll
+ 2007-07-06 12:46:59 471,552 ----a-w C:\WINDOWS\system32\mqutil.dll
- 2007-06-27 14:34:56 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2007-10-10 23:55:56 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2007-06-27 14:34:56 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2007-10-10 23:55:56 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2007-07-19 06:59:59 3,583,488 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2007-10-30 23:42:28 3,590,656 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-06-27 14:34:57 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2007-10-10 23:55:58 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-06-27 14:34:58 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2007-10-10 23:55:58 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-06-27 14:34:58 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2007-10-10 23:55:59 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2007-06-27 14:34:58 102,400 ----a-w C:\WINDOWS\system32\occache.dll
+ 2007-10-10 23:55:59 102,400 ----a-w C:\WINDOWS\system32\occache.dll
- 2004-08-04 05:56:46 581,120 ----a-w C:\WINDOWS\system32\rpcrt4.dll
+ 2007-07-09 13:16:16 582,656 ----a-w C:\WINDOWS\system32\rpcrt4.dll
- 2006-12-19 21:52:18 8,453,632 ----a-w C:\WINDOWS\system32\shell32.dll
+ 2007-10-26 03:34:01 8,460,288 ----a-w C:\WINDOWS\system32\shell32.dll
- 2007-12-14 03:26:50 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 14:00:00 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
- 2007-12-04 07:00:42 136,704 ----a-w C:\WINDOWS\system32\swsc.exe
+ 2000-08-31 14:00:00 136,704 ----a-w C:\WINDOWS\system32\swsc.exe
- 2006-12-01 11:20:32 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
+ 2000-08-31 14:00:00 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
- 2007-01-29 08:58:06 60,416 ----a-w C:\WINDOWS\system32\tzchange.exe
+ 2007-11-13 11:31:11 60,416 ----a-w C:\WINDOWS\system32\tzchange.exe
- 2007-06-27 14:34:58 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2007-10-10 23:55:59 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-06-27 14:34:58 1,152,000 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2007-10-10 23:56:00 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2006-11-27 08:34:46 49,152 ----a-w C:\WINDOWS\system32\VFind.exe
+ 2000-08-31 14:00:00 49,152 ----a-w C:\WINDOWS\system32\VFind.exe
- 2007-06-27 14:34:59 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2007-10-10 23:56:00 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2007-06-27 14:34:59 823,808 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-10-10 23:56:00 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
- 2007-03-09 11:28:00 248,320 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-10-29 10:04:03 350,720 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-09-16 20:05:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkklkk]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" -atboottime

R2 BT848;BtCap, WDM Video Capture;C:\WINDOWS\system32\drivers\BT848.sys [2000-03-29 08:26]
R2 BTTUNER;BtTuner, WDM TvTuner;C:\WINDOWS\system32\drivers\BTTUNER.sys [2000-03-29 08:26]
R2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.sys [2000-03-29 08:26]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2005-06-10 08:01]
R3 BOCDRIVE;BOClean Kernel Monitor.;C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys [2007-04-17 14:14]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 15:10]
S3 PEEK5;PEEK5 Protocol Driver;C:\DOCUME~1\Admin\Desktop\WINDOW~1\AIRSNO~1.6_W\PEEK5.SYS []


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb
.
Contents of the 'Scheduled Tasks' folder
"2008-01-03 03:56:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 13:47:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-04 13:49:23
ComboFix-quarantined-files.txt 2008-01-04 19:49:17

HJT log from safer.exe:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:54:47 PM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\safer.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188054514343
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.2.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFEF4629-A2C2-4568-A4C4-7413D063E329}: NameServer = 208.67.222.222,208.67.220.220
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: jkkklkk - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - c:\altera\72\quartus\bin\jtagserver.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 8190 bytes

perineum,

You are infected with a newer variant of Vundo, this one infects legitimate files. If you look at your Combofix report, all those programs in the CODE box are all infected. All the files in the SNAPSHOT with a A W next to them are infected also.

We will try out a new tool. Thank You sUbs

Download http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe
to your Desktop.

Double click RenV.exe to run it
It will produce a log for you, please post it.

Ran on Fri 01/04/2008 - 19:27:32.85

----a-w 624,248 2007-12-25 19:45:53 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w 90,112 2007-12-25 19:46:02 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
----a-w 48,752 2007-12-26 14:04:47 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 342,272 2007-12-26 16:03:37 C:\Program Files\Comodo\CBOClean\BOC425 .exe
----a-w 1,831,936 2007-12-25 19:45:59 C:\Program Files\Google\Google Desktop Search\GoogleDesktop .exe
----a-w 286,720 2007-12-25 19:45:49 C:\Program Files\QuickTime\QTTask .exe
----a-w 1,460,560 2007-12-30 16:03:23 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 15,360 2007-12-30 16:08:50 C:\WINDOWS\system32\ctfmon .exe

Entries: 8 (8)
Directories: 0 Files: 8
Bytes: 4,699,960 Blocks: 9,182

Hello,

Your Tea Timer is still active, do this before you proceed or it can bork the fix.


1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer<------------.


Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

O20 - Winlogon Notify: jkkklkk - C:\WINDOWS\




Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above RenV::



RenV::
----a-w 624,248 2007-12-25 19:45:53 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w 90,112 2007-12-25 19:46:02 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
----a-w 48,752 2007-12-26 14:04:47 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 342,272 2007-12-26 16:03:37 C:\Program Files\Comodo\CBOClean\BOC425 .exe
----a-w 1,831,936 2007-12-25 19:45:59 C:\Program Files\Google\Google Desktop Search\GoogleDesktop .exe
----a-w 286,720 2007-12-25 19:45:49 C:\Program Files\QuickTime\QTTask .exe
----a-w 1,460,560 2007-12-30 16:03:23 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 15,360 2007-12-30 16:08:50 C:\WINDOWS\system32\ctfmon .exe


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


You are most likely going to have to re install the programs in the Quote box so start getting your CDs in order.

