Having some difficulty getting rid of virtumonde.



timeforserious
2008-02-07, 01:47
I have run countless scans and gone through recovery and immunization, all to no avail. Any idea why virtumonde keeps showing back up every time I do another scan? It also might help to mention that I've been getting DLL errors, but I guess that comes with the virtumonde territory. Any help would be greatly appreciated. Thanks.

PS Here is the log from HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:52:35 PM, on 2/6/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Users\Sal\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5E85C971-F9E7-4F4D-A059-14FA00220C7A} - C:\Users\Sal\AppData\Local\Temp\mlljj.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Sal\AppData\Local\Temp\tuvss.dll,c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MS Juan] rundll32 "C:\Users\Sal\AppData\Local\Temp\pkogpdnq.dll",run
O4 - HKCU\..\Run: [6453e4eb] rundll32.exe "C:\Users\Sal\AppData\Local\Temp\tswocoje.dll",b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9724 bytes

timeforserious
2008-02-07, 20:55
I saw that someone had a similar problem in another thread and ran VundoFix and ComboFix. After scanning with VundoFix and finding no viruses, I ran ComboFix. Here is the log:

ComboFix 08-02.05.3 - Sal 2008-02-07 13:37:06.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1217 [GMT -5:00]
Running from: C:\Users\Sal\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\drivers\npf.sys
C:\Windows\system32\packet.dll
C:\Windows\system32\pthreadVC.dll
C:\Windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\NPF


((((((((((((((((((((((((( Files Created from 2008-01-07 to 2008-02-07 )))))))))))))))))))))))))))))))
.

