Thread: popups (Virtumonde)

#1 - Member, joined Mar 2007, 43 posts

popups (Virtumonde)

I'm getting random popups. The most annoying of them seem to pop up when I'm moving through my desktop folders; next thing, it seems like I'm on the internet without ever clicking a browser icon.

Spybot keeps asking for a reboot to get rid of the memory-resident problem, but it keeps popping back after every reboot.

kbdros.dll is what Spybot keeps trying to get rid of, and I see that in my HJT log also.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:37:48 PM, on 8/23/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Cyberlink\Shared files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\System32\svchost.exe
    I:\Extensis\Suitcase 9.2\Suitcase.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Extensis\Extensis Suitcase 11\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {b3425a10-e832-40d2-86ba-72df0b75f203} - C:\WINDOWS\system32\kbdros.dll
    O2 - BHO: (no name) - {d028f273-3fce-42a5-881a-29a58de9942d} - C:\WINDOWS\system32\FM2til.dll (file missing)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\WINDOWS\system32\kbdros.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\WINDOWS\system32\kbdros.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'c:\program files\extensis\extensis suitcase 11\bonjour\mdnsnsp.dll' missing
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1179941093515
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O20 - AppInit_DLLs: c:\windows\system32\pmnnopp.dll
    O20 - Winlogon Notify: FM2til - FM2til.dll (file missing)
    O20 - Winlogon Notify: kbdros - C:\WINDOWS\SYSTEM32\kbdros.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Extensis\Extensis Suitcase 11\Bonjour\mDNSResponder.exe (file missing)
    O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

    --
    End of file - 6934 bytes
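
Reading the log in #1 the way a helper does: the same DLL, kbdros.dll, is registered three separate ways (an unnamed O2 BHO, the target of the "Send to OneNote" O9 button CLSID, and an O20 Winlogon Notify handler), a second DLL, pmnnopp.dll, sits in AppInit_DLLs, and FM2til.dll is still registered although the file is gone. The script below is an added example, not code from this thread, from Team Spybot or from the HijackThis project. It parses the O-lines HJT emits, flags the load points Virtumonde typically abuses, and cross-references every file so a DLL hooked into several mechanisms stands out. The sample lines are excerpted from the log above; the only outside knowledge it carries is that the OneNote button CLSID normally maps to ONBttnIE.dll, which is what the cleaned log in #6 later shows.

```python
"""Triage HijackThis O-lines for Virtumonde-style persistence.

Added example: not code from the forum thread, from Team Spybot or from
the HijackThis project. Parses O2/O9/O20/O23 lines and flags the load
points Virtumonde (Vundo) abuses, then cross-references the files.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample input: lines excerpted from the HJT log in post #1.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {b3425a10-e832-40d2-86ba-72df0b75f203} - C:\WINDOWS\system32\kbdros.dll
O2 - BHO: (no name) - {d028f273-3fce-42a5-881a-29a58de9942d} - C:\WINDOWS\system32\FM2til.dll (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\WINDOWS\system32\kbdros.dll
O20 - AppInit_DLLs: c:\windows\system32\pmnnopp.dll
O20 - Winlogon Notify: FM2til - FM2til.dll (file missing)
O20 - Winlogon Notify: kbdros - C:\WINDOWS\SYSTEM32\kbdros.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# CLSIDs with a known owner file. The OneNote button mapping is taken from
# the cleaned log in post #6, where the same CLSID points at ONBttnIE.dll.
KNOWN_CLSID_FILE = {
    "{2670000a-7350-4f3c-8081-5663ee0c6c49}": "onbttnie.dll",
}

LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)


@dataclass
class Entry:
    section: str            # O2, O9, O20, O23 ...
    kind: str               # BHO, AppInit_DLLs, Winlogon Notify, Service ...
    body: str               # everything after "kind: "
    path: str               # last " - " separated field, lower-cased
    missing: bool           # HJT appended "(file missing)"
    clsid: Optional[str]

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_hjt(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # R0/R1 and header lines are not load points
        section, kind, body = m.groups()
        target = body.split(" - ")[-1]
        missing = target.endswith("(file missing)")
        target = target.replace("(file missing)", "").strip().lower()
        c = CLSID_RE.search(body)
        entries.append(Entry(section, kind, body, target, missing,
                             c.group(0).lower() if c else None))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (severity, basename, reason) findings for the parsed entries."""
    findings = []
    by_file = defaultdict(set)            # basename -> set of mechanisms loading it
    for e in entries:
        by_file[e.basename].add(e.kind)
        if e.missing:
            findings.append(("medium", e.basename,
                             f"{e.kind} still registered but the file is gone (dangling load point)"))
        if e.kind == "AppInit_DLLs":
            findings.append(("high", e.basename,
                             "AppInit_DLLs injects this DLL into every process that loads user32"))
        if e.kind == "Winlogon Notify" and not e.missing:
            findings.append(("high", e.basename,
                             "Winlogon Notify DLL runs inside winlogon.exe at every logon"))
        if e.kind == "BHO" and e.body.startswith("(no name)") and not e.missing:
            findings.append(("medium", e.basename,
                             "unnamed BHO loads into every Internet Explorer window"))
        expected = KNOWN_CLSID_FILE.get(e.clsid or "")
        if expected and e.basename != expected:
            findings.append(("high", e.basename,
                             f"CLSID {e.clsid} normally maps to {expected}; redirected"))
    for name, kinds in by_file.items():
        if len(kinds) >= 2:
            findings.append(("high", name,
                             "same file hooked via " + ", ".join(sorted(kinds))))
    return findings


def flagged_files(findings: List[Tuple[str, str, str]]) -> Set[str]:
    return {name for _, name, _ in findings}


if __name__ == "__main__":
    for sev, name, why in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{sev:6}] {name:14} {why}")
```

Run it against a saved HJT log by passing the file contents to parse_hjt. The multi-mechanism check is the one that matters most here: legitimate software rarely registers the same DLL as a BHO, a toolbar button target and a Winlogon Notify handler, whereas Vundo does exactly that so that whichever hook the cleaner misses reinstalls the rest after the reboot the poster describes.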

#2 - tashi, Member of Team Spybot, joined Oct 2005, USA, 30,961 posts

    Hello.

    Your previous help topic was closed by Shaba 2007-08-14, due to lack of a response.

    http://forums.spybot.info/showthread.php?t=16654
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

#3 - Member, joined Mar 2007, 43 posts

I saw that the message was closed. I was away from the computer for a week as my son was being born; I spent a lot of time in the hospital for my wife's C-section.

I still need help please; the problem is getting worse.

#4 - tashi, Member of Team Spybot, joined Oct 2005, USA, 30,961 posts

    Congratulations! I will let Shaba know you are back.

#5 - Security Expert: Emeritus, joined Oct 2006, Finland, 29,374 posts

    Hi abowlofsoda

    Delete any previous copies of combofix

    After that:

    1. Download combofix from one of these links:
    Link1
    Link2
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

    Post:

    - a fresh Hijackthis log
    - combofix report
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

#6 - Member, joined Mar 2007, 43 posts

Thank you, Tashi.

And thank you so much, Shaba, for the help! I really appreciate everything you both do.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:07:04 AM, on 8/24/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Cyberlink\Shared files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\utorrent\utorrent.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Administrator\Desktop\report.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {d028f273-3fce-42a5-881a-29a58de9942d} - C:\WINDOWS\system32\FM2til.dll (file missing)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1179941093515
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O20 - Winlogon Notify: FM2til - FM2til.dll (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Extensis\Extensis Suitcase 11\Bonjour\mDNSResponder.exe (file missing)
    O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 6679 bytes

#7 - Member, joined Mar 2007, 43 posts

    ComboFix 07-08-17.2 - "Administrator" 2007-08-24 7:33:58.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1438 [GMT -7:00]
    * Created a new restore point


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\ADMINI~1\APPLIC~1\tmp2463.tmp.exe
    C:\DOCUME~1\ADMINI~1\APPLIC~1\tmp2464.tmp.exe
    C:\DOCUME~1\ADMINI~1\APPLIC~1\tmp249C.tmp.exe
    C:\DOCUME~1\ADMINI~1\APPLIC~1\tmpB987.tmp.exe
    C:\DOCUME~1\ADMINI~1\APPLIC~1\tmpD70C.tmp.exe
    C:\DOCUME~1\ADMINI~1\APPLIC~1\tmpD70D.tmp.exe
    C:\WINDOWS\cbabcf.ini
    C:\WINDOWS\fcbabc.dll
    C:\WINDOWS\system32\dn78adb8ab.dat
    C:\WINDOWS\system32\kbdros.dll
    C:\WINDOWS\system32\pmnnopp.dll
    C:\WINDOWS\system32\sstqo.exe
    C:\WINDOWS\WebAssist.dll


    ((((((((((((((((((((((((( Files Created from 2007-07-24 to 2007-08-24 )))))))))))))))))))))))))))))))


    2007-08-23 12:00 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-08-14 18:15 <DIR> d-------- C:\Program Files\Ace Utilities
    2007-08-08 15:24 4,194,304 --a------ C:\DOCUME~1\ADMINI~1\ntuser.dat
    2007-08-07 15:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Media Player Classic
    2007-08-07 15:19 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
    2007-08-07 15:19 298,104 --a------ C:\WINDOWS\system32\imon.dll
    2007-08-07 15:19 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
    2007-08-07 14:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
    2007-08-07 14:53 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Comodo
    2007-08-07 14:50 <DIR> d-------- C:\Program Files\Comodo
    2007-08-07 08:13 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-04 09:38 <DIR> d-------- C:\VundoFix Backups
    2007-08-04 09:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-08-04 09:11 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2007-08-01 22:52 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\CyberLink
    2007-08-01 22:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
    2007-08-01 22:47 <DIR> d-------- C:\Program Files\Cyberlink
    2007-08-01 22:46 <DIR> d-------- C:\Program Files\PowerDVD
    2007-08-01 13:21 3,400 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Shorten Codec.dat
    2007-08-01 12:49 2,940 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
    2007-08-01 12:48 652,664 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
    2007-08-01 12:48 13,004 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
    2007-08-01 12:48 <DIR> d-------- C:\Program Files\dBpoweramp
    2007-08-01 12:34 33,540 --a------ C:\WINDOWS\system32\CoreFLACDecoder-uninstall.exe
    2007-07-31 00:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
    2007-07-31 00:10 <DIR> d-------- C:\Program Files\Nero
    2007-07-31 00:10 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2007-07-31 00:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
    2007-07-25 08:01 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2007-07-24 17:42 <DIR> d-------- C:\Program Files\Ahead
    2007-07-24 16:11 <DIR> d-------- C:\Program Files\CachemanXP


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-24 07:39 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\WTablet
    2007-08-24 07:37 --------- d-------- C:\Program Files\PeerGuardian2
    2007-08-24 07:37 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\uTorrent
    2007-08-23 14:37 --------- d-------- C:\Program Files\Extensis
    2007-08-07 15:04 --------- d-------- C:\Program Files\DivX
    2007-08-01 22:48 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-08-01 12:40 --------- d-------- C:\Program Files\Winamp
    2007-07-31 00:13 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Ahead
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
    2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
    2007-07-04 09:48 132904 --a------ C:\WINDOWS\system32\drivers\imagesrv.sys
    2007-07-04 09:48 11304 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
    2007-07-02 08:52 --------- d-------- C:\Program Files\FriendBlasterPro
    2007-06-27 19:05 972072 --a------ C:\WINDOWS\UNNeroMediaHome.exe
    2007-06-27 10:57 --------- d-------- C:\Program Files\Visioneer OneTouch
    2007-06-26 14:12 972072 --a------ C:\WINDOWS\UNNeroVision.exe
    2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
    2007-06-19 09:22 129784 --------- C:\WINDOWS\system32\pxafs.dll
    2007-06-19 09:22 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
    2007-06-19 09:22 118056 --------- C:\WINDOWS\system32\pxcpyi64.exe
    2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
    2007-06-13 03:23 1033216 --a------ C:\WINDOWS\explorer.exe
    2007-05-30 23:45 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
    2007-05-30 23:44 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
    2007-05-30 23:44 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
    2007-05-30 23:44 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
    2007-05-30 23:44 740442 --a------ C:\WINDOWS\system32\DivX.dll
    2007-05-24 02:36 8972 --a------ C:\WINDOWS\pchealth\helpctr\Config\Cntstore.bin
    2007-05-24 02:36 2722 --a------ C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
    2003-10-02 07:18 36864 --a------ C:\WINDOWS\inf\i386\Vizmicro.dll
    2003-10-02 07:17 172032 --a------ C:\WINDOWS\inf\i386\viceo.dll
    2003-10-02 07:02 278528 --a------ C:\WINDOWS\inf\i386\M5623_24.dll
    2003-10-02 07:02 200704 --a------ C:\WINDOWS\inf\i386\rtscan.dll
    2003-10-02 07:01 35118 --a------ C:\WINDOWS\inf\i386\M5623_24.bin
    2001-08-03 18:29 13824 --a------ C:\WINDOWS\inf\i386\Usbscan.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d028f273-3fce-42a5-881a-29a58de9942d}]
    C:\WINDOWS\system32\FM2til.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 14:48]
    "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-07 15:16]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15:56]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\FM2til]
    FM2til.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]
    path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\MagicDisc.lnk
    backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
    backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
    backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Suitcase 11.0.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Suitcase 11.0.lnk
    backup=C:\WINDOWS\pss\Suitcase 11.0.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Suitcase Startup.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Suitcase Startup.lnk
    backup=C:\WINDOWS\pss\Suitcase Startup.lnkCommon Startup


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
    "C:\Program Files\PowerDVD\Language\Language.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
    C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    "C:\Program Files\PowerDVD\PDVDServ.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
    rundll32.exe "C:\WINDOWS\fcbabc.dll",forkonce

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
    %systemroot%\system32\dumprep 0 -u

    R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\C:\Program Files\PowerDVD\000.fcl
    R2 CachemanXPService;CachemanXP;C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    R3 Dot4 HPH11;Dot4 HPH11;C:\WINDOWS\system32\DRIVERS\hphid411.sys
    R3 Dot4Print HPH11;Print Class Driver for IEEE-1284.4 HPH11;C:\WINDOWS\system32\DRIVERS\hphipr11.sys
    R3 Dot4Usb HPH11;Dot4Usb HPH11;C:\WINDOWS\system32\drivers\hphius11.sys
    R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
    R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys


    Contents of the 'Scheduled Tasks' folder
    2007-08-19 14:41:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    2007-08-24 10:00:00 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job - C:\Program Files\SpywareBot\SpywareBot.exe

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-24 07:39:41
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-24 7:41:28 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-08-24 07:41
    C:\ComboFix2.txt ... 2007-08-07 08:22

    --- E O F ---
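
One thing worth checking in a ComboFix report like the one in #7 is whether the "Reg Loading Points" section still references files that the "Other Deletions" section just removed: the msconfig startupreg entry SystemOptimizer still runs rundll32 on C:\WINDOWS\fcbabc.dll, a DLL ComboFix deleted in the same run and which lived in the Windows root rather than System32. The script below is an added example, not code from this thread, from Team Spybot or from the ComboFix author. It parses those two sections and reports orphaned load points, rundll32 loaders pulling a DLL from outside System32, and the burst of At1.job...At24.job scheduled tasks that the earlier run in #8 removed. The sample lines are excerpted from the reports in #7 and #8 and trimmed to what the checks need; the category names are my own.

```python
"""Cross-check a ComboFix report: deleted files vs. surviving load points.

Added example, not code from the thread or from the ComboFix author.
Parses the 'Other Deletions' and 'Reg Loading Points' sections and reports
(a) registry load points still pointing at a file this run deleted,
(b) rundll32 loaders that pull a DLL from outside System32, and
(c) the At<N>.job hourly-task burst Virtumonde leaves in C:\WINDOWS\Tasks.
"""
import re
from collections import OrderedDict
from typing import Dict, List, Set, Tuple

# Constructed sample input: lines excerpted from the ComboFix reports in
# posts #7 and #8, trimmed to the two sections the checks use.
SAMPLE_REPORT = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\fcbabc.dll
C:\WINDOWS\system32\kbdros.dll
C:\WINDOWS\system32\pmnnopp.dll
C:\WINDOWS\Tasks.\At1.job
C:\WINDOWS\Tasks.\At2.job
C:\WINDOWS\Tasks.\At3.job
C:\WINDOWS\Tasks.\At24.job

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d028f273-3fce-42a5-881a-29a58de9942d}]
C:\WINDOWS\system32\FM2til.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-07 15:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\FM2til]
FM2til.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe "C:\WINDOWS\fcbabc.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")          # ((( Section Name )))
KEY_RE = re.compile(r"^\[(.+)\]$")                        # [HKEY_...]
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\],]+?\.(?:dll|exe|job)', re.I)
AT_JOB_RE = re.compile(r"\\Tasks\.?\\At\d+\.job$", re.I)  # ComboFix prints "Tasks.\"


def parse_report(text: str) -> Tuple[Set[str], "OrderedDict[str, List[str]]"]:
    """Return (deleted paths, ordered {registry key: [value lines]})."""
    deleted: Set[str] = set()
    loadpoints: "OrderedDict[str, List[str]]" = OrderedDict()
    section = None
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), None
            continue
        if section == "Other Deletions":
            if line:
                deleted.add(line.lower())
        elif section == "Reg Loading Points":
            k = KEY_RE.match(line)
            if k:
                key = k.group(1)
                loadpoints[key] = []
            elif line and key:
                loadpoints[key].append(line)
            elif not line:
                key = None                # blank line ends the key's value block
    return deleted, loadpoints


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (category, registry key or folder, detail) findings."""
    deleted, loadpoints = parse_report(text)
    deleted_names = {p.rsplit("\\", 1)[-1] for p in deleted}
    findings = []
    for key, values in loadpoints.items():
        for v in values:
            paths = PATH_RE.findall(v)
            for p in paths:
                name = p.rsplit("\\", 1)[-1].lower()
                if name in deleted_names:
                    # Registry still tells Windows to load a file ComboFix removed.
                    findings.append(("orphaned-loadpoint", key, name))
            if v.lower().startswith("rundll32"):
                for p in paths:
                    folder = p.rsplit("\\", 1)[0].lower()
                    if not folder.endswith("\\system32"):
                        findings.append(("rundll32-outside-system32", key,
                                         p.rsplit("\\", 1)[-1].lower()))
    at_jobs = [p for p in deleted if AT_JOB_RE.search(p)]
    if len(at_jobs) >= 3:
        findings.append(("at-job-burst", "C:\\WINDOWS\\Tasks",
                         f"{len(at_jobs)} At<N>.job tasks deleted (hourly re-launch pattern)"))
    return findings


if __name__ == "__main__":
    for cat, where, detail in audit(SAMPLE_REPORT):
        print(f"{cat:26} {detail:50} {where}")
```

Feed it the full ComboFix.txt; the other sections (Files Created, Find3M, catchme) are skipped because only the two section names above are matched. An orphaned-loadpoint hit is the cue to hand the helper the exact registry key to remove, rather than waiting for the next HJT log to show it as "(file missing)".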

#8 - Member, joined Mar 2007, 43 posts

    ComboFix 07-08-04.3 - "Administrator" 2007-08-07 8:14:14.1 [GMT -7:00] - NTFS
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
    * Created a new restore point


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\ADMINI~1\APPLIC~1\tmp138.tmp.exe
    C:\DOCUME~1\ADMINI~1\APPLIC~1\tmp140.tmp.exe
    C:\WINDOWS\system32\0o8rBILt.exe
    C:\WINDOWS\system32\dn78adb8ab.dat
    C:\WINDOWS\system32\ipcase.dll
    C:\WINDOWS\system32\tmp140.tmp.dll
    C:\WINDOWS\system32\vtstt.exe
    C:\WINDOWS\Tasks.\At1.job
    C:\WINDOWS\Tasks.\At10.job
    C:\WINDOWS\Tasks.\At11.job
    C:\WINDOWS\Tasks.\At12.job
    C:\WINDOWS\Tasks.\At13.job
    C:\WINDOWS\Tasks.\At14.job
    C:\WINDOWS\Tasks.\At15.job
    C:\WINDOWS\Tasks.\At16.job
    C:\WINDOWS\Tasks.\At17.job
    C:\WINDOWS\Tasks.\At18.job
    C:\WINDOWS\Tasks.\At19.job
    C:\WINDOWS\Tasks.\At2.job
    C:\WINDOWS\Tasks.\At20.job
    C:\WINDOWS\Tasks.\At21.job
    C:\WINDOWS\Tasks.\At22.job
    C:\WINDOWS\Tasks.\At23.job
    C:\WINDOWS\Tasks.\At24.job
    C:\WINDOWS\Tasks.\At3.job
    C:\WINDOWS\Tasks.\At4.job
    C:\WINDOWS\Tasks.\At5.job
    C:\WINDOWS\Tasks.\At6.job
    C:\WINDOWS\Tasks.\At7.job
    C:\WINDOWS\Tasks.\At8.job
    C:\WINDOWS\Tasks.\At9.job
    C:\WINDOWS\xhelper.dll
    C:\WINDOWS\xmlhelper.dll
    C:\WINDOWS\xmlhelper2.dll


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_DOMAINSERVICE


    ((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


    2007-08-07 08:13 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-06 13:26 131,421 --a------ C:\WINDOWS\fcbabc.dll
    2007-08-04 09:38 <DIR> d-------- C:\VundoFix Backups
    2007-08-04 09:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-08-04 09:11 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2007-08-03 22:10 13,380 --a------ C:\WINDOWS\system32\pmnnopp.dll
    2007-08-01 22:52 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\CyberLink
    2007-08-01 22:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
    2007-08-01 22:47 <DIR> d-------- C:\Program Files\Cyberlink
    2007-08-01 22:46 <DIR> d-------- C:\Program Files\PowerDVD
    2007-08-01 13:21 3,400 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Shorten Codec.dat
    2007-08-01 12:49 2,940 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
    2007-08-01 12:48 652,664 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
    2007-08-01 12:48 13,004 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
    2007-08-01 12:48 <DIR> d-------- C:\Program Files\dBpoweramp
    2007-08-01 12:34 33,540 --a------ C:\WINDOWS\system32\CoreFLACDecoder-uninstall.exe
    2007-07-31 00:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
    2007-07-31 00:10 <DIR> d-------- C:\Program Files\Nero
    2007-07-31 00:10 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2007-07-31 00:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
    2007-07-30 13:12 84,992 --a------ C:\WINDOWS\WebAssist.dll
    2007-07-25 08:01 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2007-07-24 17:42 <DIR> d-------- C:\Program Files\Ahead
    2007-07-24 16:11 <DIR> d-------- C:\Program Files\CachemanXP
    2007-07-20 13:50 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Ahead
    2007-07-11 00:32 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
    2007-07-11 00:32 118,056 --------- C:\WINDOWS\system32\pxcpyi64.exe


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-07 08:20 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\WTablet
    2007-08-05 23:29 --------- d-------- C:\Program Files\PeerGuardian2
    2007-08-05 23:29 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\uTorrent
    2007-08-01 22:48 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-08-01 12:40 --------- d-------- C:\Program Files\Winamp
    2007-07-04 09:48 132904 --a------ C:\WINDOWS\system32\drivers\imagesrv.sys
    2007-07-04 09:48 11304 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
    2007-07-02 08:52 --------- d-------- C:\Program Files\FriendBlasterPro
    2007-06-27 19:05 972072 --a------ C:\WINDOWS\UNNeroMediaHome.exe
    2007-06-27 10:57 --------- d-------- C:\Program Files\Visioneer OneTouch
    2007-06-26 14:12 972072 --a------ C:\WINDOWS\UNNeroVision.exe
    2007-06-19 09:22 129784 --------- C:\WINDOWS\system32\pxafs.dll
    2007-06-17 09:28 --------- d-------- C:\Program Files\Encore
    2007-06-12 16:41 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Extensis
    2007-06-12 16:39 --------- d-------- C:\Program Files\Extensis
    2007-06-11 20:45 --------- d-------- C:\Program Files\MagicDisc
    2007-06-10 08:32 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
    2007-06-10 07:53 --------- d-------- C:\Program Files\Apple Software Update
    2007-06-04 00:52 1156 --a------ C:\WINDOWS\mozver.dat
    2007-06-01 16:02 0 --a------ C:\WINDOWS\nsreg.dat
    2007-05-30 23:45 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
    2007-05-30 23:44 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
    2007-05-30 23:44 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
    2007-05-30 23:44 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
    2007-05-30 23:44 740442 --a------ C:\WINDOWS\system32\DivX.dll
    2007-05-23 02:28 0 -rahs---- C:\MSDOS.SYS
    2007-05-23 02:28 0 -rahs---- C:\IO.SYS
    2007-05-23 02:28 0 --a------ C:\CONFIG.SYS
    2007-05-23 02:28 0 --a------ C:\AUTOEXEC.BAT
    2007-05-23 02:25 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
    2007-05-16 09:18 95864 --a------ C:\WINDOWS\system32\NeroCo.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d028f273-3fce-42a5-881a-29a58de9942d}]
    C:\WINDOWS\system32\FM2til.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 14:48]
    "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 15:56]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\FM2til]
    FM2til.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=c:\windows\system32\pmnnopp.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]
    path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\MagicDisc.lnk
    backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
    backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
    backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Suitcase 11.0.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Suitcase 11.0.lnk
    backup=C:\WINDOWS\pss\Suitcase 11.0.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Suitcase Startup.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Suitcase Startup.lnk
    backup=C:\WINDOWS\pss\Suitcase Startup.lnkCommon Startup


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
    "C:\Program Files\PowerDVD\Language\Language.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
    C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    "C:\Program Files\PowerDVD\PDVDServ.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
    rundll32.exe "C:\WINDOWS\fcbabc.dll",forkonce

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
    %systemroot%\system32\dumprep 0 -u

    R0 a347bus;a347bus;C:\WINDOWS\system32\DRIVERS\a347bus.sys
    R0 a347scsi;a347scsi;C:\WINDOWS\system32\Drivers\a347scsi.sys
    R0 gagp30kx;Microsoft Generic AGPv3.0 Filter for K8 Processor Platforms;C:\WINDOWS\system32\DRIVERS\gagp30kx.sys
    R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\C:\Program Files\PowerDVD\000.fcl
    R2 CachemanXPService;CachemanXP;C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    R3 Dot4 HPH11;Dot4 HPH11;C:\WINDOWS\system32\DRIVERS\hphid411.sys
    R3 Dot4Print HPH11;Print Class Driver for IEEE-1284.4 HPH11;C:\WINDOWS\system32\DRIVERS\hphipr11.sys
    R3 Dot4Usb HPH11;Dot4Usb HPH11;C:\WINDOWS\system32\drivers\hphius11.sys
    R3 mcdbus;Driver for MagicISO SCSI Host Controller;C:\WINDOWS\system32\DRIVERS\mcdbus.sys
    R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
    R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys
    S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service;"C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe"
    S3 odserv;Microsoft Office Diagnostics Service;"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE"


    Contents of the 'Scheduled Tasks' folder
    2007-08-05 14:41:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    2007-08-07 10:00:00 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job - C:\Program Files\SpywareBot\SpywareBot.exe

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-07 08:20:30
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
    "DisplayName"="Alcohol 120orporate"

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-07 8:22:26 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-08-07 08:21

    --- E O F ---

  9. #9
    Member
    Join Date
    Mar 2007
    Posts
    43

    Default

    Code:
    2007-06-14 17:10      122880    --a------    C:\Qoobox\Quarantine\C\WINDOWS\xmlhelper.dll.vir
    2007-06-14 17:10      19520    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\0o8rBILt.exe.vir
    2007-06-28 20:12      122880    --a------    C:\Qoobox\Quarantine\C\WINDOWS\xmlhelper2.dll.vir
    2007-07-19 07:38      126976    --a------    C:\Qoobox\Quarantine\C\WINDOWS\xhelper.dll.vir
    2007-07-31 05:11      84992    --a------    C:\Qoobox\Quarantine\C\WINDOWS\WebAssist.dll.vir
    2007-08-03 22:10      13380    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\pmnnopp.dll.vir
    2007-08-04 22:16      105477    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\vtstt.exe.vir
    2007-08-04 22:16      92634    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ipcase.dll.vir
    2007-08-06 09:00      350    --a------    C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At10.job.vir
    2007-08-06 10:00      350    --a------    C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At11.job.vir
    2007-08-06 11:00      350    --a------    C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At12.job.vir
    2007-08-06 12:00      350    --a------    C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At13.job.vir
    2007-08-06 13:00      350    --a------    C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At14.job.vir
    2007-08-06 13:26      124774    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\ADMINI~1\APPLIC~1\tmp138.tmp.exe.vir
    2007-08-06 13:28      63525    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp140.tmp.dll.vir
    2007-08-06 13:28      78541    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\ADMINI~1\APPLIC~1\tmp140.tmp.exe.vir
    2007-08-06 14:00      350    --a------    C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At15.job.vir
    2007-08-06 15:00      350    --a------    C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At16.job.vir
    2007-08-06 16:00      350    --a------    C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At17.job.vir
    2007-08-06 17:00      350    --a------    C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At18.job.vir
    2007-08-06 18:00      350    --a------    C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At19.job.vir
    2007-08-06 19:00      350    --a------    C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At20.job.vir
    2007-08-06 20:00      350    --a------    C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At21.job.vir
    2007-08-06 21:00      350    --a------    C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At22.job.vir
    2007-08-06 22:00      350    --a------    C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At23.job.vir
    2007-08-06 23:00      350    --a------    C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At24.job.vir
    2007-08-07 00:00      350    --a------    C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At1.job.vir
    2007-08-07 01:00      350    --a------    C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At2.job.vir
    2007-08-07 02:00      350    --a------    C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At3.job.vir
    2007-08-07 03:00      350    --a------    C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At4.job.vir
    2007-08-07 04:00      350    --a------    C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At5.job.vir
    2007-08-07 05:00      350    --a------    C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At6.job.vir
    2007-08-07 06:00      350    --a------    C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At7.job.vir
    2007-08-07 07:00      350    --a------    C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At8.job.vir
    2007-08-07 08:00      350    --a------    C:\Qoobox\Quarantine\C\WINDOWS\Tasks\At9.job.vir
    2007-08-07 08:13      1190879    --a------    C:\Qoobox\Quarantine\C\WINDOWS\cbabcf.ini.vir
    2007-08-07 08:18      1164    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_DOMAINSERVICE.reg.cf
    2007-08-07 08:18      90563    --a------    C:\Qoobox\Quarantine\catchme2007-08-07_ 82029.46.zip
    2007-08-07 09:20      105482    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\sstqo.exe.vir
    2007-08-07 09:20      92691    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\kbdros.dll.vir
    2007-08-16 13:51      32768    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\ADMINI~1\APPLIC~1\tmp2463.tmp.exe.vir
    2007-08-16 13:51      32768    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\ADMINI~1\APPLIC~1\tmp249C.tmp.exe.vir
    2007-08-16 13:51      65536    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\ADMINI~1\APPLIC~1\tmp2464.tmp.exe.vir
    2007-08-22 08:48      32768    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\ADMINI~1\APPLIC~1\tmpB987.tmp.exe.vir
    2007-08-23 08:48      32768    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\ADMINI~1\APPLIC~1\tmpD70C.tmp.exe.vir
    2007-08-23 08:48      32768    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\ADMINI~1\APPLIC~1\tmpD70D.tmp.exe.vir
    2007-08-24 07:37      1204545    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\dn78adb8ab.dat.vir
    2007-08-24 07:37      308    --a------    C:\Qoobox\Quarantine\catchme.log
    2007-08-24 07:37      90614    --a------    C:\Qoobox\Quarantine\catchme2007-08-24_ 73940.84.zip
    
    
    Folder PATH listing
    Volume serial number is 78AD-B8AB
    C:\QOOBOX
    \---Quarantine
        |   catchme.log
        |   catchme2007-08-07_ 82029.46.zip
        |   catchme2007-08-24_ 73940.84.zip
        |   
        +---C
        |   +---DOCUME~1
        |   |   \---ADMINI~1
        |   |       \---APPLIC~1
        |   |               tmp138.tmp.exe.vir
        |   |               tmp140.tmp.exe.vir
        |   |               tmp2463.tmp.exe.vir
        |   |               tmp2464.tmp.exe.vir
        |   |               tmp249C.tmp.exe.vir
        |   |               tmpB987.tmp.exe.vir
        |   |               tmpD70C.tmp.exe.vir
        |   |               tmpD70D.tmp.exe.vir
        |   |               
        |   \---WINDOWS
        |       |   cbabcf.ini.vir
        |       |   WebAssist.dll.vir
        |       |   xhelper.dll.vir
        |       |   xmlhelper.dll.vir
        |       |   xmlhelper2.dll.vir
        |       |   
        |       +---system32
        |       |       0o8rBILt.exe.vir
        |       |       dn78adb8ab.dat.vir
        |       |       ipcase.dll.vir
        |       |       kbdros.dll.vir
        |       |       pmnnopp.dll.vir
        |       |       sstqo.exe.vir
        |       |       tmp140.tmp.dll.vir
        |       |       vtstt.exe.vir
        |       |       
        |       \---Tasks
        |               At1.job.vir
        |               At10.job.vir
        |               At11.job.vir
        |               At12.job.vir
        |               At13.job.vir
        |               At14.job.vir
        |               At15.job.vir
        |               At16.job.vir
        |               At17.job.vir
        |               At18.job.vir
        |               At19.job.vir
        |               At2.job.vir
        |               At20.job.vir
        |               At21.job.vir
        |               At22.job.vir
        |               At23.job.vir
        |               At24.job.vir
        |               At3.job.vir
        |               At4.job.vir
        |               At5.job.vir
        |               At6.job.vir
        |               At7.job.vir
        |               At8.job.vir
        |               At9.job.vir
        |               
        \---Registry_backups
                LEGACY_DOMAINSERVICE.reg.cf

  10. #10
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    SpywareBot is considered a rogue, see here

    "SpywareBot spywarebot.com exploits name "Spybot Search & Destroy"; same app as AdwareAlert [A: 5-14-06 / U: 1-9-07]"

    So I recommend uninstalling it via Add/Remove Programs

    If you decide to do so, please delete these, too:

    C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job
    C:\Program Files\SpywareBot\SpywareBot.exe

    Create your own folder for report.exe on the desktop and move it to that folder

    After that:

    Open HijackThis, click do a system scan only and checkmark these:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: (no name) - {d028f273-3fce-42a5-881a-29a58de9942d} - C:\WINDOWS\system32\FM2til.dll (file missing)
    O20 - Winlogon Notify: FM2til - FM2til.dll (file missing)


    Close all windows including browser and press fix checked.

    Reboot

    Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:

      o Scan using the following Anti-Virus database:

      + Extended (If available otherwise Standard)

      o Scan Options:

      + Scan Archives
      + Scan Mail Bases
    • Click OK
    • Now under select a target to scan select My Computer
    • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button
    • Save the file to your desktop.
    • Copy and paste that information in your next post.


    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.

    Post:

    - a fresh HijackThis log
    - kaspersky report
    Last edited by Shaba; 2007-08-24 at 19:53.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
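
The helper's fix list above and the ComboFix "Reg Loading Points" and quarantine listings earlier in the thread show the same handful of Vundo-style persistence spots: a BHO and a Winlogon Notify hook whose DLL is already gone, a populated AppInit_DLLs value, rundll32 loading a DLL straight from the Windows root, and a run of At*.job tasks. The script below is an added example for this thread, not code from HijackThis, ComboFix or Spybot; it parses constructed log lines of the same shape and flags those spots. The function names, the sample text and the `at_job_threshold` cut-off are assumptions of this example.

```python
"""Triage the load points seen in this thread's HijackThis and ComboFix logs.

Added example for this thread; not code from HijackThis, ComboFix or Spybot.
The two samples below are constructed to match the shape of the posted logs,
and the rules encode what the helper selected for fixing: O2/O20 entries whose
DLL is already gone, a populated AppInit_DLLs value, rundll32 loading a DLL
straight from the Windows root, and a run of At*.job tasks created by at.exe.
"""
import re

# Constructed HijackThis lines (the three the helper listed plus one benign O4).
HJT_SAMPLE = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {d028f273-3fce-42a5-881a-29a58de9942d} - C:\WINDOWS\system32\FM2til.dll (file missing)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: FM2til - FM2til.dll (file missing)
"""

# Constructed ComboFix excerpt: registry loading points and a task listing.
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\pmnnopp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe "C:\WINDOWS\fcbabc.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
"""

HJT_LINE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
APPINIT = re.compile(r'^"appinit_dlls"=(?P<val>\S.*)$', re.I)
# A DLL directly under <drive>:\WINDOWS\ (no further subdirectory) run via rundll32.
RUNDLL_ROOT = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[A-Z]:\\WINDOWS\\[^\\"]+\.dll)"?', re.I)
AT_JOB = re.compile(r"\\Tasks\\At(?P<n>\d+)\.job$", re.I)


def parse_hjt(text):
    """Split HijackThis output into (kind, body) pairs, e.g. ('O20', 'Winlogon Notify: ...')."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def hjt_findings(entries):
    """Return (kind, reason) for the entries the helper's rules would checkmark."""
    findings = []
    for kind, body in entries:
        if kind in ("O2", "O20", "O21") and "(file missing)" in body:
            # A BHO or Winlogon Notify hook whose DLL has been removed: the
            # registry reference is left over and should be cleaned up.
            findings.append((kind, "load point whose DLL no longer exists"))
        elif kind == "R0" and body.endswith("= about:blank"):
            findings.append((kind, "start page left as about:blank"))
    return findings


def combofix_findings(text, at_job_threshold=4):
    """Flag AppInit_DLLs, rundll32-from-Windows-root and at.exe job series.

    at_job_threshold is an assumed cut-off: a handful of AtN.job files is
    unusual on a home machine, and the posted log showed 24 of them.
    """
    findings = []
    at_jobs = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = APPINIT.match(line)
        if m and m.group("val").strip():
            findings.append(("AppInit_DLLs", m.group("val").strip()))
            continue
        m = RUNDLL_ROOT.match(line)
        if m:
            findings.append(("rundll32 from Windows root", m.group("dll")))
            continue
        m = AT_JOB.search(line)
        if m:
            at_jobs.add(int(m.group("n")))
    if len(at_jobs) >= at_job_threshold:
        findings.append(("at.exe job series",
                         f"At{min(at_jobs)}.job..At{max(at_jobs)}.job ({len(at_jobs)} jobs)"))
    return findings


if __name__ == "__main__":
    for kind, reason in hjt_findings(parse_hjt(HJT_SAMPLE)):
        print(f"HJT  {kind:4} {reason}")
    for what, detail in combofix_findings(COMBOFIX_SAMPLE):
        print(f"CF   {what}: {detail}")
```

Run it as-is and it reports the three HijackThis entries the helper checkmarked and the three ComboFix indicators; feed it a real log saved from either tool (as text) to get the same short triage list. The "(file missing)" marker is the point of the O2/O20 rule: after a cleanup the file is gone but the registry still tries to load it, which is why the helper has those lines fixed rather than ignored.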