ComboFix 08-01-04.1 - Admin 2008-01-04 21:01:48.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.631 [GMT -6:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix(4).exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-04 20:57 . 2008-01-04 20:57 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-04 13:39 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 13:10 . 2008-01-04 13:10 <DIR> d-------- C:\VundoFix Backups
2008-01-02 10:58 . 2008-01-02 11:00 1,355 --a------ C:\WINDOWS\imsins.BAK
2007-12-30 15:13 . 2007-12-30 15:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-29 00:07 . 2007-12-29 00:07 <DIR> d-------- C:\Deckard
2007-12-28 20:01 . 2007-12-28 20:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-27 20:01 . 2007-12-28 16:12 1,031,259 --ahs---- C:\WINDOWS\system32\nscdapyd.ini
2007-12-26 19:27 . 2004-08-03 23:08 59,136 --a------ C:\WINDOWS\system32\drivers\GcKernel.sys
2007-12-26 19:27 . 2004-08-03 23:08 59,136 --a--c--- C:\WINDOWS\system32\dllcache\gckernel.sys
2007-12-26 19:27 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-12-26 19:27 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-12-26 19:27 . 2001-08-17 14:02 2,688 --a------ C:\WINDOWS\system32\drivers\HIDSwvd.sys
2007-12-26 19:27 . 2001-08-17 14:02 2,688 --a--c--- C:\WINDOWS\system32\dllcache\hidswvd.sys
2007-12-26 09:52 . 2007-12-26 10:01 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-26 09:52 . 2007-12-26 10:01 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-26 09:50 . 2007-12-26 09:50 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-26 09:50 . 2008-01-04 19:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-26 09:49 . 2008-01-04 21:03 5,517,600 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-26 09:49 . 2008-01-04 21:03 89,632 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-26 09:49 . 2008-01-04 15:57 76,196 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-26 09:49 . 2008-01-04 15:57 10,256 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-26 09:38 . 2007-12-26 09:38 <DIR> d-------- C:\KAV
2007-12-23 18:46 . 2007-12-23 18:46 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2007-12-23 18:46 . 2007-12-23 18:46 <DIR> d-------- C:\Program Files\MSECACHE
2007-12-23 18:25 . 2007-12-23 18:25 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-23 18:25 . 2007-12-23 18:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-23 18:15 . 2007-12-23 18:20 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-23 18:05 . 2007-12-23 18:05 <DIR> d-------- C:\Program Files\Comodo
2007-12-23 18:05 . 2007-12-23 18:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BOC425
2007-12-23 18:05 . 2007-11-26 10:38 238,848 --a------ C:\WINDOWS\UNBOC.EXE
2007-12-23 18:05 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2007-12-23 18:05 . 2004-08-03 23:56 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2007-12-23 18:05 . 2007-12-26 10:07 9,196 --a------ C:\WINDOWS\BOC425.INI
2007-12-22 14:47 . 2007-12-30 10:08 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-22 11:21 . 2007-12-22 12:36 381 --a------ C:\WINDOWS\wininit.ini
2007-12-20 11:26 . 2007-12-31 08:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-20 11:26 . 2007-12-20 11:26 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-19 21:59 . 2007-12-31 09:50 <DIR> d-------- C:\Program Files\QuickTime
2007-12-18 09:34 . 2007-12-19 17:32 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\DAEMON Tools
2007-12-18 09:29 . 2007-12-18 09:34 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2007-12-18 09:25 . 2007-12-18 09:25 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-18 08:56 . 2007-12-18 08:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-18 08:50 . 2007-12-27 08:51 <DIR> d-------- C:\Program Files\LucasArts
2007-12-11 13:46 . 2007-12-11 13:46 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 13:46 . 2007-12-11 13:46 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-12-11 13:46 . 2007-12-11 13:46 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-12-11 13:45 . 2007-12-11 13:45 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 13:45 . 2007-12-11 13:45 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-11 13:43 . 2007-12-11 13:43 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-10 20:06 . 2007-12-10 20:06 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 02:04 --------- d-----w C:\Program Files\Last.fm
2008-01-03 21:48 --------- d-----w C:\Documents and Settings\Admin\Application Data\uTorrent
2008-01-02 15:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-31 15:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-31 15:47 --------- d-----w C:\Program Files\Java
2007-12-28 21:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-26 15:47 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-26 15:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-25 23:25 --------- d-----w C:\Program Files\DivX
2007-12-24 01:49 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-24 00:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-20 17:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
2007-12-18 14:56 --------- d-----w C:\Program Files\Apple Software Update
2007-12-16 18:08 --------- d-----w C:\Program Files\ShurikSoft
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-11 19:44 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-12-11 19:44 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-11 19:44 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-11 19:44 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 19:44 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-11 19:44 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 19:44 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-11 19:44 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-12-11 19:44 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-02 16:56 321 ----a-w C:\license.dat
2007-12-02 16:37 --------- d-----w C:\Documents and Settings\Admin\Application Data\SSH
2007-12-01 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-01 23:28 --------- d-----w C:\Documents and Settings\Admin\Application Data\NewsBin
2007-11-20 03:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\SimCity Societies
2007-11-20 03:09 --------- d-----w C:\Program Files\Electronic Arts
2007-11-18 21:35 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-18 17:27 --------- d-----w C:\Documents and Settings\Admin\Application Data\EndNote
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-05 01:39 429 ----a-w C:\0030BD1CDE94__0-741837788253016.dat
2007-11-03 17:38 363,368 ----a-w C:\WINDOWS\system32\Incinerator.dll
2007-10-30 23:43 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 15:04 74,703 ----a-w C:\WINDOWS\system32\mfc45.dll
.

<pre>
------w 48,752 2007-12-26 14:04:47 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 342,272 2007-12-26 16:03:37 C:\Program Files\Comodo\CBOClean\BOC425 .exe
----a-w 1,831,936 2007-12-25 19:45:59 C:\Program Files\Google\Google Desktop Search\GoogleDesktop .exe
----a-w 286,720 2007-12-25 19:45:49 C:\Program Files\QuickTime\QTTask .exe
----a-w 1,460,560 2007-12-30 16:03:23 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 15,360 2007-12-30 16:08:50 C:\WINDOWS\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-09-16 20:05:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" -atboottime

R2 BT848;BtCap, WDM Video Capture;C:\WINDOWS\system32\drivers\BT848.sys [2000-03-29 08:26]
R2 BTTUNER;BtTuner, WDM TvTuner;C:\WINDOWS\system32\drivers\BTTUNER.sys [2000-03-29 08:26]
R2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.sys [2000-03-29 08:26]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2005-06-10 08:01]
R3 BOCDRIVE;BOClean Kernel Monitor.;C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys [2007-04-17 14:14]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 15:10]
S3 PEEK5;PEEK5 Protocol Driver;C:\DOCUME~1\Admin\Desktop\WINDOW~1\AIRSNO~1.6_W\PEEK5.SYS []


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb
.
Contents of the 'Scheduled Tasks' folder
"2008-01-03 03:56:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 21:04:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-04 21:05:10
ComboFix-quarantined-files.txt 2008-01-05 03:04:52
ComboFix2.txt 2008-01-04 19:49:27

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:05:36 PM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\safer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188054514343
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.2.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFEF4629-A2C2-4568-A4C4-7413D063E329}: NameServer = 208.67.222.222,208.67.220.220
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - c:\altera\72\quartus\bin\jtagserver.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 8108 bytes

Some where not removed, do this in Safemode.