2008-02-07 00:44 . 2008-02-07 00:47 <DIR> d-------- C:\Halfwayto Hell Club
2008-02-07 00:22 . 2008-02-07 00:22 <DIR> d-------- C:\Users\Sal\AppData\Roaming\PCF-VLC
2008-02-07 00:00 . 2004-02-27 00:00 962,612 --a------ C:\Windows\System32\MFC42D.DLL
2008-02-07 00:00 . 2004-02-17 00:00 434,252 --a------ C:\Windows\System32\MSVCRTD.DLL
2008-02-07 00:00 . 2004-02-27 00:00 61,493 --a------ C:\Windows\System32\MFCN42D.DLL
2008-02-06 23:39 . 2008-02-07 00:02 <DIR> d-------- C:\Program Files\WinPcap
2008-02-06 23:39 . 2008-02-07 00:02 <DIR> d-------- C:\Program Files\Net Tools
2008-02-06 18:29 . 2008-02-06 18:30 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-02-06 18:29 . 2008-02-06 18:30 <DIR> d-------- C:\ProgramData\Lavasoft
2008-02-06 18:29 . 2008-02-06 18:29 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-06 18:29 . 2008-02-06 18:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-06 18:28 . 2008-02-06 20:19 524,288 --ahs---- C:\ntuser.dat{a7dcdf0e-d503-11dc-b0a4-0015c57f2bc2}.TMContainer00000000000000000002.regtrans-ms
2008-02-06 18:28 . 2008-02-06 20:19 524,288 --ahs---- C:\ntuser.dat{a7dcdf0e-d503-11dc-b0a4-0015c57f2bc2}.TMContainer00000000000000000001.regtrans-ms
2008-02-06 18:28 . 2008-02-06 20:19 65,536 --ahs---- C:\ntuser.dat{a7dcdf0e-d503-11dc-b0a4-0015c57f2bc2}.TM.blf
2008-02-06 17:32 . 2008-02-06 17:32 691,545 --a------ C:\Windows\unins000.exe
2008-02-06 17:32 . 2008-02-06 17:32 3,436 --a------ C:\Windows\unins000.dat
2008-02-05 17:46 . 2008-02-06 20:19 262,144 --a------ C:\ntuser.dat
2008-02-05 17:46 . 2008-02-06 20:19 5,120 --ah----- C:\ntuser.dat.LOG1
2008-02-05 17:46 . 2008-02-06 18:28 0 --ah----- C:\ntuser.dat.LOG2
2008-02-05 15:53 . 2008-02-05 15:53 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-05 13:34 . 2008-02-05 13:34 <DIR> d-------- C:\VundoFix Backups
2008-02-04 23:50 . 2008-02-07 00:20 <DIR> d-------- C:\Users\Sal\AppData\Roaming\U3
2008-02-04 22:53 . 2008-02-06 21:59 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-02-04 22:53 . 2008-02-06 21:59 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-02-04 22:53 . 2008-02-06 18:27 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-28 18:13 . 2008-01-30 21:30 <DIR> d-------- C:\Users\Sal\AppData\Roaming\HP
2008-01-28 18:13 . 2008-01-28 18:13 <DIR> d-------- C:\Users\All Users\WEBREG
2008-01-28 18:13 . 2008-01-28 18:13 <DIR> d-------- C:\ProgramData\WEBREG
2008-01-28 18:06 . 2008-01-28 18:06 <DIR> d-------- C:\Users\Sal\AppData\Roaming\Printer Info Cache
2008-01-28 18:06 . 2008-01-29 18:07 <DIR> d-------- C:\Users\Sal\AppData\Roaming\Image Zone Express
2008-01-28 18:03 . 2008-01-28 18:03 <DIR> d-------- C:\Users\All Users\HPSSUPPLY
2008-01-28 18:03 . 2008-01-28 18:03 <DIR> d-------- C:\ProgramData\HPSSUPPLY
2008-01-28 18:00 . 2008-01-28 18:00 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-01-28 18:00 . 2008-01-28 18:02 <DIR> d-------- C:\Program Files\Common Files\HP
2008-01-28 18:00 . 2008-01-28 18:00 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-01-28 17:57 . 2008-01-28 18:03 <DIR> d-------- C:\Program Files\HP
2008-01-28 17:56 . 2008-01-28 18:15 <DIR> d-------- C:\Users\All Users\HP
2008-01-28 17:56 . 2008-01-28 18:15 <DIR> d-------- C:\ProgramData\HP
2008-01-28 17:56 . 2006-12-16 01:19 675,840 --a------ C:\Windows\System32\SET2AE0.tmp
2008-01-28 17:56 . 2006-12-16 01:19 573,440 --a------ C:\Windows\System32\SET2F27.tmp
2008-01-28 17:56 . 2006-12-16 01:19 303,104 --a------ C:\Windows\System32\hpovst01.dll
2008-01-28 17:56 . 2006-11-20 16:36 258,048 --a------ C:\Windows\System32\hpzids01.dll
2008-01-28 17:56 . 2008-01-28 18:13 148,903 --a------ C:\Windows\hpoins19.dat
2008-01-28 17:56 . 2007-03-13 14:52 26,952 --a------ C:\Windows\hpomdl19.dat
2008-01-27 18:45 . 2008-01-28 13:23 <DIR> d-------- C:\Templates
2008-01-27 18:10 . 2008-01-27 18:10 <DIR> d-------- C:\Users\All Users\FLEXnet
2008-01-27 18:10 . 2008-01-27 18:10 <DIR> d-------- C:\ProgramData\FLEXnet
2008-01-27 18:00 . 2008-01-27 18:00 <DIR> d-------- C:\Program Files\Bonjour
2008-01-27 17:48 . 2008-01-27 17:48 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-01-20 03:56 . 2008-01-20 03:56 <DIR> d-------- C:\Program Files\iPod
2008-01-20 03:56 . 2008-01-20 03:56 54,156 --ah----- C:\Windows\QTFont.qfn
2008-01-20 03:56 . 2008-01-20 03:56 1,409 --a------ C:\Windows\QTFont.for
2008-01-20 03:55 . 2008-01-20 03:56 <DIR> d-------- C:\Program Files\iTunes
2008-01-19 12:22 . 2008-01-20 09:21 <DIR> d-------- C:\Users\All Users\NVIDIA
2008-01-19 12:22 . 2008-01-20 09:21 <DIR> d-------- C:\ProgramData\NVIDIA
2008-01-18 17:22 . 2008-01-18 17:22 <DIR> d-------- C:\Windows\nvtmpinst
2008-01-18 17:20 . 2008-01-18 17:20 802,816 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-01-18 17:20 . 2008-01-18 17:20 216,760 --a------ C:\Windows\System32\drivers\netio.sys
2008-01-18 17:20 . 2008-01-18 17:20 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-01-18 17:20 . 2008-01-18 17:20 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-01-18 17:20 . 2008-01-18 17:20 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-01-18 17:19 . 2008-01-18 17:19 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-18 17:19 . 2008-01-18 17:19 1,686,016 --a------ C:\Windows\System32\gameux.dll
2008-01-18 17:19 . 2008-01-18 17:19 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-01-18 17:18 . 2008-01-18 17:18 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys
2008-01-18 17:18 . 2008-01-18 17:18 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-01-18 17:18 . 2008-01-18 17:18 110,136 --a------ C:\Windows\System32\drivers\ataport.sys
2008-01-18 17:18 . 2008-01-18 17:18 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-01-18 17:18 . 2008-01-18 17:18 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-01-18 17:18 . 2008-01-18 17:18 15,928 --a------ C:\Windows\System32\drivers\pciide.sys
2008-01-18 17:18 . 2008-01-18 17:18 11,776 --a------ C:\Windows\System32\sbunattend.exe
2008-01-17 16:29 . 2008-01-17 16:29 <DIR> d-------- C:\Users\Sal\AppData\Roaming\tmp
2008-01-17 16:29 . 2008-01-17 16:29 <DIR> d-------- C:\Users\Sal\AppData\Roaming\Reallusion
2008-01-17 14:11 . 2008-01-17 14:11 <DIR> dr------- C:\Windows\System32\config\systemprofile\Music
2008-01-17 13:49 . 2008-01-19 13:30 <DIR> d-------- C:\Program Files\Mediafour
2008-01-17 13:28 . 1998-10-29 16:45 306,688 --a------ C:\Windows\IsUninst.exe
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\Windows\System32\QuickTime.qts