To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)


Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above RenV::



RenV::
----a-w 342,272 2007-12-26 16:03:37 C:\Program Files\Comodo\CBOClean\BOC425 .exe
----a-w 1,831,936 2007-12-25 19:45:59 C:\Program Files\Google\Google Desktop Search\GoogleDesktop .exe
----a-w 286,720 2007-12-25 19:45:49 C:\Program Files\QuickTime\QTTask .exe
----a-w 1,460,560 2007-12-30 16:03:23 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 15,360 2007-12-30 16:08:50 C:\WINDOWS\system32\ctfmon .exe


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


I need to see a new HJT log also please

ComboFix 08-01-04.1 - Admin 2008-01-04 21:40:54.9 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.791 [GMT -6:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix(2).exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-04 21:22 . 2007-12-05 14:17 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-01-04 21:21 . 2008-01-04 21:21 <DIR> d-------- C:\Program Files\ATI Technologies
2008-01-04 20:57 . 2008-01-04 20:57 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-04 13:39 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 13:10 . 2008-01-04 13:10 <DIR> d-------- C:\VundoFix Backups
2008-01-02 10:58 . 2008-01-02 11:00 1,355 --a------ C:\WINDOWS\imsins.BAK
2007-12-30 15:13 . 2007-12-30 15:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-29 00:07 . 2007-12-29 00:07 <DIR> d-------- C:\Deckard
2007-12-28 20:01 . 2007-12-28 20:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-27 20:01 . 2007-12-28 16:12 1,031,259 --ahs---- C:\WINDOWS\system32\nscdapyd.ini
2007-12-26 19:27 . 2004-08-03 23:08 59,136 --a------ C:\WINDOWS\system32\drivers\GcKernel.sys
2007-12-26 19:27 . 2004-08-03 23:08 59,136 --a--c--- C:\WINDOWS\system32\dllcache\gckernel.sys
2007-12-26 19:27 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-12-26 19:27 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-12-26 19:27 . 2001-08-17 14:02 2,688 --a------ C:\WINDOWS\system32\drivers\HIDSwvd.sys
2007-12-26 19:27 . 2001-08-17 14:02 2,688 --a--c--- C:\WINDOWS\system32\dllcache\hidswvd.sys
2007-12-26 09:52 . 2007-12-26 10:01 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-26 09:52 . 2007-12-26 10:01 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-26 09:50 . 2007-12-26 09:50 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-26 09:50 . 2008-01-04 21:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-26 09:49 . 2008-01-04 21:38 5,578,528 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-26 09:49 . 2008-01-04 21:38 96,032 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-26 09:49 . 2008-01-04 21:38 77,876 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-26 09:49 . 2008-01-04 21:38 11,120 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-26 09:38 . 2007-12-26 09:38 <DIR> d-------- C:\KAV
2007-12-23 18:46 . 2007-12-23 18:46 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2007-12-23 18:46 . 2007-12-23 18:46 <DIR> d-------- C:\Program Files\MSECACHE
2007-12-23 18:25 . 2007-12-23 18:25 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-23 18:25 . 2007-12-23 18:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-23 18:15 . 2007-12-23 18:20 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-23 18:05 . 2007-12-23 18:05 <DIR> d-------- C:\Program Files\Comodo
2007-12-23 18:05 . 2007-11-26 10:38 238,848 --a------ C:\WINDOWS\UNBOC.EXE
2007-12-23 18:05 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2007-12-23 18:05 . 2004-08-03 23:56 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2007-12-22 14:47 . 2007-12-30 10:08 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-22 11:21 . 2008-01-04 21:12 381 --a------ C:\WINDOWS\wininit.ini
2007-12-20 11:26 . 2007-12-31 08:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-20 11:26 . 2007-12-20 11:26 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-19 21:59 . 2007-12-31 09:50 <DIR> d-------- C:\Program Files\QuickTime
2007-12-18 09:34 . 2007-12-19 17:32 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\DAEMON Tools
2007-12-18 09:29 . 2007-12-18 09:34 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2007-12-18 09:25 . 2007-12-18 09:25 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-18 08:50 . 2007-12-27 08:51 <DIR> d-------- C:\Program Files\LucasArts
2007-12-11 13:46 . 2007-12-11 13:46 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 13:46 . 2007-12-11 13:46 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-12-11 13:46 . 2007-12-11 13:46 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-12-11 13:45 . 2007-12-11 13:45 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 13:45 . 2007-12-11 13:45 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-11 13:43 . 2007-12-11 13:43 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-10 20:06 . 2007-12-10 20:06 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 03:15 --------- d-----w C:\Program Files\Google
2008-01-05 03:12 --------- d-----w C:\Program Files\Apple Software Update
2008-01-04 02:04 --------- d-----w C:\Program Files\Last.fm
2008-01-03 21:48 --------- d-----w C:\Documents and Settings\Admin\Application Data\uTorrent
2008-01-02 15:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-31 15:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-31 15:47 --------- d-----w C:\Program Files\Java
2007-12-28 21:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-26 15:47 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-26 15:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-25 23:25 --------- d-----w C:\Program Files\DivX
2007-12-24 01:49 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-24 00:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-20 17:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
2007-12-16 18:08 --------- d-----w C:\Program Files\ShurikSoft
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-11 19:44 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-12-11 19:44 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-11 19:44 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-11 19:44 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 19:44 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-11 19:44 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 19:44 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-11 19:44 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-12-11 19:44 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-05 05:26 2,782,208 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-12-05 03:05 368,640 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-12-05 03:04 269,312 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-12-05 02:56 147,456 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-12-05 02:55 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-12-05 02:55 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-12-05 02:54 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-12-05 02:53 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-12-05 02:53 495,616 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-12-05 02:48 9,535,488 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-12-05 02:44 3,175,584 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-12-05 02:33 1,640,192 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-12-05 02:19 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-12-05 02:19 385,024 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-12-05 02:17 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-12-05 02:16 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2007-12-05 02:14 180,224 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-12-05 02:11 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-12-02 16:56 321 ----a-w C:\license.dat
2007-12-02 16:37 --------- d-----w C:\Documents and Settings\Admin\Application Data\SSH
2007-12-01 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-01 23:28 --------- d-----w C:\Documents and Settings\Admin\Application Data\NewsBin
2007-11-20 03:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\SimCity Societies
2007-11-20 03:09 --------- d-----w C:\Program Files\Electronic Arts
2007-11-18 21:35 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-18 17:27 --------- d-----w C:\Documents and Settings\Admin\Application Data\EndNote
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-05 01:39 429 ----a-w C:\0030BD1CDE94__0-741837788253016.dat
2007-11-03 17:38 363,368 ----a-w C:\WINDOWS\system32\Incinerator.dll
2007-10-30 23:43 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 15:04 74,703 ----a-w C:\WINDOWS\system32\mfc45.dll
.

<pre>
------w 48,752 2007-12-26 14:04:47 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 286,720 2007-12-25 19:45:49 C:\Program Files\QuickTime\QTTask .exe
----a-w 1,460,560 2007-12-30 16:03:23 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 15,360 2007-12-30 16:08:50 C:\WINDOWS\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((( snapshot_2008-01-04_13.47.41.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-01-30 16:21:34 128,813 ----a-w C:\WINDOWS\system32\atiicdxx.dat
+ 2007-11-06 14:19:00 158,080 ----a-w C:\WINDOWS\system32\atiicdxx.dat
+ 2007-12-05 02:33:27 3,107,788 ----a-w C:\WINDOWS\system32\ativva5x.dat
+ 2007-12-05 02:33:27 887,724 ----a-w C:\WINDOWS\system32\ativva6x.dat
- 2007-02-02 19:40:11 3,107,788 ----a-w C:\WINDOWS\system32\ativvaxx.dat
+ 2007-12-05 02:33:27 3,107,788 ----a-w C:\WINDOWS\system32\ativvaxx.dat
- 2007-02-02 19:20:28 348,160 -c--a-w C:\WINDOWS\system32\dllcache\ati2cqag.dll
+ 2007-12-05 02:11:18 499,712 -c--a-w C:\WINDOWS\system32\dllcache\ati2cqag.dll
- 2007-02-02 20:03:43 264,704 -c--a-w C:\WINDOWS\system32\dllcache\ati2dvag.dll
+ 2007-12-05 03:04:08 269,312 -c--a-w C:\WINDOWS\system32\dllcache\ati2dvag.dll
- 2007-02-02 20:03:25 1,975,296 -c--a-w C:\WINDOWS\system32\dllcache\ati2mtag.sys
+ 2007-12-05 05:26:40 2,782,208 -c--a-w C:\WINDOWS\system32\dllcache\ati2mtag.sys
- 2007-02-02 19:46:45 2,827,968 -c--a-w C:\WINDOWS\system32\dllcache\ati3duag.dll
+ 2007-12-05 02:44:54 3,175,584 -c--a-w C:\WINDOWS\system32\dllcache\ati3duag.dll
- 2007-02-02 19:40:29 1,272,960 -c--a-w C:\WINDOWS\system32\dllcache\ativvaxx.dll
+ 2007-12-05 02:33:47 1,640,192 -c--a-w C:\WINDOWS\system32\dllcache\ativvaxx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-09-16 20:05:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" -atboottime

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S2 BT848;BtCap, WDM Video Capture;C:\WINDOWS\system32\drivers\BT848.sys [2000-03-29 08:26]
S2 BTTUNER;BtTuner, WDM TvTuner;C:\WINDOWS\system32\drivers\BTTUNER.sys [2000-03-29 08:26]
S2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.sys [2000-03-29 08:26]
S2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2005-06-10 08:01]
S3 BOCDRIVE;BOClean Kernel Monitor.;C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 15:10]
S3 PEEK5;PEEK5 Protocol Driver;C:\DOCUME~1\Admin\Desktop\WINDOW~1\AIRSNO~1.6_W\PEEK5.SYS []

*Newly Created Service* - BTTUNER
*Newly Created Service* - BTXBAR
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 21:46:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-04 21:47:37
ComboFix-quarantined-files.txt 2008-01-05 03:47:16
ComboFix2.txt 2008-01-05 03:05:11
ComboFix3.txt 2008-01-04 19:49:27

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:08 PM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Trend Micro\HijackThis\safer.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188054514343
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.2.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFEF4629-A2C2-4568-A4C4-7413D063E329}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - c:\altera\72\quartus\bin\jtagserver.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7923 bytes

Good Morning,

Your Tea Timer is still active and is most likely preventing the other entries from being removed. Its possible that since that program is infected that its preventing you from disabling it.

Go to your Add Remove Programs in the Control Panel and uninstall Spybot Search and Destroy.

Then reboot and delete the entire folder.
C:\Program Files\Spybot - Search & Destroy



Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space above and to the left of File::



RenV::
------w 48,752 2007-12-26 14:04:47 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 286,720 2007-12-25 19:45:49 C:\Program Files\QuickTime\QTTask .exe
----a-w 1,460,560 2007-12-30 16:03:23 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 15,360 2007-12-30 16:08:50 C:\WINDOWS\system32\ctfmon .exe



Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next replytogether with a new HijackThis log.

ComboFix 08-01-04.1 - Admin 2008-01-05 10:06:29.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.671 [GMT -6:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix(2).exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-04 21:22 . 2007-12-05 14:17 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-01-04 21:21 . 2008-01-04 21:21 <DIR> d-------- C:\Program Files\ATI Technologies
2008-01-04 20:57 . 2008-01-04 20:57 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-04 13:39 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 13:10 . 2008-01-04 13:10 <DIR> d-------- C:\VundoFix Backups
2008-01-02 10:58 . 2008-01-02 11:00 1,355 --a------ C:\WINDOWS\imsins.BAK
2007-12-30 15:13 . 2007-12-30 15:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-29 00:07 . 2007-12-29 00:07 <DIR> d-------- C:\Deckard
2007-12-28 20:01 . 2007-12-28 20:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-27 20:01 . 2007-12-28 16:12 1,031,259 --ahs---- C:\WINDOWS\system32\nscdapyd.ini
2007-12-26 19:27 . 2004-08-03 23:08 59,136 --a------ C:\WINDOWS\system32\drivers\GcKernel.sys
2007-12-26 19:27 . 2004-08-03 23:08 59,136 --a--c--- C:\WINDOWS\system32\dllcache\gckernel.sys
2007-12-26 19:27 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-12-26 19:27 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-12-26 19:27 . 2001-08-17 14:02 2,688 --a------ C:\WINDOWS\system32\drivers\HIDSwvd.sys
2007-12-26 19:27 . 2001-08-17 14:02 2,688 --a--c--- C:\WINDOWS\system32\dllcache\hidswvd.sys
2007-12-26 09:52 . 2007-12-26 10:01 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-26 09:52 . 2007-12-26 10:01 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-26 09:50 . 2007-12-26 09:50 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-26 09:50 . 2008-01-05 10:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-26 09:49 . 2008-01-05 10:12 5,643,040 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-26 09:49 . 2008-01-05 10:12 99,616 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-26 09:49 . 2008-01-05 10:01 78,452 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-26 09:49 . 2008-01-05 10:01 11,288 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-26 09:38 . 2007-12-26 09:38 <DIR> d-------- C:\KAV
2007-12-23 18:46 . 2007-12-23 18:46 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2007-12-23 18:46 . 2007-12-23 18:46 <DIR> d-------- C:\Program Files\MSECACHE
2007-12-23 18:25 . 2007-12-23 18:25 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-23 18:25 . 2007-12-23 18:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-23 18:15 . 2007-12-23 18:20 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-23 18:05 . 2007-12-23 18:05 <DIR> d-------- C:\Program Files\Comodo
2007-12-23 18:05 . 2007-11-26 10:38 238,848 --a------ C:\WINDOWS\UNBOC.EXE
2007-12-23 18:05 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2007-12-23 18:05 . 2004-08-03 23:56 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2007-12-22 14:47 . 2007-12-30 10:08 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-22 11:21 . 2008-01-04 21:12 381 --a------ C:\WINDOWS\wininit.ini
2007-12-20 11:26 . 2007-12-31 08:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-20 11:26 . 2007-12-20 11:26 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-19 21:59 . 2007-12-31 09:50 <DIR> d-------- C:\Program Files\QuickTime
2007-12-18 09:34 . 2007-12-19 17:32 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\DAEMON Tools
2007-12-18 09:29 . 2007-12-18 09:34 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2007-12-18 09:25 . 2007-12-18 09:25 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-18 08:50 . 2007-12-27 08:51 <DIR> d-------- C:\Program Files\LucasArts
2007-12-11 13:46 . 2007-12-11 13:46 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 13:46 . 2007-12-11 13:46 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-12-11 13:46 . 2007-12-11 13:46 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-12-11 13:45 . 2007-12-11 13:45 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 13:45 . 2007-12-11 13:45 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-11 13:43 . 2007-12-11 13:43 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-10 20:06 . 2007-12-10 20:06 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 16:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-05 16:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-05 03:15 --------- d-----w C:\Program Files\Google
2008-01-05 03:12 --------- d-----w C:\Program Files\Apple Software Update
2008-01-04 02:04 --------- d-----w C:\Program Files\Last.fm
2008-01-03 21:48 --------- d-----w C:\Documents and Settings\Admin\Application Data\uTorrent
2008-01-02 15:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-31 15:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-31 15:47 --------- d-----w C:\Program Files\Java
2007-12-26 15:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-25 23:25 --------- d-----w C:\Program Files\DivX
2007-12-24 01:49 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-24 00:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-20 17:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
2007-12-16 18:08 --------- d-----w C:\Program Files\ShurikSoft
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-11 19:44 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-12-11 19:44 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-11 19:44 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-11 19:44 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 19:44 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-11 19:44 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 19:44 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-11 19:44 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-12-11 19:44 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-05 05:26 2,782,208 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-12-05 03:05 368,640 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-12-05 03:04 269,312 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-12-05 02:56 147,456 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-12-05 02:55 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-12-05 02:55 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-12-05 02:54 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-12-05 02:53 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-12-05 02:53 495,616 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-12-05 02:48 9,535,488 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-12-05 02:44 3,175,584 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-12-05 02:33 1,640,192 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-12-05 02:19 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-12-05 02:19 385,024 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-12-05 02:17 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-12-05 02:16 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2007-12-05 02:14 180,224 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-12-05 02:11 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-12-02 16:56 321 ----a-w C:\license.dat
2007-12-02 16:37 --------- d-----w C:\Documents and Settings\Admin\Application Data\SSH
2007-12-01 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-01 23:28 --------- d-----w C:\Documents and Settings\Admin\Application Data\NewsBin
2007-11-20 03:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\SimCity Societies
2007-11-20 03:09 --------- d-----w C:\Program Files\Electronic Arts
2007-11-18 21:35 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-18 17:27 --------- d-----w C:\Documents and Settings\Admin\Application Data\EndNote
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-05 01:39 429 ----a-w C:\0030BD1CDE94__0-741837788253016.dat
2007-11-03 17:38 363,368 ----a-w C:\WINDOWS\system32\Incinerator.dll
2007-10-30 23:43 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 15:04 74,703 ----a-w C:\WINDOWS\system32\mfc45.dll
.