.

timeforserious
2008-02-07, 20:56
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 01:15 171,189 ----a-w C:\Users\Sal\AppData\Roaming\nvModes.dat
2008-02-07 00:10 22,328 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys
2008-02-07 00:10 103,736 ----a-w C:\Windows\System32\PnkBstrB.exe
2008-02-02 01:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-31 03:56 --------- d-----w C:\Users\Sal\AppData\Roaming\Digidesign
2008-01-27 23:00 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-21 20:26 --------- d-----w C:\Program Files\Participatory Culture Foundation
2008-01-20 14:24 --------- d-----w C:\Program Files\Windows Mail
2008-01-20 08:54 --------- d-----w C:\Program Files\QuickTime
2008-01-18 22:19 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-18 22:19 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-18 22:19 2,144,768 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-18 22:19 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-18 22:18 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-08 07:59 --------- d-----w C:\Users\Sal\AppData\Roaming\CyberLink
2007-12-20 04:07 66,872 ----a-w C:\Windows\System32\PnkBstrA.exe
2007-12-19 23:16 --------- d-----w C:\Program Files\Logitech
2007-12-19 23:16 --------- d-----w C:\Program Files\Common Files\Logitech
2007-12-18 22:25 22,328 ----a-w C:\Users\Sal\AppData\Roaming\PnkBstrK.sys
2007-12-18 22:07 --------- d-----w C:\Program Files\Activision
2007-12-16 21:22 --------- d-----w C:\Users\Sal\AppData\Roaming\PACE Anti-Piracy
2007-12-16 21:22 --------- d-----w C:\ProgramData\PACE Anti-Piracy
2007-12-16 21:22 --------- d-----w C:\Program Files\Common Files\PACE Anti-Piracy
2007-12-16 21:16 --------- d-----w C:\Program Files\InterLok
2007-12-16 21:15 --------- d-----w C:\Program Files\Digidesign
2007-12-16 21:13 --------- d-----w C:\Program Files\Common Files\Digidesign
2007-12-16 20:57 --------- d-----w C:\Program Files\Microsoft Virtual PC
2007-12-16 20:08 --------- d-----w C:\Program Files\iLok
2007-12-16 19:20 60,968 ----a-w C:\Users\Sal\GoToAssistDownloadHelper.exe
2007-12-16 19:20 --------- d-----w C:\ProgramData\Citrix
2007-12-16 19:20 --------- d-----w C:\Program Files\Citrix
2007-12-16 18:07 --------- d-----w C:\Program Files\Initio
2007-12-16 17:38 --------- d-----w C:\Users\Sal\AppData\Roaming\InstallShield
2007-12-16 17:38 --------- d-----w C:\Program Files\M-Audio
2007-12-14 16:32 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2007-12-14 00:21 --------- d-----w C:\Program Files\Common Files\Nero
2007-12-14 00:17 --------- d-----w C:\ProgramData\Nero
2007-12-13 00:05 --------- d-----w C:\Users\Sal\AppData\Roaming\Creative
2007-12-12 08:07 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-12 08:07 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-12 08:07 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-12 08:05 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2007-12-12 08:05 824,832 ----a-w C:\Windows\System32\wininet.dll
2007-12-12 08:05 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2007-12-12 08:05 56,320 ----a-w C:\Windows\System32\iesetup.dll
2007-12-12 08:05 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-12-12 08:05 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-12-12 08:05 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2007-12-12 08:05 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2007-12-12 08:02 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-12-12 08:02 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe
2007-12-10 03:36 --------- d-----w C:\Users\Sal\AppData\Roaming\acccore
2007-12-10 03:36 --------- d-----w C:\ProgramData\AOL OCP
2007-12-10 03:35 --------- d-----w C:\ProgramData\AOL
2007-12-10 03:35 --------- d-----w C:\Program Files\AIM6
2007-12-10 03:28 --------- d-----w C:\Program Files\Viewpoint
2007-12-10 03:26 --------- d-----w C:\ProgramData\Viewpoint
2007-12-10 03:25 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-09 18:42 --------- d-----w C:\ProgramData\Microsoft Help
2007-12-09 18:40 --------- d-----w C:\Program Files\Microsoft Works
2007-12-09 18:39 --------- d-----w C:\Program Files\MSBuild
2007-12-09 18:37 --------- d-----w C:\Program Files\Microsoft.NET
2007-12-09 18:35 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-12-09 08:11 --------- d--h--w C:\Program Files\Creative Installation Information
2007-12-08 19:19 --------- d-----w C:\Program Files\MagicDisc
2007-12-08 08:08 --------- d-----w C:\Users\Sal\AppData\Roaming\Talkback
2007-12-08 01:54 --------- d-----w C:\ProgramData\Creative
2007-12-08 00:15 --------- d-----w C:\Users\Sal\AppData\Roaming\Nero
2007-12-08 00:11 --------- d-----w C:\Program Files\Nero
2007-12-08 00:01 --------- d-----w C:\Program Files\AskTBar
2007-12-07 23:57 --------- d-----w C:\Program Files\MagicISO
2007-12-07 17:53 --------- d-----w C:\ProgramData\Dell
2007-12-07 01:47 --------- d-----w C:\ProgramData\SupportSoft
2007-12-07 01:46 --------- d-----w C:\Program Files\Dell Support Center