<pre>
----a-w 286,720 2007-12-25 19:45:49 C:\Program Files\QuickTime\QTTask .exe
----a-w 15,360 2007-12-30 16:08:50 C:\WINDOWS\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((( snapshot_2008-01-04_13.47.41.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-01-30 16:21:34 128,813 ----a-w C:\WINDOWS\system32\atiicdxx.dat
+ 2007-11-06 14:19:00 158,080 ----a-w C:\WINDOWS\system32\atiicdxx.dat
+ 2007-12-05 02:33:27 3,107,788 ----a-w C:\WINDOWS\system32\ativva5x.dat
+ 2007-12-05 02:33:27 887,724 ----a-w C:\WINDOWS\system32\ativva6x.dat
- 2007-02-02 19:40:11 3,107,788 ----a-w C:\WINDOWS\system32\ativvaxx.dat
+ 2007-12-05 02:33:27 3,107,788 ----a-w C:\WINDOWS\system32\ativvaxx.dat
- 2007-02-02 19:20:28 348,160 -c--a-w C:\WINDOWS\system32\dllcache\ati2cqag.dll
+ 2007-12-05 02:11:18 499,712 -c--a-w C:\WINDOWS\system32\dllcache\ati2cqag.dll
- 2007-02-02 20:03:43 264,704 -c--a-w C:\WINDOWS\system32\dllcache\ati2dvag.dll
+ 2007-12-05 03:04:08 269,312 -c--a-w C:\WINDOWS\system32\dllcache\ati2dvag.dll
- 2007-02-02 20:03:25 1,975,296 -c--a-w C:\WINDOWS\system32\dllcache\ati2mtag.sys
+ 2007-12-05 05:26:40 2,782,208 -c--a-w C:\WINDOWS\system32\dllcache\ati2mtag.sys
- 2007-02-02 19:46:45 2,827,968 -c--a-w C:\WINDOWS\system32\dllcache\ati3duag.dll
+ 2007-12-05 02:44:54 3,175,584 -c--a-w C:\WINDOWS\system32\dllcache\ati3duag.dll
- 2007-02-02 19:40:29 1,272,960 -c--a-w C:\WINDOWS\system32\dllcache\ativvaxx.dll
+ 2007-12-05 02:33:47 1,640,192 -c--a-w C:\WINDOWS\system32\dllcache\ativvaxx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-09-16 20:05:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" -atboottime

R2 BT848;BtCap, WDM Video Capture;C:\WINDOWS\system32\drivers\BT848.sys [2000-03-29 08:26]
R2 BTTUNER;BtTuner, WDM TvTuner;C:\WINDOWS\system32\drivers\BTTUNER.sys [2000-03-29 08:26]
R2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.sys [2000-03-29 08:26]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2005-06-10 08:01]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S3 BOCDRIVE;BOClean Kernel Monitor.;C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 15:10]
S3 PEEK5;PEEK5 Protocol Driver;C:\DOCUME~1\Admin\Desktop\WINDOW~1\AIRSNO~1.6_W\PEEK5.SYS []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 10:12:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-05 10:13:48
ComboFix-quarantined-files.txt 2008-01-05 16:13:38
ComboFix2.txt 2008-01-05 03:47:37
ComboFix3.txt 2008-01-05 03:05:11
ComboFix4.txt 2008-01-04 19:49:27

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:01 AM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\safer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188054514343
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.2.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFEF4629-A2C2-4568-A4C4-7413D063E329}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - c:\altera\72\quartus\bin\jtagserver.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7462 bytes

This is a relatively new infection so we are still working on a complete fix.

Go to your Add Remove Programs in the Control Panel and uninstall C:\Program Files\QuickTime

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


Boot back into Safemode and run this script again.

Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above RenV::



RenV::
----a-w 286,720 2007-12-25 19:45:49 C:\Program Files\QuickTime\QTTask .exe
----a-w 15,360 2007-12-30 16:08:50 C:\WINDOWS\system32\ctfmon .exe


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


Run this scanner from Nod32
ESET Online Scanner

Please go to the following link ESET Online Scanner Link (http://www.eset.com/onlinescan/)
Tick the box YES, I accept the Terms Of Use
Click the Start button
Now click the Install button
Click Start

The scanner engine will initialise and update

Do Not tick the box Remove found threats
Click the Scan button

The scan will now run, please be patient

When the scan finishes click the Details tab
Copy and paste the contents of the :\Program Files\EsetOnlineScanner\log.txt back here.


Let me see the new Combofix log, the ESET log and a New HJT log please

ComboFix 08-01-04.1 - Admin 2008-01-05 11:10:39.11 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.789 [GMT -6:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix(2).exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-04 21:22 . 2007-12-05 14:17 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-01-04 21:21 . 2008-01-04 21:21 <DIR> d-------- C:\Program Files\ATI Technologies
2008-01-04 20:57 . 2008-01-04 20:57 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-04 13:39 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 13:10 . 2008-01-04 13:10 <DIR> d-------- C:\VundoFix Backups
2008-01-02 10:58 . 2008-01-02 11:00 1,355 --a------ C:\WINDOWS\imsins.BAK
2007-12-30 15:13 . 2007-12-30 15:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-29 00:07 . 2007-12-29 00:07 <DIR> d-------- C:\Deckard
2007-12-28 20:01 . 2007-12-28 20:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-27 20:01 . 2007-12-28 16:12 1,031,259 --ahs---- C:\WINDOWS\system32\nscdapyd.ini
2007-12-26 19:27 . 2004-08-03 23:08 59,136 --a------ C:\WINDOWS\system32\drivers\GcKernel.sys
2007-12-26 19:27 . 2004-08-03 23:08 59,136 --a--c--- C:\WINDOWS\system32\dllcache\gckernel.sys
2007-12-26 19:27 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-12-26 19:27 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-12-26 19:27 . 2001-08-17 14:02 2,688 --a------ C:\WINDOWS\system32\drivers\HIDSwvd.sys
2007-12-26 19:27 . 2001-08-17 14:02 2,688 --a--c--- C:\WINDOWS\system32\dllcache\hidswvd.sys
2007-12-26 09:52 . 2007-12-26 10:01 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-26 09:52 . 2007-12-26 10:01 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-26 09:50 . 2007-12-26 09:50 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-26 09:50 . 2008-01-05 10:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-26 09:49 . 2008-01-05 11:08 5,653,792 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-26 09:49 . 2008-01-05 11:08 100,128 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-26 09:49 . 2008-01-05 11:08 78,884 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-26 09:49 . 2008-01-05 11:08 11,504 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-26 09:38 . 2007-12-26 09:38 <DIR> d-------- C:\KAV
2007-12-23 18:46 . 2007-12-23 18:46 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2007-12-23 18:46 . 2007-12-23 18:46 <DIR> d-------- C:\Program Files\MSECACHE
2007-12-23 18:25 . 2007-12-23 18:25 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-23 18:25 . 2007-12-23 18:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-23 18:15 . 2007-12-23 18:20 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-23 18:05 . 2007-12-23 18:05 <DIR> d-------- C:\Program Files\Comodo
2007-12-23 18:05 . 2007-11-26 10:38 238,848 --a------ C:\WINDOWS\UNBOC.EXE
2007-12-23 18:05 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2007-12-23 18:05 . 2004-08-03 23:56 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2007-12-22 14:47 . 2007-12-30 10:08 15,360 --------- C:\WINDOWS\system32\ctfmon .exe
2007-12-22 11:21 . 2008-01-04 21:12 381 --a------ C:\WINDOWS\wininit.ini
2007-12-20 11:26 . 2007-12-31 08:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-20 11:26 . 2007-12-20 11:26 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-19 21:59 . 2007-12-31 09:50 <DIR> d-------- C:\Program Files\QuickTime
2007-12-18 09:34 . 2007-12-19 17:32 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\DAEMON Tools
2007-12-18 09:29 . 2007-12-18 09:34 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2007-12-18 09:25 . 2007-12-18 09:25 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-18 08:50 . 2007-12-27 08:51 <DIR> d-------- C:\Program Files\LucasArts
2007-12-11 13:46 . 2007-12-11 13:46 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 13:46 . 2007-12-11 13:46 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-12-11 13:46 . 2007-12-11 13:46 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-12-11 13:45 . 2007-12-11 13:45 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 13:45 . 2007-12-11 13:45 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-11 13:43 . 2007-12-11 13:43 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-10 20:06 . 2007-12-10 20:06 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 16:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-05 16:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-05 03:15 --------- d-----w C:\Program Files\Google
2008-01-05 03:12 --------- d-----w C:\Program Files\Apple Software Update
2008-01-04 02:04 --------- d-----w C:\Program Files\Last.fm
2008-01-03 21:48 --------- d-----w C:\Documents and Settings\Admin\Application Data\uTorrent
2008-01-02 15:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-31 15:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-31 15:47 --------- d-----w C:\Program Files\Java
2007-12-26 15:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-25 23:25 --------- d-----w C:\Program Files\DivX
2007-12-24 01:49 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-24 00:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-20 17:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
2007-12-16 18:08 --------- d-----w C:\Program Files\ShurikSoft
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-11 19:44 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-12-11 19:44 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-11 19:44 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-11 19:44 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 19:44 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-11 19:44 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 19:44 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-11 19:44 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-12-11 19:44 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-05 05:26 2,782,208 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-12-05 03:05 368,640 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-12-05 03:04 269,312 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-12-05 02:56 147,456 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-12-05 02:55 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-12-05 02:55 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-12-05 02:54 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-12-05 02:53 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-12-05 02:53 495,616 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-12-05 02:48 9,535,488 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-12-05 02:44 3,175,584 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-12-05 02:33 1,640,192 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-12-05 02:19 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-12-05 02:19 385,024 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-12-05 02:17 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-12-05 02:16 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2007-12-05 02:14 180,224 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-12-05 02:11 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-12-02 16:56 321 ----a-w C:\license.dat
2007-12-02 16:37 --------- d-----w C:\Documents and Settings\Admin\Application Data\SSH
2007-12-01 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-01 23:28 --------- d-----w C:\Documents and Settings\Admin\Application Data\NewsBin
2007-11-20 03:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\SimCity Societies
2007-11-20 03:09 --------- d-----w C:\Program Files\Electronic Arts
2007-11-18 21:35 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-18 17:27 --------- d-----w C:\Documents and Settings\Admin\Application Data\EndNote
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-05 01:39 429 ----a-w C:\0030BD1CDE94__0-741837788253016.dat
2007-11-03 17:38 363,368 ----a-w C:\WINDOWS\system32\Incinerator.dll
2007-10-30 23:43 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 15:04 74,703 ----a-w C:\WINDOWS\system32\mfc45.dll
.