2007-12-07 01:46 --------- d-----w C:\Program Files\Common Files\supportsoft
2007-12-07 01:34 --------- d-----w C:\Program Files\PowerISO
2007-12-04 06:05 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2007-12-04 06:05 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2007-12-04 06:05 542,720 ----a-w C:\Windows\System32\sysmain.dll
2007-12-04 06:05 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2007-12-04 06:05 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2007-12-04 06:05 299,008 ----a-w C:\Windows\System32\wlansec.dll
2007-12-04 06:05 289,280 ----a-w C:\Windows\System32\wlanmsm.dll
2007-12-04 06:05 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2007-12-04 06:05 2,923,520 ----a-w C:\Windows\explorer.exe
2007-12-04 06:05 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2007-12-04 06:03 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2007-12-04 06:03 7,680 ----a-w C:\Windows\System32\spwmp.dll
2007-12-04 06:03 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2007-12-04 06:03 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2007-12-04 06:01 84,480 ----a-w C:\Windows\System32\INETRES.dll
2007-12-04 06:01 788,992 ----a-w C:\Windows\System32\rpcrt4.dll
2007-12-04 06:01 737,792 ----a-w C:\Windows\System32\inetcomm.dll
2007-12-04 06:01 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2007-12-04 05:55 53,080 ----a-w C:\Windows\System32\wuauclt.exe
2007-12-04 05:55 43,352 ----a-w C:\Windows\System32\wups2.dll
2007-12-04 05:55 1,712,984 ----a-w C:\Windows\System32\wuaueng.dll
2007-12-04 05:55 1,524,224 ----a-w C:\Windows\System32\wucltux.dll
2007-12-04 05:54 80,896 ----a-w C:\Windows\System32\wudriver.dll
2007-12-04 05:54 549,720 ----a-w C:\Windows\System32\wuapi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 07:35 125440]
"Aim6"="" []
"Start WingMan Profiler"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-11-27 14:33 1006264]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-10 02:00 857648]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 11:22 221184]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 04:45 222208]
"DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [2007-10-31 00:35 77824]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-10-04 21:24 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-10-04 21:24 8497696]
"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2007-10-04 21:24 86016]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - C:\Program Files\Dell\QuickSet\quickset.exe [2007-07-20 19:13:26 1180952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\Windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\6453e4eb]
--------- 2008-02-01 18:36 92224 C:\Users\Sal\AppData\Local\Temp\hhpusejj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-10-04 10:20 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-10-23 14:18 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative MediaSource Go]
C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
--------- 2007-07-27 17:43 118784 C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 13:09 460784 C:\Program Files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
--a------ 2007-11-15 09:23 202544 C:\Program Files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-11-15 09:24 16384 C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
--a------ 2007-05-25 01:03 17920 C:\Dell\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2007-11-27 07:15 1838592 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-12-10 21:52 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2006-10-03 12:35 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-10-03 12:37 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MAFWTaskbarApp]
--a------ 2007-06-28 09:36 184320 C:\Windows\system32\MAFWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MS Juan]
--------- 2008-02-01 12:35 92736 C:\Users\Sal\AppData\Local\Temp\byeoituj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
C:\Users\Sal\AppData\Local\Temp\mlljj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-09-20 08:51 1836328 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-10-04 21:24 81920 C:\Windows\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
--a------ 2007-08-29 00:54 36864 C:\Windows\OEM02Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
--a------ 2007-08-27 04:21 1807696 C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2007-04-16 17:10 184320 C:\Program Files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 19:05 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2007-09-07 13:23 405504 C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
--a------ 2008-01-23 14:48 344064 C:\Program Files\Enigma Software Group\SpyHunter\SHStartup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 C:\Windows\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
--------- 2006-11-27 09:14 180224 C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe

R1 DLARTL_M;DLARTL_M;C:\Windows\system32\Drivers\DLARTL_M.SYS [2007-02-08 20:05]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot []
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service []
R2 SpyHunter3 Service;SpyHunter3 Service;"C:\Program Files\Enigma Software Group\SpyHunter\SHService.exe" [2008-01-23 14:48]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-05-24 07:35]
R3 NETw4v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit;C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-08-13 04:44]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\Windows\system32\DRIVERS\OEM02Dev.sys [2007-10-10 17:03]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\Windows\system32\DRIVERS\OEM02Vfx.sys [2007-08-29 00:55]
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service []
S3 iLokDrvr;iLok;C:\Windows\system32\DRIVERS\iLokDrvr.sys [2007-09-05 12:05]
S3 MAFW;%FW.SvcDesc%;C:\Windows\system32\DRIVERS\mafw.sys [2007-06-28 09:35]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 02:36]
S4 AESTFilters;Andrea ST Filters Service;C:\Windows\system32\aestsrv.exe [2007-08-29 16:25]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 13:45:09
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.EXE [6.00.6000.16549]
-> C:\Windows\system32\DLAAPI_W.DLL
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\system32\WLANExt.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Windows\system32\CTsvcCDA.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\STacSV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Windows\system32\msiexec.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tsc.exe
.
**************************************************************************
.
Completion time: 2008-02-07 13:48:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-07 18:48:35
.
2008-01-20 14:24:26 --- E O F ---