<pre>
----a-w 286,720 2007-12-25 19:45:49 C:\Program Files\QuickTime\QTTask .exe
------w 15,360 2007-12-30 16:08:50 C:\WINDOWS\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((( snapshot_2008-01-04_13.47.41.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-01-30 16:21:34 128,813 ----a-w C:\WINDOWS\system32\atiicdxx.dat
+ 2007-11-06 14:19:00 158,080 ----a-w C:\WINDOWS\system32\atiicdxx.dat
+ 2007-12-05 02:33:27 3,107,788 ----a-w C:\WINDOWS\system32\ativva5x.dat
+ 2007-12-05 02:33:27 887,724 ----a-w C:\WINDOWS\system32\ativva6x.dat
- 2007-02-02 19:40:11 3,107,788 ----a-w C:\WINDOWS\system32\ativvaxx.dat
+ 2007-12-05 02:33:27 3,107,788 ----a-w C:\WINDOWS\system32\ativvaxx.dat
- 2007-02-02 19:20:28 348,160 -c--a-w C:\WINDOWS\system32\dllcache\ati2cqag.dll
+ 2007-12-05 02:11:18 499,712 -c--a-w C:\WINDOWS\system32\dllcache\ati2cqag.dll
- 2007-02-02 20:03:43 264,704 -c--a-w C:\WINDOWS\system32\dllcache\ati2dvag.dll
+ 2007-12-05 03:04:08 269,312 -c--a-w C:\WINDOWS\system32\dllcache\ati2dvag.dll
- 2007-02-02 20:03:25 1,975,296 -c--a-w C:\WINDOWS\system32\dllcache\ati2mtag.sys
+ 2007-12-05 05:26:40 2,782,208 -c--a-w C:\WINDOWS\system32\dllcache\ati2mtag.sys
- 2007-02-02 19:46:45 2,827,968 -c--a-w C:\WINDOWS\system32\dllcache\ati3duag.dll
+ 2007-12-05 02:44:54 3,175,584 -c--a-w C:\WINDOWS\system32\dllcache\ati3duag.dll
- 2007-02-02 19:40:29 1,272,960 -c--a-w C:\WINDOWS\system32\dllcache\ativvaxx.dll
+ 2007-12-05 02:33:47 1,640,192 -c--a-w C:\WINDOWS\system32\dllcache\ativvaxx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-09-16 20:05:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" -atboottime

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S2 BT848;BtCap, WDM Video Capture;C:\WINDOWS\system32\drivers\BT848.sys [2000-03-29 08:26]
S2 BTTUNER;BtTuner, WDM TvTuner;C:\WINDOWS\system32\drivers\BTTUNER.sys [2000-03-29 08:26]
S2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.sys [2000-03-29 08:26]
S2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2005-06-10 08:01]
S3 BOCDRIVE;BOClean Kernel Monitor.;C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 15:10]
S3 PEEK5;PEEK5 Protocol Driver;C:\DOCUME~1\Admin\Desktop\WINDOW~1\AIRSNO~1.6_W\PEEK5.SYS []

*Newly Created Service* - BTTUNER
*Newly Created Service* - BTXBAR
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 11:16:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-05 11:17:39
ComboFix-quarantined-files.txt 2008-01-05 17:17:18
ComboFix2.txt 2008-01-05 16:13:48
ComboFix3.txt 2008-01-05 03:47:37
ComboFix4.txt 2008-01-05 03:05:11
ComboFix5.txt 2008-01-04 19:49:27

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:06 PM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\safer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188054514343
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.2.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFEF4629-A2C2-4568-A4C4-7413D063E329}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - c:\altera\72\quartus\bin\jtagserver.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7608 bytes

Win32/Adware.Virtumonde.FP application
C:\QooBox\Quarantine\catchme2007-1230_102617.15.zip>ZIP>mllmn.dll

Win32/Adware.Virtumonde.FP application
C:\QooBox\Quarantine\catchme2007-1230_102617.15.zip

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2766 (20080104)
# vers_arch_module=1.060 (20071228)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=a7f08374f2c31948b3fc055621eb1d66
# end=finished
# remove_checked=false
# unwanted_checked=false
# utc_time=2008-01-05 06:45:33
# local_time=2008-01-05 12:45:33 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=499771
# found=2
# scan_time=4841
C:\QooBox\Quarantine\catchme2007-12-30_102617.15.zip Win32/Adware.Virtumonde.FP application 9F0BAA88099723C5BA614737C5B7FC47
C:\QooBox\Quarantine\catchme2007-12-30_102617.15.zip »ZIP »mllmn.dll Win32/Adware.Virtumonde.FP application 00000000000000000000000000000000

Hello,

Again drag Combofix to the trash, a new version was just posted . What you want to do is shut down any Anti spyware or Anti Virus programs for running.

I am looking at Ad Aware and Kaspersky.

You need to Disable AdWatch in Ad-Aware Se Personal as it can stop our fix.

To Disable AdWatch

Open Ad-Aware SE Personal
Go to the AdWatch User Interface.
Go to Tools and Preferences.
At the bottom of the screen you will see 2 options
Active: This will turn Ad-Watch On\Off without closing it.
Automatic: Suspicious activity will be blocked automatically
Uncheck both options.
You should enable these after resolving your problem.

You should be able to right click on Kaspersky in the System Tray and shut it down or disable it


C:\QooBox <-- Delete this folder


Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Check the version number , it should be 08-01-05.8.



Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above RenV::



File::
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\nscdapyd.ini

Folder::
C:\VundoFix Backups

RenV::
----a-w 286,720 2007-12-25 19:45:49 C:\Program Files\QuickTime\QTTask .exe
------w 15,360 2007-12-30 16:08:50 C:\WINDOWS\system32\ctfmon .exe


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:10:07 PM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Trend Micro\HijackThis\safer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188054514343
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.2.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFEF4629-A2C2-4568-A4C4-7413D063E329}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - c:\altera\72\quartus\bin\jtagserver.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7468 bytes

ComboFix 08-01-04.1 - Admin 2008-01-05 15:53:14.12 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.570 [GMT -6:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\nscdapyd.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\nscdapyd.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-05 15:53 . 2007-12-30 10:08 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-05 15:53 . 2007-12-30 10:08 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-05 11:23 . 2008-01-05 12:45 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-01-04 21:22 . 2007-12-05 14:17 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-01-04 21:21 . 2008-01-04 21:21 <DIR> d-------- C:\Program Files\ATI Technologies
2008-01-04 20:57 . 2008-01-04 20:57 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-04 13:39 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-30 15:13 . 2007-12-30 15:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-29 00:07 . 2007-12-29 00:07 <DIR> d-------- C:\Deckard
2007-12-28 20:01 . 2007-12-28 20:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-26 19:27 . 2004-08-03 23:08 59,136 --a------ C:\WINDOWS\system32\drivers\GcKernel.sys
2007-12-26 19:27 . 2004-08-03 23:08 59,136 --a--c--- C:\WINDOWS\system32\dllcache\gckernel.sys
2007-12-26 19:27 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-12-26 19:27 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-12-26 19:27 . 2001-08-17 14:02 2,688 --a------ C:\WINDOWS\system32\drivers\HIDSwvd.sys
2007-12-26 19:27 . 2001-08-17 14:02 2,688 --a--c--- C:\WINDOWS\system32\dllcache\hidswvd.sys
2007-12-26 09:52 . 2007-12-26 10:01 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-26 09:52 . 2007-12-26 10:01 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-26 09:50 . 2007-12-26 09:50 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-26 09:50 . 2008-01-05 11:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-26 09:49 . 2008-01-05 15:58 16,056,352 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-26 09:49 . 2008-01-05 15:58 103,456 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-26 09:49 . 2008-01-05 11:08 78,884 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-26 09:49 . 2008-01-05 11:08 11,504 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-26 09:38 . 2007-12-26 09:38 <DIR> d-------- C:\KAV
2007-12-23 18:46 . 2007-12-23 18:46 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2007-12-23 18:46 . 2007-12-23 18:46 <DIR> d-------- C:\Program Files\MSECACHE
2007-12-23 18:25 . 2007-12-23 18:25 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-23 18:25 . 2007-12-23 18:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-23 18:15 . 2007-12-23 18:20 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-23 18:05 . 2007-12-23 18:05 <DIR> d-------- C:\Program Files\Comodo
2007-12-23 18:05 . 2007-11-26 10:38 238,848 --a------ C:\WINDOWS\UNBOC.EXE
2007-12-23 18:05 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2007-12-23 18:05 . 2004-08-03 23:56 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2007-12-22 11:21 . 2008-01-04 21:12 381 --a------ C:\WINDOWS\wininit.ini
2007-12-20 11:26 . 2007-12-31 08:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-20 11:26 . 2007-12-20 11:26 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-18 09:34 . 2007-12-19 17:32 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\DAEMON Tools
2007-12-18 09:29 . 2007-12-18 09:34 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2007-12-18 09:25 . 2007-12-18 09:25 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-18 08:50 . 2007-12-27 08:51 <DIR> d-------- C:\Program Files\LucasArts
2007-12-11 13:46 . 2007-12-11 13:46 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 13:46 . 2007-12-11 13:46 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-12-11 13:46 . 2007-12-11 13:46 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-12-11 13:45 . 2007-12-11 13:45 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 13:45 . 2007-12-11 13:45 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-11 13:43 . 2007-12-11 13:43 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-10 20:06 . 2007-12-10 20:06 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 16:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-05 16:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-05 03:15 --------- d-----w C:\Program Files\Google
2008-01-05 03:12 --------- d-----w C:\Program Files\Apple Software Update
2008-01-04 02:04 --------- d-----w C:\Program Files\Last.fm
2008-01-03 21:48 --------- d-----w C:\Documents and Settings\Admin\Application Data\uTorrent
2008-01-02 15:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-31 15:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-31 15:47 --------- d-----w C:\Program Files\Java
2007-12-26 15:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-25 23:25 --------- d-----w C:\Program Files\DivX
2007-12-24 01:49 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-24 00:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-20 17:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
2007-12-16 18:08 --------- d-----w C:\Program Files\ShurikSoft
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-11 19:44 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-12-11 19:44 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-11 19:44 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-11 19:44 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 19:44 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-11 19:44 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 19:44 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-11 19:44 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-12-11 19:44 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-05 05:26 2,782,208 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-12-05 03:05 368,640 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-12-05 03:04 269,312 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-12-05 02:56 147,456 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-12-05 02:55 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-12-05 02:55 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-12-05 02:54 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-12-05 02:53 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-12-05 02:53 495,616 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-12-05 02:48 9,535,488 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-12-05 02:44 3,175,584 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-12-05 02:33 1,640,192 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-12-05 02:19 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-12-05 02:19 385,024 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-12-05 02:17 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-12-05 02:16 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2007-12-05 02:14 180,224 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-12-05 02:11 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-12-02 16:56 321 ----a-w C:\license.dat
2007-12-02 16:37 --------- d-----w C:\Documents and Settings\Admin\Application Data\SSH
2007-12-01 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-01 23:28 --------- d-----w C:\Documents and Settings\Admin\Application Data\NewsBin
2007-11-20 03:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\SimCity Societies
2007-11-20 03:09 --------- d-----w C:\Program Files\Electronic Arts
2007-11-18 21:35 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-18 17:27 --------- d-----w C:\Documents and Settings\Admin\Application Data\EndNote
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-05 01:39 429 ----a-w C:\0030BD1CDE94__0-741837788253016.dat
2007-11-03 17:38 363,368 ----a-w C:\WINDOWS\system32\Incinerator.dll
2007-10-30 23:43 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 15:04 74,703 ----a-w C:\WINDOWS\system32\mfc45.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-09-16 20:05:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" -atboottime

R2 BT848;BtCap, WDM Video Capture;C:\WINDOWS\system32\drivers\BT848.sys [2000-03-29 08:26]
R2 BTTUNER;BtTuner, WDM TvTuner;C:\WINDOWS\system32\drivers\BTTUNER.sys [2000-03-29 08:26]
R2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.sys [2000-03-29 08:26]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2005-06-10 08:01]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S3 BOCDRIVE;BOClean Kernel Monitor.;C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 15:10]
S3 PEEK5;PEEK5 Protocol Driver;C:\DOCUME~1\Admin\Desktop\WINDOW~1\AIRSNO~1.6_W\PEEK5.SYS []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 15:59:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-05 16:00:35
ComboFix-quarantined-files.txt 2008-01-05 22:00:28
ComboFix2.txt 2008-01-05 17:17:39

Just FYI I didn't know Adware and Kaspersky was running. They were not in my system tray. I downloaded both versions of combofix and both were version 4.1.

By Jove...you've done it :bigthumb:

C:\Program Files\QuickTime <-- Delete this entire folder, if you use it just redownload and install it.

If you can be seated where I am and saw all the new threats coming down the pike, it would make you lose the rest of your hair, some threats are so bad that the only alternative is to reformat and install a fresh copy of windows. You don't want to do that do you ????????

You need to be extremely careful on what you download and the email attachments that you open, also you need to be more careful of the sites you access. Porn and File Sharing are disasters waiting to happen.

How is your system running now ?????

Everything is running great. Kaspersky isn't popping up when I get to the desktop. I really did not want to reinstall but I was afraid I was going to have to go there. I could just imagine how much worse it is going to get. At least we got people like you and others who are putting up the good fight. Thank you so much for your help!!

Your very welcome :bigthumb:


Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad ? I mean really mad, seething mad, so mad your ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscredents, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney Generals Office and the Federal Trade Commission's Bureau of Consumer Protection.


How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0.0.6 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I wouldn't access the internet without it.


Glad we could help

Safe Surfn
Ken