
Thread: Vitumonde

  1. #11
    Member
    Join Date
    Dec 2007
    Location
    NZ
    Posts
    30

Sorry, this is the ComboFix log (rest in next post)

    darn that 20K character cap

    ComboFix 08-01-06.4 - Joel Gibson 2008-01-06 11:45:17.2 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1137 [GMT 13:00]
    Running from: C:\Documents and Settings\Joel Gibson\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Joel Gibson\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\FOUND.003
    C:\WINDOWS\popcinfot.dat
    C:\WINDOWS\system32\77052A6FA7.sys
    C:\WINDOWS\system32\amhnxale.ini
    C:\WINDOWS\system32\bsjbwpfa.ini
    C:\WINDOWS\system32\byarxcjr.ini
    C:\WINDOWS\system32\cdkhmcep.ini
    C:\WINDOWS\system32\clcgywad.ini
    C:\WINDOWS\system32\csvroaew.ini2
    C:\WINDOWS\system32\dbjhaybs.ini
    C:\WINDOWS\system32\dflxrnqk.ini
    C:\WINDOWS\system32\dfvwjfnu.ini
    C:\WINDOWS\system32\dhuxinya.ini
    C:\WINDOWS\system32\djdnjtrs.ini
    C:\WINDOWS\system32\dsvjhpyc.ini
    C:\WINDOWS\system32\dwqjjjkl.ini
    C:\WINDOWS\system32\eboefsaf.ini
    C:\WINDOWS\system32\efavoych.ini
    C:\WINDOWS\system32\eixqbsef.ini
    C:\WINDOWS\system32\emaflsao.ini2
    C:\WINDOWS\system32\epgtmelk.dll
    C:\WINDOWS\system32\etsgefsd.ini
    C:\WINDOWS\system32\fsswttnt.ini2
    C:\WINDOWS\system32\ftvpqxou.ini
    C:\WINDOWS\system32\ggxbkxgv.ini
    C:\WINDOWS\system32\gicnwgfq.ini
    C:\WINDOWS\system32\goqidqfu.ini
    C:\WINDOWS\system32\hlagnivr.ini
    C:\WINDOWS\system32\htxmkdvb.ini
    C:\WINDOWS\system32\ipshuhus.ini
    C:\WINDOWS\system32\ixnkmwbo.ini
    C:\WINDOWS\system32\jeptewdh.ini
    C:\WINDOWS\system32\jgyhbqod.ini
    C:\WINDOWS\system32\jhyuhsgj.ini
    C:\WINDOWS\system32\jpirvbvj.dat
    C:\WINDOWS\system32\kbpyuujh.ini
    C:\WINDOWS\system32\kuyokutk.ini
    C:\WINDOWS\system32\mvpvgokd.ini
    C:\WINDOWS\system32\mypywocv.ini
    C:\WINDOWS\system32\nacrmimk.ini
    C:\WINDOWS\system32\neenoufh.ini
    C:\WINDOWS\system32\nfxuerye.ini
    C:\WINDOWS\system32\nlbfduvr.ini
    C:\WINDOWS\system32\opjfihwl.ini
    C:\WINDOWS\system32\orkxndag.ini2
    C:\WINDOWS\system32\pathcuto.ini
    C:\WINDOWS\system32\pdtfijws.ini
    C:\WINDOWS\system32\pfsgxhdh.ini
    C:\WINDOWS\system32\pqqagpjp.ini
    C:\WINDOWS\system32\qmavtwkq.ini
    C:\WINDOWS\system32\qnyxgbjg.ini
    C:\WINDOWS\system32\rkfqwxnk.ini
    C:\WINDOWS\system32\rwchxlwj.ini
    C:\WINDOWS\system32\sbspyaht.ini
    C:\WINDOWS\system32\sewmrqnq.ini2
    C:\WINDOWS\system32\smjynmvs.ini
    C:\WINDOWS\system32\smrfmhtx.ini
    C:\WINDOWS\system32\tgjxtisy.ini
    C:\WINDOWS\system32\trhygbxq.ini
    C:\WINDOWS\system32\upfydvsg.ini
    C:\WINDOWS\system32\uxhkfugi.ini
    C:\WINDOWS\system32\vkdorxjy.ini
    C:\WINDOWS\system32\vtacryyr.ini
    C:\WINDOWS\system32\vugtedko.ini
    C:\WINDOWS\system32\vwbpbgwi.dll
    C:\WINDOWS\system32\winshost.exe
    C:\WINDOWS\system32\wujevtak.ini
    C:\WINDOWS\system32\wxmyxdjy.ini
    C:\WINDOWS\system32\xknclkxi.ini
    C:\WINDOWS\system32\ymxvygsb.ini
    C:\WINDOWS\system32\yrqvrpss.ini
    C:\WINDOWS\system32\yrtbkgiw.ini
    C:\WINDOWS\system32\yselglkf.ini
    .
    The following files were disabled during the run:
    C:\WINDOWS\system32\guard32.dll


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\VundoFix Backups
    C:\VundoFix Backups\aaknmvjq.dll.bad
    C:\VundoFix Backups\addmorefiles.txt
    C:\VundoFix Backups\adlsnobs.exe.bad
    C:\VundoFix Backups\ahdwqato.dll.bad
    C:\VundoFix Backups\ajonptpu.exe.bad
    C:\VundoFix Backups\alhtvotv.exe.bad
    C:\VundoFix Backups\awtsq.dll.bad
    C:\VundoFix Backups\awtst.dll.bad
    C:\VundoFix Backups\awvtr.dll.bad
    C:\VundoFix Backups\awvts.dll.bad
    C:\VundoFix Backups\axcuflob.ini.bad
    C:\VundoFix Backups\bbsxcuij.dll.bad
    C:\VundoFix Backups\becwkcjv.dll.bad
    C:\VundoFix Backups\bolfucxa.dll.bad
    C:\VundoFix Backups\bvdkmxth.dll.bad
    C:\VundoFix Backups\bvqibiym.exe.bad
    C:\VundoFix Backups\chglhuof.exe.bad
    C:\VundoFix Backups\cwetqyra.exe.bad
    C:\VundoFix Backups\cxokrsci.exe.bad
    C:\VundoFix Backups\cyphjvsd.dll.bad
    C:\VundoFix Backups\ddayv.dll.bad
    C:\VundoFix Backups\ddayw.dll.bad
    C:\VundoFix Backups\dfhkj.bak1.bad
    C:\VundoFix Backups\dfhkj.bak2.bad
    C:\VundoFix Backups\dfhkj.ini.bad
    C:\VundoFix Backups\dmogiavb.exe.bad
    C:\VundoFix Backups\dpqjsxib.exe.bad
    C:\VundoFix Backups\dvlqgali.dll.bad
    C:\VundoFix Backups\eayswvhm.dll.bad
    C:\VundoFix Backups\elaxnhma.dll.bad
    C:\VundoFix Backups\eyreuxfn.dll.bad
    C:\VundoFix Backups\fasfeobe.dll.bad
    C:\VundoFix Backups\fdjnrltd.exe.bad
    C:\VundoFix Backups\fesbqxie.dll.bad
    C:\VundoFix Backups\fklglesy.dll.bad
    C:\VundoFix Backups\fsfcwhtx.exe.bad
    C:\VundoFix Backups\gebcd.dll.bad
    C:\VundoFix Backups\geeba.dll.bad
    C:\VundoFix Backups\geqqsquo.exe.bad
    C:\VundoFix Backups\gjbgxynq.dll.bad
    C:\VundoFix Backups\gjifoxau.exe.bad
    C:\VundoFix Backups\gqvrmqup.exe.bad
    C:\VundoFix Backups\gykxqafx.dll.bad
    C:\VundoFix Backups\hdhxgsfp.dll.bad
    C:\VundoFix Backups\hfsdbvnc.exe.bad
    C:\VundoFix Backups\hfuoneen.dll.bad
    C:\VundoFix Backups\hlmkucft.exe.bad
    C:\VundoFix Backups\hquvjuap.exe.bad
    C:\VundoFix Backups\hrollkox.dll.bad
    C:\VundoFix Backups\igpibhxt.exe.bad
    C:\VundoFix Backups\igufkhxu.dll.bad
    C:\VundoFix Backups\jjkmp.bak1.bad
    C:\VundoFix Backups\jjkmp.bak2.bad
    C:\VundoFix Backups\jjkmp.ini.bad
    C:\VundoFix Backups\jkhfd.dll.bad
    C:\VundoFix Backups\jkkhhhh.dll.bad
    C:\VundoFix Backups\jmjefleo.dll.bad
    C:\VundoFix Backups\jrodkada.dll.bad
    C:\VundoFix Backups\kacrvcyg.exe.bad
    C:\VundoFix Backups\katvejuw.dll.bad
    C:\VundoFix Backups\kmimrcan.dll.bad
    C:\VundoFix Backups\kqnrxlfd.dll.bad
    C:\VundoFix Backups\krxrmntp.exe.bad
    C:\VundoFix Backups\ktukoyuk.dll.bad
    C:\VundoFix Backups\lacfywqk.exe.bad
    C:\VundoFix Backups\lgwtldka.exe.bad
    C:\VundoFix Backups\lkjjjqwd.dll.bad
    C:\VundoFix Backups\lsobirnp.exe.bad
    C:\VundoFix Backups\lweibfwf.dll.bad
    C:\VundoFix Backups\lxglswgq.exe.bad
    C:\VundoFix Backups\lypgbkip.dll.bad
    C:\VundoFix Backups\mecdfdko.exe.bad
    C:\VundoFix Backups\mfosuqis.exe.bad
    C:\VundoFix Backups\mrykioey.exe.bad
    C:\VundoFix Backups\naajkicb.exe.bad
    C:\VundoFix Backups\nnnolji.dll.bad
    C:\VundoFix Backups\nukbqfth.dll.bad
    C:\VundoFix Backups\obwmknxi.dll.bad
    C:\VundoFix Backups\oddwwhvn.exe.bad
    C:\VundoFix Backups\oiitldsl.exe.bad
    C:\VundoFix Backups\oitqnbnw.dll.bad
    C:\VundoFix Backups\ojdoqvdx.exe.bad
    C:\VundoFix Backups\olqtxsad.exe.bad
    C:\VundoFix Backups\otaqwdha.ini.bad
    C:\VundoFix Backups\ovgvfrss.exe.bad
    C:\VundoFix Backups\pecmhkdc.dll.bad
    C:\VundoFix Backups\pflsjqrh.exe.bad
    C:\VundoFix Backups\pjpgaqqp.dll.bad
    C:\VundoFix Backups\pmkjj.dll.bad
    C:\VundoFix Backups\pmnlj.dll.bad
    C:\VundoFix Backups\pmnnn.dll.bad
    C:\VundoFix Backups\pmnno.dll.bad
    C:\VundoFix Backups\pmnyjecn.dll.bad
    C:\VundoFix Backups\prjjbnuj.exe.bad
    C:\VundoFix Backups\pvbsrogp.exe.bad
    C:\VundoFix Backups\qbyhnxay.exe.bad
    C:\VundoFix Backups\qirqllld.exe.bad
    C:\VundoFix Backups\qjvmnkaa.ini.bad
    C:\VundoFix Backups\qkwtvamq.dll.bad
    C:\VundoFix Backups\qqstv.bak1.bad
    C:\VundoFix Backups\qqstv.bak2.bad
    C:\VundoFix Backups\qqstv.ini.bad
    C:\VundoFix Backups\qstwa.bak1.bad
    C:\VundoFix Backups\qstwa.ini.bad
    C:\VundoFix Backups\qxbgyhrt.dll.bad
    C:\VundoFix Backups\rdgoqilo.dll.bad
    C:\VundoFix Backups\rhhgbaov.exe.bad
    C:\VundoFix Backups\rnekbkav.exe.bad
    C:\VundoFix Backups\rtkugord.exe.bad
    C:\VundoFix Backups\rtvwa.bak1.bad
    C:\VundoFix Backups\rtvwa.bak2.bad
    C:\VundoFix Backups\rtvwa.ini.bad
    C:\VundoFix Backups\rvudfbln.dll.bad
    C:\VundoFix Backups\rxqemcmh.dll.bad
    C:\VundoFix Backups\ryyrcatv.dll.bad
    C:\VundoFix Backups\sniifkxi.dll.bad
    C:\VundoFix Backups\sscmyuhb.dll.bad
    C:\VundoFix Backups\ssqrq.dll.bad
    C:\VundoFix Backups\stbkhppd.dll.bad
    C:\VundoFix Backups\stvwa.bak1.bad
    C:\VundoFix Backups\stvwa.ini.bad
    C:\VundoFix Backups\suhuhspi.dll.bad
    C:\VundoFix Backups\svmnyjms.dll.bad
    C:\VundoFix Backups\swjiftdp.dll.bad
    C:\VundoFix Backups\tstwa.bak1.bad
    C:\VundoFix Backups\tstwa.ini.bad
    C:\VundoFix Backups\ttlavuqh.exe.bad
    C:\VundoFix Backups\txdbbppg.dll.bad
    C:\VundoFix Backups\uexeygti.exe.bad
    C:\VundoFix Backups\ufqdiqog.dll.bad
    C:\VundoFix Backups\unfjwvfd.dll.bad
    C:\VundoFix Backups\uoxqpvtf.dll.bad
    C:\VundoFix Backups\usqetaxl.exe.bad
    C:\VundoFix Backups\vaculevs.dll.bad
    C:\VundoFix Backups\vcowypym.dll.bad
    C:\VundoFix Backups\vgxkbxgg.dll.bad
    C:\VundoFix Backups\vieoegty.exe.bad
    C:\VundoFix Backups\voumqsqp.dll.bad
    C:\VundoFix Backups\vtsqq.dll.bad
    C:\VundoFix Backups\vyxejewr.exe.bad
    C:\VundoFix Backups\wigkbtry.dll.bad
    C:\VundoFix Backups\wqfutprs.exe.bad
    C:\VundoFix Backups\wrbcjmtt.exe.bad
    C:\VundoFix Backups\wvuutts.dll.bad
    C:\VundoFix Backups\wyilrbiv.exe.bad
    C:\VundoFix Backups\xljkllom.exe.bad
    C:\VundoFix Backups\xlwfaeiu.exe.bad
    C:\VundoFix Backups\xthmfrms.dll.bad
    C:\VundoFix Backups\yayxwxy.dll.bad
    C:\VundoFix Backups\yjdxymxw.dll.bad
    C:\VundoFix Backups\yjxrodkv.dll.bad
    C:\VundoFix Backups\yrdomwof.exe.bad
    C:\VundoFix Backups\ysitxjgt.dll.bad
    C:\VundoFix Backups\yyfdfvip.exe.bad
    C:\WINDOWS\popcinfot.dat
    C:\WINDOWS\system32\77052A6FA7.sys
    C:\WINDOWS\system32\amhnxale.ini
    C:\WINDOWS\system32\bsjbwpfa.ini
    C:\WINDOWS\system32\byarxcjr.ini
    C:\WINDOWS\system32\cdkhmcep.ini
    C:\WINDOWS\system32\clcgywad.ini
    C:\WINDOWS\system32\csvroaew.ini2
    C:\WINDOWS\system32\dbjhaybs.ini
    C:\WINDOWS\system32\dflxrnqk.ini
    C:\WINDOWS\system32\dfvwjfnu.ini
    C:\WINDOWS\system32\dhuxinya.ini
    C:\WINDOWS\system32\djdnjtrs.ini
    C:\WINDOWS\system32\dsvjhpyc.ini
    C:\WINDOWS\system32\dwqjjjkl.ini
    C:\WINDOWS\system32\eboefsaf.ini
    C:\WINDOWS\system32\efavoych.ini
    C:\WINDOWS\system32\eixqbsef.ini
    C:\WINDOWS\system32\emaflsao.ini2
    C:\WINDOWS\system32\epgtmelk.dll
    C:\WINDOWS\system32\etsgefsd.ini
    C:\WINDOWS\system32\fsswttnt.ini2
    C:\WINDOWS\system32\ftvpqxou.ini
    C:\WINDOWS\system32\ggxbkxgv.ini
    C:\WINDOWS\system32\gicnwgfq.ini
    C:\WINDOWS\system32\goqidqfu.ini
    C:\WINDOWS\system32\hlagnivr.ini
    C:\WINDOWS\system32\htxmkdvb.ini
    C:\WINDOWS\system32\ipshuhus.ini
    C:\WINDOWS\system32\ixnkmwbo.ini
    C:\WINDOWS\system32\jeptewdh.ini
    C:\WINDOWS\system32\jgyhbqod.ini
    C:\WINDOWS\system32\jhyuhsgj.ini
    C:\WINDOWS\system32\jpirvbvj.dat
    C:\WINDOWS\system32\kbpyuujh.ini
    C:\WINDOWS\system32\kuyokutk.ini
    C:\WINDOWS\system32\mvpvgokd.ini
    C:\WINDOWS\system32\mypywocv.ini
    C:\WINDOWS\system32\nacrmimk.ini
    C:\WINDOWS\system32\neenoufh.ini
    C:\WINDOWS\system32\nfxuerye.ini
    C:\WINDOWS\system32\nlbfduvr.ini
    C:\WINDOWS\system32\opjfihwl.ini
    C:\WINDOWS\system32\orkxndag.ini2
    C:\WINDOWS\system32\pathcuto.ini
    C:\WINDOWS\system32\pdtfijws.ini
    C:\WINDOWS\system32\pfsgxhdh.ini
    C:\WINDOWS\system32\pqqagpjp.ini
    C:\WINDOWS\system32\qmavtwkq.ini
    C:\WINDOWS\system32\qnyxgbjg.ini
    C:\WINDOWS\system32\rkfqwxnk.ini
    C:\WINDOWS\system32\rwchxlwj.ini
    C:\WINDOWS\system32\sbspyaht.ini
    C:\WINDOWS\system32\sewmrqnq.ini2
    C:\WINDOWS\system32\smjynmvs.ini
    C:\WINDOWS\system32\smrfmhtx.ini
    C:\WINDOWS\system32\tgjxtisy.ini
    C:\WINDOWS\system32\trhygbxq.ini
    C:\WINDOWS\system32\upfydvsg.ini
    C:\WINDOWS\system32\uxhkfugi.ini
    C:\WINDOWS\system32\vkdorxjy.ini
    C:\WINDOWS\system32\vtacryyr.ini
    C:\WINDOWS\system32\vugtedko.ini
    C:\WINDOWS\system32\wujevtak.ini
    C:\WINDOWS\system32\wxmyxdjy.ini
    C:\WINDOWS\system32\xknclkxi.ini
    C:\WINDOWS\system32\ymxvygsb.ini
    C:\WINDOWS\system32\yrqvrpss.ini
    C:\WINDOWS\system32\yrtbkgiw.ini
    C:\WINDOWS\system32\yselglkf.ini

    .
    ((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
    .

    2008-01-05 15:16 . 2008-01-06 11:45 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
    2008-01-05 15:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-12-30 21:57 . 2007-12-30 21:57 <DIR> d--hs---- C:\FOUND.003
    2007-12-29 20:39 . 2007-12-29 20:39 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Command and Conquer 3 Tiberium Wars
    2007-12-29 00:06 . 2007-12-29 00:06 <DIR> d-------- C:\Games
    2007-12-28 11:29 . 2007-12-28 11:29 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Winamp
    2007-12-27 18:08 . 2007-12-27 18:08 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\The Chosen demo
    2007-12-27 18:08 . 2007-12-27 18:08 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Frater
    2007-12-26 23:00 . 2007-12-26 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
    2007-12-26 23:00 . 2007-12-26 23:00 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
    2007-12-26 23:00 . 2007-12-26 23:00 81,272 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
    2007-12-26 23:00 . 2007-12-26 23:00 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
    2007-12-26 21:21 . 2007-12-26 21:21 <DIR> d-------- C:\Program Files\COMODO
    2007-12-26 21:21 . 2007-12-26 21:21 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Comodo
    2007-12-26 18:26 . 2007-12-26 18:26 <DIR> dr-h----- C:\Documents and Settings\Joel Gibson\Application Data\SecuROM
    2007-12-26 17:25 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
    2007-12-26 17:25 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
    2007-12-26 17:25 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
    2007-12-26 17:25 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
    2007-12-19 19:57 . 2007-12-26 21:15 1,365 --a------ C:\WINDOWS\wininit.ini
    2007-12-11 21:53 . 2007-12-11 21:53 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\ATI
    2007-12-11 12:54 . 2007-12-11 12:54 294 ---hs---- C:\WINDOWS\system32\bhuymcss.ini
    2007-12-10 14:26 . 2007-12-10 14:27 <DIR> d-------- C:\Program Files\Aquaria

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-26 06:30 --------- d-----w C:\Program Files\Fredryk Phantasy
    2007-11-24 02:23 1,128 ----a-w C:\Program Files\log.dat
    2007-11-23 08:30 --------- d-----w C:\Documents and Settings\Joel Gibson\Application Data\mIRC
    2007-11-22 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-11-10 03:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
    2007-11-08 21:14 --------- d-----w C:\Program Files\Synaesthete
    2007-10-30 16:12 3,590,656 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
    2007-10-27 04:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
    2007-10-27 04:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
    2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
    2007-10-21 14:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
    2007-10-19 22:34 53,880,837 ----a-w C:\Program Files\LastStandInstall.exe
    2007-10-19 10:14 10,752 ----a-w C:\WINDOWS\DCEBoot.exe
    2007-10-10 23:56 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
    2007-10-10 23:56 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
    2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
    2007-10-10 23:56 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
    2007-10-10 23:56 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
    2007-10-10 23:56 1,159,680 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
    2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-10-10 23:55 478,208 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-10-10 23:55 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
    2007-10-10 23:55 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-10-10 23:55 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-10-10 23:55 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
    2007-10-10 23:55 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
    2007-10-10 23:55 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
    2007-10-10 23:55 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
    2007-10-10 23:55 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
    2007-10-10 10:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-10-10 10:59 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-10-10 05:46 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    2007-06-24 08:18 57,992 ----a-w C:\Documents and Settings\Joel Gibson\Application Data\GDIPFONTCACHEV1.DAT
    2006-12-20 01:05 35,511 ----a-w C:\Program Files\ReadMe.txt
    2004-11-08 20:22 929,792 ----a-w C:\Program Files\SCZ.exe
    2001-11-22 23:08 712,704 ----a-r C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
    2007-08-18 11:41 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-01-05_16.50.18.00 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2000-08-30 19:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
    A picture might be 1000 words, but its a heck of a lot more numbers-Joel Gibson

  2. #12
    Member
    Join Date
    Dec 2007
    Location
    NZ
    Posts
    30

Rest of logs

    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HTpatch"="C:\WINDOWS\htpatch.exe" [2002-12-19 16:40 28672]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-12-21 04:16 37376]
    "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
    "COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2007-12-26 23:00 1481472]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    --a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
    C:\Program Files\BitTorrent\bittorrent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
    --a------ 2002-10-15 18:00 1818624 C:\WINDOWS\mixer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imjpmig]
    --a------ 2003-02-10 14:48 192542 C:\IME\IMJP\imjpmig.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    --a------ 2004-08-05 00:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    --a------ 2005-08-11 14:30 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    --a------ 2005-08-11 14:30 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    C:\WINDOWS\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
    --a------ 2004-08-05 00:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
    --a------ 2001-08-17 22:36 86016 C:\WINDOWS\system32\pctspk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    --a------ 2004-08-05 00:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
    --a------ 2004-08-05 00:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TalkAndWrite]
    C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "iPodService"=3 (0x3)
    "ProtexisLicensing"=2 (0x2)
    "rpcapd"=3 (0x3)
    "Pctspk"=2 (0x2)
    "WMPNetworkSvc"=3 (0x3)
    "Fax"=2 (0x2)

    R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-12-26 23:00]
    R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-12-26 23:00]
    R2 CbmDev1;CbmDev1;C:\WINDOWS\system32\drivers\CbmDev1.sys [1998-01-16 08:43]
    R2 CbmDev2;CbmDev2;C:\WINDOWS\system32\drivers\CbmDev2.sys [1998-01-16 08:43]
    R2 CbmDev3;CbmDev3;C:\WINDOWS\system32\drivers\CbmDev3.sys [1998-01-16 08:43]
    S3 ipw_mdfl;Wireless Broadband Modem Filter;C:\WINDOWS\system32\DRIVERS\ipw_mdfl.sys []
    S3 ipw_mdm;Wireless Broadband Modem (WDM);C:\WINDOWS\system32\DRIVERS\ipw_mdm.sys []
    S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 13:28]
    S4 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 22:36]

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-06 12:10:18
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\guard32.dll

    PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
    -> C:\WINDOWS\system32\guard32.dll
    .
    Completion time: 2008-01-06 12:11:00
    ComboFix-quarantined-files.txt 2008-01-05 23:10:58
    ComboFix2.txt 2008-01-05 03:50:52
    .
    2008-01-04 23:28:54 --- E O F ---

  3. #13
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


Llama, good morning,

It looks like the file infector is gone and your HJT log looks fine.

    But we still need to do a few things to clean up the leftovers.

    Please download ATF Cleaner by Atribune to your desktop.
    • This program is for XP and Windows 2000 only
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.


Your system may start up slower after running ATF Cleaner; this is expected, and it will be back to normal after the first or second boot.

    • Your Java is out of date and leaving your system vulnerable.
    • Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
    • It should have an icon next to it:

      Select it and click Remove.
    • Reboot your system.
• Then go to Sun Microsystems and install the update
    • Java Runtime Environment Version 6 Update 3 <--This is what you need to download and install.
    • If you chose the online installation, it will prompt you to run the program.
    • If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
    • Then after install you can verify your installation here Sun Java Verify
I like to do the offline installation and save the setup file in case I may need it in the future.

    Please download SuperAntiSpyware
    Install the program
    • Run SuperAntiSpyware and click: Check for updates
    • Once the update is finished, on the main screen, click: Scan your computer
    • Check: Perform Complete Scan
    • Click Next to start the scan.

    Superantispyware scans the computer, and when finished, lists all the infections found.
    Make sure everything found has a check next to it, and press: Next
    Then, click Finish

    It is possible that the program asks to reboot in order to delete some files.

    Obtain the SuperAntiSpyware log as follows:
    • Click: Preferences
    • Click the Statistics/Logs tab
    • Under Scanner Logs, double-click SuperAntiSpyware Scan Log
    It opens in your default text editor (such as Notepad)

    Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.

    Don't be alarmed when SAS finds Vundo, it will be just leftover reg entries and such that it will remove.

Let me see the SAS log and one final HJT log, and let me know how you feel your system is running now.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  4. #14
    Member
    Join Date
    Dec 2007
    Location
    NZ
    Posts
    30


Morning, I suppose 1am here in NZ can count as morning...

However, Java is now updated (the online link prompted me with a save location?!?!), ATF Cleaner did whatever it was supposed to do, SAS can wait until daytime because it'll take long and I won't be awake till you're probably asleep anyway. HJT log as follows:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:06:33 a.m., on 7/01/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\htpatch.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Opera 9\Opera.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Trend Micro\HijackThis\Safer.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll (file missing)
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    --
    End of file - 5142 bytes

I've also re-enabled TeaTimer 'cause that usually gives me warnings when something is doing something I probably won't like (in this case it did, but it just couldn't do anything about it).

As far as I can tell, there are no randomly-named .dlls or .exes or registry entries that HJT can find, so that must be a good thing, right?

I also found it funny when one anti-spyware exe found "malicious entitys" which were the back-ups another anti-spyware programme had made before deleting them.
A picture might be 1000 words, but it's a heck of a lot more numbers - Joel Gibson

  5. #15
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


I also found it funny when one anti-spyware exe found "malicious entitys" which were the back-ups another anti-spyware programme had made before deleting them.
    Yep, this happens.

    I will wait for the SAS log and if all is ok you will be good to go.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  6. #16
    Member
    Join Date
    Dec 2007
    Location
    NZ
    Posts
    30

SAS log

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/07/2008 at 11:56 AM

    Application Version : 3.9.1008

    Core Rules Database Version : 3259
    Trace Rules Database Version: 1270

    Scan type : Complete Scan
    Total Scan Time : 00:38:43

    Memory items scanned : 446
    Memory threats detected : 0
    Registry items scanned : 6018
    Registry threats detected : 141
    File items scanned : 33642
    File threats detected : 105

    Adware.Vundo Variant
    HKLM\Software\Classes\CLSID\{0040C830-13D7-439C-B4F7-DC7EED3FB64D}
    HKCR\CLSID\{0040C830-13D7-439C-B4F7-DC7EED3FB64D}
    HKCR\CLSID\{0040C830-13D7-439C-B4F7-DC7EED3FB64D}\InprocServer32
    HKCR\CLSID\{0040C830-13D7-439C-B4F7-DC7EED3FB64D}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\AWVTQ.DLL
    HKLM\Software\Classes\CLSID\{1626FC60-560E-48AA-9416-E288721D27B0}
    HKCR\CLSID\{1626FC60-560E-48AA-9416-E288721D27B0}
    HKCR\CLSID\{1626FC60-560E-48AA-9416-E288721D27B0}\InprocServer32
    HKCR\CLSID\{1626FC60-560E-48AA-9416-E288721D27B0}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\JKHFG.DLL
    HKLM\Software\Classes\CLSID\{1B019667-19E4-4EBF-92D6-A96427EBC5F6}
    HKCR\CLSID\{1B019667-19E4-4EBF-92D6-A96427EBC5F6}
    HKCR\CLSID\{1B019667-19E4-4EBF-92D6-A96427EBC5F6}\InprocServer32
    HKCR\CLSID\{1B019667-19E4-4EBF-92D6-A96427EBC5F6}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\GEEDB.DLL
    HKLM\Software\Classes\CLSID\{23B565CE-1C4D-4D24-9773-BEE90C69D20C}
    HKCR\CLSID\{23B565CE-1C4D-4D24-9773-BEE90C69D20C}
    HKCR\CLSID\{23B565CE-1C4D-4D24-9773-BEE90C69D20C}\InprocServer32
    HKCR\CLSID\{23B565CE-1C4D-4D24-9773-BEE90C69D20C}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\SSTTS.DLL
    HKLM\Software\Classes\CLSID\{3C62BEA8-5055-46E0-AABC-9EB694DAB9C6}
    HKCR\CLSID\{3C62BEA8-5055-46E0-AABC-9EB694DAB9C6}
    HKCR\CLSID\{3C62BEA8-5055-46E0-AABC-9EB694DAB9C6}\InprocServer32
    HKCR\CLSID\{3C62BEA8-5055-46E0-AABC-9EB694DAB9C6}\InprocServer32#ThreadingModel
    HKLM\Software\Classes\CLSID\{4E953311-1240-4E21-965D-9CD09CE7FD23}
    HKCR\CLSID\{4E953311-1240-4E21-965D-9CD09CE7FD23}
    HKCR\CLSID\{4E953311-1240-4E21-965D-9CD09CE7FD23}\InprocServer32
    HKCR\CLSID\{4E953311-1240-4E21-965D-9CD09CE7FD23}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\VTUTS.DLL
    HKLM\Software\Classes\CLSID\{5B9B73C3-1ADE-4B4F-AA6B-AFB87DB93DFE}
    HKCR\CLSID\{5B9B73C3-1ADE-4B4F-AA6B-AFB87DB93DFE}
    HKCR\CLSID\{5B9B73C3-1ADE-4B4F-AA6B-AFB87DB93DFE}\InprocServer32
    HKCR\CLSID\{5B9B73C3-1ADE-4B4F-AA6B-AFB87DB93DFE}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\DDABB.DLL
    HKLM\Software\Classes\CLSID\{5C3F0ED5-9D70-4112-A34D-1B0A87559E2A}
    HKCR\CLSID\{5C3F0ED5-9D70-4112-A34D-1B0A87559E2A}
    HKCR\CLSID\{5C3F0ED5-9D70-4112-A34D-1B0A87559E2A}\InprocServer32
    HKCR\CLSID\{5C3F0ED5-9D70-4112-A34D-1B0A87559E2A}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\GEEBX.DLL
    HKLM\Software\Classes\CLSID\{6794FE3E-E6EC-49FE-B308-DF3206BC46D9}
    HKCR\CLSID\{6794FE3E-E6EC-49FE-B308-DF3206BC46D9}
    HKCR\CLSID\{6794FE3E-E6EC-49FE-B308-DF3206BC46D9}\InprocServer32
    HKCR\CLSID\{6794FE3E-E6EC-49FE-B308-DF3206BC46D9}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\GEBCD.DLL
    HKLM\Software\Classes\CLSID\{74435086-2553-4863-8124-7899D709B090}
    HKCR\CLSID\{74435086-2553-4863-8124-7899D709B090}
    HKCR\CLSID\{74435086-2553-4863-8124-7899D709B090}\InprocServer32
    HKCR\CLSID\{74435086-2553-4863-8124-7899D709B090}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\AWVVS.DLL
    HKLM\Software\Classes\CLSID\{7BD67659-54F7-420A-A9F2-8E94C7F69DC4}
    HKCR\CLSID\{7BD67659-54F7-420A-A9F2-8E94C7F69DC4}
    HKCR\CLSID\{7BD67659-54F7-420A-A9F2-8E94C7F69DC4}\InprocServer32
    HKCR\CLSID\{7BD67659-54F7-420A-A9F2-8E94C7F69DC4}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\PMNLM.DLL
    HKLM\Software\Classes\CLSID\{8052EF7D-5E2E-4822-AA0F-0BE37505543E}
    HKCR\CLSID\{8052EF7D-5E2E-4822-AA0F-0BE37505543E}
    HKCR\CLSID\{8052EF7D-5E2E-4822-AA0F-0BE37505543E}\InprocServer32
    HKCR\CLSID\{8052EF7D-5E2E-4822-AA0F-0BE37505543E}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\MLLJH.DLL
    HKLM\Software\Classes\CLSID\{8172212E-1678-4294-BB9C-BDE619CA9E22}
    HKCR\CLSID\{8172212E-1678-4294-BB9C-BDE619CA9E22}
    HKCR\CLSID\{8172212E-1678-4294-BB9C-BDE619CA9E22}\InprocServer32
    HKCR\CLSID\{8172212E-1678-4294-BB9C-BDE619CA9E22}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\DDCCA.DLL
    HKLM\Software\Classes\CLSID\{8273E79E-772E-4D6B-9050-FAB12B654A6C}
    HKCR\CLSID\{8273E79E-772E-4D6B-9050-FAB12B654A6C}
    HKCR\CLSID\{8273E79E-772E-4D6B-9050-FAB12B654A6C}\InprocServer32
    HKCR\CLSID\{8273E79E-772E-4D6B-9050-FAB12B654A6C}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\AWTQP.DLL
    HKLM\Software\Classes\CLSID\{83A75906-9763-4B73-B965-FCC4AC87965E}
    HKCR\CLSID\{83A75906-9763-4B73-B965-FCC4AC87965E}
    HKCR\CLSID\{83A75906-9763-4B73-B965-FCC4AC87965E}\InprocServer32
    HKCR\CLSID\{83A75906-9763-4B73-B965-FCC4AC87965E}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\JKKJH.DLL
    HKLM\Software\Classes\CLSID\{96DABAFC-CCD9-4F4B-8621-81F03C689BD4}
    HKCR\CLSID\{96DABAFC-CCD9-4F4B-8621-81F03C689BD4}
    HKCR\CLSID\{96DABAFC-CCD9-4F4B-8621-81F03C689BD4}\InprocServer32
    HKCR\CLSID\{96DABAFC-CCD9-4F4B-8621-81F03C689BD4}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\VTSQO.DLL
    HKLM\Software\Classes\CLSID\{B8320F23-74C6-4BBF-AB48-FBD37B7BEA9E}
    HKCR\CLSID\{B8320F23-74C6-4BBF-AB48-FBD37B7BEA9E}
    HKCR\CLSID\{B8320F23-74C6-4BBF-AB48-FBD37B7BEA9E}\InprocServer32
    HKCR\CLSID\{B8320F23-74C6-4BBF-AB48-FBD37B7BEA9E}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\SSQPM.DLL
    HKLM\Software\Classes\CLSID\{E496DC02-1001-4CAD-B0CB-776900BEA2A2}
    HKCR\CLSID\{E496DC02-1001-4CAD-B0CB-776900BEA2A2}
    HKCR\CLSID\{E496DC02-1001-4CAD-B0CB-776900BEA2A2}\InprocServer32
    HKCR\CLSID\{E496DC02-1001-4CAD-B0CB-776900BEA2A2}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\VTUTT.DLL
    HKLM\Software\Classes\CLSID\{F669E745-24CE-41E9-9165-360D1F86D26B}
    HKCR\CLSID\{F669E745-24CE-41E9-9165-360D1F86D26B}
    HKCR\CLSID\{F669E745-24CE-41E9-9165-360D1F86D26B}\InprocServer32
    HKCR\CLSID\{F669E745-24CE-41E9-9165-360D1F86D26B}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\MLJGF.DLL

    Trojan.WinFixer
    HKLM\Software\Classes\CLSID\{10763139-E829-43E8-921F-3CCA0D0C0BD7}
    HKCR\CLSID\{10763139-E829-43E8-921F-3CCA0D0C0BD7}
    HKCR\CLSID\{10763139-E829-43E8-921F-3CCA0D0C0BD7}\InprocServer32
    HKCR\CLSID\{10763139-E829-43E8-921F-3CCA0D0C0BD7}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\AWTQR.DLL
    HKLM\Software\Classes\CLSID\{2CF56A97-7837-41E3-BBFF-73E2D3C02303}
    HKCR\CLSID\{2CF56A97-7837-41E3-BBFF-73E2D3C02303}
    HKCR\CLSID\{2CF56A97-7837-41E3-BBFF-73E2D3C02303}\InprocServer32
    HKCR\CLSID\{2CF56A97-7837-41E3-BBFF-73E2D3C02303}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\JKHFC.DLL
    HKLM\Software\Classes\CLSID\{3D53C87B-A100-4BF4-936D-8F74E1EDEE89}
    HKCR\CLSID\{3D53C87B-A100-4BF4-936D-8F74E1EDEE89}
    HKCR\CLSID\{3D53C87B-A100-4BF4-936D-8F74E1EDEE89}\InprocServer32
    HKCR\CLSID\{3D53C87B-A100-4BF4-936D-8F74E1EDEE89}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\PMKHI.DLL
    HKLM\Software\Classes\CLSID\{4E27F2AD-C95D-4DED-8324-410C7A24FE65}
    HKCR\CLSID\{4E27F2AD-C95D-4DED-8324-410C7A24FE65}
    HKCR\CLSID\{4E27F2AD-C95D-4DED-8324-410C7A24FE65}\InprocServer32
    HKCR\CLSID\{4E27F2AD-C95D-4DED-8324-410C7A24FE65}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\DDCCB.DLL
    HKLM\Software\Classes\CLSID\{549C7839-AE42-427A-9FE2-DE8D2ADED5C9}
    HKCR\CLSID\{549C7839-AE42-427A-9FE2-DE8D2ADED5C9}
    HKCR\CLSID\{549C7839-AE42-427A-9FE2-DE8D2ADED5C9}\InprocServer32
    HKCR\CLSID\{549C7839-AE42-427A-9FE2-DE8D2ADED5C9}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\PMKJH.DLL
    HKLM\Software\Classes\CLSID\{70E0BDB3-2986-4807-99ED-B3D91913AF26}
    HKCR\CLSID\{70E0BDB3-2986-4807-99ED-B3D91913AF26}
    HKCR\CLSID\{70E0BDB3-2986-4807-99ED-B3D91913AF26}\InprocServer32
    HKCR\CLSID\{70E0BDB3-2986-4807-99ED-B3D91913AF26}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\DDAYW.DLL
    HKLM\Software\Classes\CLSID\{710F47D7-611F-45A1-81E2-EFB469E5B37C}
    HKCR\CLSID\{710F47D7-611F-45A1-81E2-EFB469E5B37C}
    HKCR\CLSID\{710F47D7-611F-45A1-81E2-EFB469E5B37C}\InprocServer32
    HKCR\CLSID\{710F47D7-611F-45A1-81E2-EFB469E5B37C}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\GEEDC.DLL
    HKLM\Software\Classes\CLSID\{714D3CD9-D791-4841-BAFC-AE244DD4BACE}
    HKCR\CLSID\{714D3CD9-D791-4841-BAFC-AE244DD4BACE}
    HKCR\CLSID\{714D3CD9-D791-4841-BAFC-AE244DD4BACE}\InprocServer32
    HKCR\CLSID\{714D3CD9-D791-4841-BAFC-AE244DD4BACE}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\SSTQP.DLL
    HKLM\Software\Classes\CLSID\{8708BC28-1CE4-4B2D-A513-C5C16E50AE1F}
    HKCR\CLSID\{8708BC28-1CE4-4B2D-A513-C5C16E50AE1F}
    HKCR\CLSID\{8708BC28-1CE4-4B2D-A513-C5C16E50AE1F}\InprocServer32
    HKCR\CLSID\{8708BC28-1CE4-4B2D-A513-C5C16E50AE1F}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\MLJGG.DLL
    HKLM\Software\Classes\CLSID\{A8AB2466-FB23-45EE-88D3-8171BA00FC50}
    HKCR\CLSID\{A8AB2466-FB23-45EE-88D3-8171BA00FC50}
    HKCR\CLSID\{A8AB2466-FB23-45EE-88D3-8171BA00FC50}\InprocServer32
    HKCR\CLSID\{A8AB2466-FB23-45EE-88D3-8171BA00FC50}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\SSQRQ.DLL
    HKLM\Software\Classes\CLSID\{A8F74992-CED4-4CC6-918B-862AE92AFEA3}
    HKCR\CLSID\{A8F74992-CED4-4CC6-918B-862AE92AFEA3}
    HKCR\CLSID\{A8F74992-CED4-4CC6-918B-862AE92AFEA3}\InprocServer32
    HKCR\CLSID\{A8F74992-CED4-4CC6-918B-862AE92AFEA3}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\DDAYV.DLL
    HKLM\Software\Classes\CLSID\{A90B98F0-E8CF-440E-B967-7332EB9B5ED3}
    HKCR\CLSID\{A90B98F0-E8CF-440E-B967-7332EB9B5ED3}
    HKCR\CLSID\{A90B98F0-E8CF-440E-B967-7332EB9B5ED3}\InprocServer32
    HKCR\CLSID\{A90B98F0-E8CF-440E-B967-7332EB9B5ED3}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\JKKJI.DLL
    HKLM\Software\Classes\CLSID\{B0D1F516-8C1B-4E71-8926-F017EDF3D4F7}
    HKCR\CLSID\{B0D1F516-8C1B-4E71-8926-F017EDF3D4F7}
    HKCR\CLSID\{B0D1F516-8C1B-4E71-8926-F017EDF3D4F7}\InprocServer32
    HKCR\CLSID\{B0D1F516-8C1B-4E71-8926-F017EDF3D4F7}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\PMNNM.DLL
    HKLM\Software\Classes\CLSID\{C99B63D6-10F3-4C85-B884-B2FDD19C7470}
    HKCR\CLSID\{C99B63D6-10F3-4C85-B884-B2FDD19C7470}
    HKCR\CLSID\{C99B63D6-10F3-4C85-B884-B2FDD19C7470}\InprocServer32
    HKCR\CLSID\{C99B63D6-10F3-4C85-B884-B2FDD19C7470}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\MLJGE.DLL
    HKLM\Software\Classes\CLSID\{D2089606-6D10-432A-BCD1-448136D0319C}
    HKCR\CLSID\{D2089606-6D10-432A-BCD1-448136D0319C}
    HKCR\CLSID\{D2089606-6D10-432A-BCD1-448136D0319C}\InprocServer32
    HKCR\CLSID\{D2089606-6D10-432A-BCD1-448136D0319C}\InprocServer32#ThreadingModel
    HKLM\Software\Classes\CLSID\{FB96AF35-EFA6-4FD0-8588-4DA83D74F501}
    HKCR\CLSID\{FB96AF35-EFA6-4FD0-8588-4DA83D74F501}
    HKCR\CLSID\{FB96AF35-EFA6-4FD0-8588-4DA83D74F501}\InprocServer32
    HKCR\CLSID\{FB96AF35-EFA6-4FD0-8588-4DA83D74F501}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\GEBCY.DLL

    Adware.Tracking Cookie
    C:\Documents and Settings\Joel Gibson\Cookies\joel_gibson@doubleclick[1].txt

    Adware.IEPlugin
    HKCR\Remove

    Trojan.Downloader-CREW
    C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20080105-142537-477.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100807.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100819.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100834.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100840.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100847.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100858.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100860.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100870.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100892.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100898.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100903.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100910.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100916.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100920.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101087.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101088.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101089.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101090.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101091.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101092.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101093.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101094.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101095.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101096.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101097.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101098.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101099.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101100.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101101.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101102.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101103.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP252\A0101562.DLL
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\ANWVSMQN.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\BFXUYHHP.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DGFXSYUL.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRHVRKPM.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\FVJFRQKT.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\IDJVJVIF.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\IJCTCDSO.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\JEWVWJOA.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\JLEAHHWF.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\KEOTFDCX.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LBNLVMOM.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LROGOXWN.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\NWHLEHED.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\QFPRBBEB.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\SNQIYYFQ.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\UCVIDIOR.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WJLDNUSV.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\EPGTMELK.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\BECWKCJV.DLL.BAD.VIR
    C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\DVLQGALI.DLL.BAD.VIR
    C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\GYKXQAFX.DLL.BAD.VIR
    C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\HROLLKOX.DLL.BAD.VIR
    C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\JRODKADA.DLL.BAD.VIR
    C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\LWEIBFWF.DLL.BAD.VIR
    C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\LYPGBKIP.DLL.BAD.VIR
    C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\OITQNBNW.DLL.BAD.VIR
    C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\RDGOQILO.DLL.BAD.VIR
    C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\RXQEMCMH.DLL.BAD.VIR
    C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\STBKHPPD.DLL.BAD.VIR
    C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\TXDBBPPG.DLL.BAD.VIR
    C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\VACULEVS.DLL.BAD.VIR
    C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\VOUMQSQP.DLL.BAD.VIR

    Adware.WhenU
    C:\PROGRAM FILES\DAEMON TOOLS\SETUPDTSB.EXE

    Trojan.Downloader-Gen/HitItQuitIt
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP249\A0099848.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100845.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100865.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100926.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100931.DLL


    Cheers!

  7. #17
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


WOW!! You had a ton of bad stuff it removed. You have to be careful of what you download and the sites you go to; the threats out there now are real nasty, some going around that can't be cleaned, a reformat of Windows is the only option, so watch yourself.
All the entries we removed are backed up in System Restore; we need to flush it all out.
System Restore makes regular backups of all your settings; if you ever had to use this program to restore your system to a previous date, you will be infected all over again, so we need to clean out the previous Restore Points.

    Turn off System Restore.

    • Right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • Check Turn off System Restore on all Drives.
    • Click Apply, and then click OK.



    Reboot your computer


    Turn ON System Restore.

    • Right-click My Computer.
• Click Properties.
    • Click the System Restore tab.
    • UN-Check Turn off System Restore on all Drives.
    • Click Apply, and then click OK.



    Create a new Restore Point <-- Very Important

    • Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
  You need to go into the Control Panel and switch to Category View to be able to Create a New Restore Point

    System Restore Tutorial <-- If you need it


    Post one last HJT log for review and let me know how your system is running now ???
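The point of the System Restore flush above is that most of the "file threats" in the SAS log were not live files at all: they were archived copies sitting in restore points, in the ComboFix quarantine (Qoobox) and in the HijackThis backup folder, while only a handful of DLLs in SYSTEM32 were still in place. The following is an added example, not part of this thread or of any of the tools it mentions, that sorts a SUPERAntiSpyware-style detection list by where each item lives, so a reader can see at a glance which hits are live and which restore points still hold malware. The function names and the location classes are my own; the sample log is constructed in the layout of the log posted above, using a few of its lines.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of the SUPERAntiSpyware log above: a threat
# name on its own line, followed by the registry keys and files attributed to it.
# A few paths are borrowed from the posted log for illustration; this is not the full log.
SAMPLE_LOG = r"""
Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{0040C830-13D7-439C-B4F7-DC7EED3FB64D}
HKCR\CLSID\{0040C830-13D7-439C-B4F7-DC7EED3FB64D}\InprocServer32
C:\WINDOWS\SYSTEM32\AWVTQ.DLL

Trojan.Downloader-CREW
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20080105-142537-477.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100807.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101087.DLL
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\ANWVSMQN.DLL.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\BECWKCJV.DLL.BAD.VIR

Adware.WhenU
C:\PROGRAM FILES\DAEMON TOOLS\SETUPDTSB.EXE
"""

# A detection line is either a registry key or a drive-letter path; any other
# non-blank line is taken to be a threat-name header.
ENTRY_RE = re.compile(r"^(?:[A-Za-z]:\\|HK(?:LM|CU|CR|U|US)\\)")
RESTORE_RE = re.compile(
    r"\\SYSTEM VOLUME INFORMATION\\_RESTORE\{[0-9A-F-]+\}\\(RP\d+)\\", re.IGNORECASE
)


def classify(entry):
    """Where a detected item lives: registry key, cleanup-tool quarantine,
    HijackThis backup, System Restore point, or still live on the system."""
    up = entry.upper()
    if up.startswith("HK"):
        return "registry"
    if "\\QOOBOX\\QUARANTINE\\" in up:      # ComboFix quarantine (VundoFix backups were moved there too)
        return "quarantine"
    if "\\HIJACKTHIS\\BACKUPS\\" in up:     # copies HJT keeps of entries it fixed
        return "tool-backup"
    if RESTORE_RE.search(up):
        return "restore-point"
    return "live"


def parse_sas_log(text):
    """Return {threat_name: [entries]} from the detections section of the log."""
    findings = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_RE.match(line):
            if current is not None:
                findings[current].append(line)
        else:
            current = line                   # new threat-name header
    return dict(findings)


def summarize(findings):
    """Per threat, how many items fell into each location class."""
    return {name: dict(Counter(classify(e) for e in entries))
            for name, entries in findings.items()}


def live_files(findings):
    """Files still in place on the running system: the ones that matter most."""
    return sorted(e for entries in findings.values() for e in entries
                  if classify(e) == "live")


def restore_points_holding_malware(findings):
    """Restore points (RPnnn) that archive a detected file; these are what the
    turn-System-Restore-off-and-on step flushes."""
    found = set()
    for entries in findings.values():
        for e in entries:
            m = RESTORE_RE.search(e.upper())
            if m:
                found.add(m.group(1))
    return sorted(found)


if __name__ == "__main__":
    findings = parse_sas_log(SAMPLE_LOG)
    for name, counts in summarize(findings).items():
        print(f"{name}: {counts}")
    print("live files:", live_files(findings))
    print("restore points to flush:", restore_points_holding_malware(findings))
```

Run against the full log posted above, the same split shows that the Vundo and WinFixer hits are live DLLs and CLSID registrations, whereas nearly all of the Trojan.Downloader-CREW hits are archived copies that only a restore or a mis-handled quarantine could bring back.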

  8. #18
    Member
    Join Date
    Dec 2007
    Location
    NZ
    Posts
    30


System Restore turned off, then on, then created a restore point: Check

    HJT log: Check

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:50:11 p.m., on 7/01/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\htpatch.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Opera 9\Opera.exe
    C:\Program Files\Trend Micro\HijackThis\Safer.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089BB353-5ED8-4C9B-866C-31605CFD2EFF} - (no file)
    O2 - BHO: (no name) - {0F13071E-0B38-4324-839C-CA20E1C8C27C} - (no file)
    O2 - BHO: (no name) - {153E1C77-992C-47A7-884D-04C89AF8E73F} - (no file)
    O2 - BHO: (no name) - {203f3bcc-2e8e-4b41-ba05-16210261dcfd} - (no file)
    O2 - BHO: (no name) - {2B380D9A-61A6-4D9F-97C0-4916CC7003EA} - (no file)
    O2 - BHO: (no name) - {2F626105-5DC9-4623-A85B-67E64503249B} - (no file)
    O2 - BHO: (no name) - {2F7A9AF9-2277-4C31-B19E-7B09931AC99F} - (no file)
    O2 - BHO: (no name) - {31B2E6EC-2CAF-42F2-8A69-D5208B13D3A4} - (no file)
    O2 - BHO: (no name) - {3496AEAA-BD5E-4FC9-8E9E-66725F6A545B} - (no file)
    O2 - BHO: (no name) - {36330830-6053-4E17-9B59-B55CF7101A19} - (no file)
    O2 - BHO: (no name) - {37024FFE-F851-45A4-81DE-372AE57056C3} - (no file)
    O2 - BHO: (no name) - {46782F63-2C18-4B43-90EC-C63E8AF6166B} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {59DFAEF9-71AB-44D0-ACE5-065317A0B614} - (no file)
    O2 - BHO: (no name) - {6AE40AC7-A7FB-4077-B271-5A156B9D980D} - (no file)
    O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {77C5A4AE-A217-4EF2-A70A-2A41D7D75B0A} - (no file)
    O2 - BHO: (no name) - {81FC19CA-4C54-4AB6-8952-341345BB8E7C} - (no file)
    O2 - BHO: (no name) - {A204BC7D-6B84-4915-A629-76F790E96751} - (no file)
    O2 - BHO: (no name) - {ACD52C84-DCCD-4A64-ACF3-478DA69B95CF} - (no file)
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll (file missing)
    O2 - BHO: (no name) - {C4D3D881-5B72-4966-8418-4B1C3C6D8D5B} - (no file)
    O2 - BHO: (no name) - {C744ED46-F576-4C63-B383-8A80CFCBC5F5} - (no file)
    O2 - BHO: (no name) - {CA3EA2D9-48F5-4012-8C1A-10274F99A3FD} - (no file)
    O2 - BHO: (no name) - {E5C5FC47-A373-4535-94A4-D37D93300479} - (no file)
    O2 - BHO: (no name) - {E735962A-4C19-4447-BE6F-0BA3CE6EAE44} - (no file)
    O2 - BHO: (no name) - {E96D4F03-E048-46DD-98D7-B15530AF90EC} - (no file)
    O2 - BHO: (no name) - {EE403AD3-4C0A-48D4-9618-BC8D5838CD9E} - (no file)
    O2 - BHO: (no name) - {EFD2D48C-972D-48F3-BD00-089DFB39DAEC} - (no file)
    O2 - BHO: (no name) - {F5CB5F68-091E-4F25-8998-40B75CF3D268} - (no file)
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: byxyvut - C:\WINDOWS\
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    --
    End of file - 7519 bytes

I'm a tad suspicious of the many O2 Browser Helper Objects with no name or file, because that's what most of the Vundo ones were, albeit neither Spybot nor Comodo Firewall came up with anything, so I'm going to assume that's alright. Can I now remove SAS, VundoFix.exe etc. (I will keep Spybot, Comodo and find myself an anti-virus programme)?

    Otherwise, thanks for all the help!
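The suspicion in the post above is the right instinct: an O2 BHO line reading "(no name) ... (no file)" means a CLSID registration survived after its DLL was removed, and an O20 Winlogon Notify entry that points at a bare directory rather than a DLL is a dead hook in the same spirit. Both are leftovers rather than running code, but they are exactly the lines a helper ticks in HijackThis. The following is an added example, not part of this thread and not HijackThis's own code, that triages HJT log lines into those categories; the function names and reason labels are my own, and the sample log is constructed in HJT's line format using a few entries from the log above.

```python
import re

# Constructed sample in the layout of the HijackThis log above (a handful of its
# lines, not the full log), mixing legitimate entries with the kinds that got fixed.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089BB353-5ED8-4C9B-866C-31605CFD2EFF} - (no file)
O2 - BHO: (no name) - {0F13071E-0B38-4324-839C-CA20E1C8C27C} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll (file missing)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxyvut - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# "O2 - BHO: <name> - {CLSID} - <target>" and "O20 - Winlogon Notify: <name> - <target>"
LINE_RE = re.compile(r"^(?P<section>O\d+|R\d) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")


def triage_hjt(text):
    """Return [(line, reason)] for entries worth a second look."""
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O2":
            b = BHO_RE.match(body)
            if not b:
                continue
            target = b.group("target")
            if target == "(no file)":
                # CLSID registration survived but its DLL is gone: leftover of a removed BHO.
                flagged.append((line, "orphaned-bho"))
            elif target.endswith("(file missing)"):
                # Registration still names a real path, but nothing is there any more.
                flagged.append((line, "missing-dll"))
        elif section == "O20":
            n = NOTIFY_RE.match(body)
            if n and not n.group("target").lower().endswith(".dll"):
                # A Winlogon Notify package has to name a DLL; a bare directory is a dead hook.
                flagged.append((line, "winlogon-no-dll"))
    return flagged


# Dead registrations that can simply be ticked for "Fix checked"; a "(file missing)"
# entry belonging to a known product is reported but left for a human to decide.
FIX_REASONS = {"orphaned-bho", "winlogon-no-dll"}


def fix_list(text):
    """The lines one would check in HijackThis for the case above."""
    return [line for line, reason in triage_hjt(text) if reason in FIX_REASONS]


if __name__ == "__main__":
    for line, reason in triage_hjt(SAMPLE_HJT):
        print(f"[{reason}] {line}")
```

Applied to the full log above, the fix list is the 24 "(no name) ... (no file)" O2 entries plus the byxyvut Winlogon Notify line, while the MSN Toolbar "(file missing)" entry is only reported: it names a known product's path and is harmless clutter rather than an infection remnant.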

  9. #19
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


Not sure why all that came back; do this, as they're all related to Vundo. Although there are no files, those entries should be gone.

Keep this disabled until I give you the all clear. It's possible that it prevented SAS from removing those entries.
You need to disable the TeaTimer in Spybot Search and Destroy or it may prevent the fixes from taking.

    1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
    3. On the left hand side, Click on Tools
    4. Then click on the Resident Icon in the List
    5. Uncheck "Resident TeaTimer" and OK any prompts.
    6. Restart your computer for it to take effect.




    Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

    O2 - BHO: (no name) - {089BB353-5ED8-4C9B-866C-31605CFD2EFF} - (no file)
    O2 - BHO: (no name) - {0F13071E-0B38-4324-839C-CA20E1C8C27C} - (no file)
    O2 - BHO: (no name) - {153E1C77-992C-47A7-884D-04C89AF8E73F} - (no file)
    O2 - BHO: (no name) - {203f3bcc-2e8e-4b41-ba05-16210261dcfd} - (no file)
    O2 - BHO: (no name) - {2B380D9A-61A6-4D9F-97C0-4916CC7003EA} - (no file)
    O2 - BHO: (no name) - {2F626105-5DC9-4623-A85B-67E64503249B} - (no file)
    O2 - BHO: (no name) - {2F7A9AF9-2277-4C31-B19E-7B09931AC99F} - (no file)
    O2 - BHO: (no name) - {31B2E6EC-2CAF-42F2-8A69-D5208B13D3A4} - (no file)
    O2 - BHO: (no name) - {3496AEAA-BD5E-4FC9-8E9E-66725F6A545B} - (no file)
    O2 - BHO: (no name) - {36330830-6053-4E17-9B59-B55CF7101A19} - (no file)
    O2 - BHO: (no name) - {37024FFE-F851-45A4-81DE-372AE57056C3} - (no file)
    O2 - BHO: (no name) - {46782F63-2C18-4B43-90EC-C63E8AF6166B} - (no file)
    O2 - BHO: (no name) - {59DFAEF9-71AB-44D0-ACE5-065317A0B614} - (no file)
    O2 - BHO: (no name) - {6AE40AC7-A7FB-4077-B271-5A156B9D980D} - (no file)
    O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - (no file)
    O2 - BHO: (no name) - {C4D3D881-5B72-4966-8418-4B1C3C6D8D5B} - (no file)
    O2 - BHO: (no name) - {C744ED46-F576-4C63-B383-8A80CFCBC5F5} - (no file)
    O2 - BHO: (no name) - {CA3EA2D9-48F5-4012-8C1A-10274F99A3FD} - (no file)
    O2 - BHO: (no name) - {E5C5FC47-A373-4535-94A4-D37D93300479} - (no file)
    O2 - BHO: (no name) - {E735962A-4C19-4447-BE6F-0BA3CE6EAE44} - (no file)
    O2 - BHO: (no name) - {E96D4F03-E048-46DD-98D7-B15530AF90EC} - (no file)
    O2 - BHO: (no name) - {EE403AD3-4C0A-48D4-9618-BC8D5838CD9E} - (no file)
    O2 - BHO: (no name) - {EFD2D48C-972D-48F3-BD00-089DFB39DAEC} - (no file)
    O2 - BHO: (no name) - {F5CB5F68-091E-4F25-8998-40B75CF3D268} - (no file)

    O20 - Winlogon Notify: byxyvut - C:\WINDOWS\




    Drag Combofix to the trash and download and run the newest version that was just posted yesterday.

    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Post the New Combofix log and a New HJT log
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
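The fix list above pairs "(no name)" BHOs with "(no file)" paths and a Winlogon Notify entry whose path is cut off at C:\WINDOWS\. As an added example, not code from this thread, here is a small triage script that scans HijackThis O2/O20 lines for exactly those two patterns; the sample lines are constructed from entries quoted above, and the benign BHO CLSID and path are placeholders.

```python
"""Triage HijackThis O2 (BHO) and O20 (Winlogon Notify) lines.

Added example, not part of the forum thread. Flags the two patterns the
expert asked the poster to fix: BHO registrations with no name and no
backing file, and Winlogon Notify entries whose path is not a real DLL.
"""
import re
from typing import List, Tuple

# O2 - BHO: <name> - {CLSID} - <path>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
# O20 - Winlogon Notify: <value name> - <path>
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

# Constructed sample log: first and third lines mirror entries quoted in the
# thread; the second line is a placeholder benign BHO (CLSID/path invented);
# the fourth is the SUPERAntiSpyware notify DLL seen in the ComboFix log.
SAMPLE_LOG = (
    "O2 - BHO: (no name) - {089BB353-5ED8-4C9B-866C-31605CFD2EFF} - (no file)\n"
    "O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001}"
    " - C:\\Program Files\\Example\\helper.dll\n"
    "O20 - Winlogon Notify: byxyvut - C:\\WINDOWS\\\n"
    "O20 - Winlogon Notify: !SASWinLogon"
    " - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll\n"
)


def triage_line(line: str) -> List[str]:
    """Return the reasons one HJT line looks suspicious (empty list if none)."""
    line = line.strip()
    reasons: List[str] = []
    m = O2_RE.match(line)
    if m:
        if m["name"] == "(no name)":
            reasons.append("BHO registered without a name")
        if m["path"] == "(no file)":
            reasons.append("BHO CLSID has no backing file (orphaned registration)")
        return reasons
    m = O20_RE.match(line)
    if m:
        # A legitimate notify package names a DLL; a bare directory means the
        # value is stale or the file was removed while the registration stayed.
        if not m["path"].strip().lower().endswith(".dll"):
            reasons.append("Winlogon Notify entry does not point at a DLL")
        return reasons
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run triage_line over a whole log and keep only the flagged lines."""
    hits: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            hits.append((raw.strip(), reasons))
    return hits


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG):
        print(entry, "->", "; ".join(why))
```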

  10. #20
    Member
    Join Date
    Dec 2007
    Location
    NZ
    Posts
    30

    Default combofix log

    ComboFix 08-01-04.1 - Joel Gibson 2008-01-07 23:40:12.3 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.668 [GMT 13:00]
    Running from: C:\Documents and Settings\Joel Gibson\Desktop\ComboFix.exe
    .
    The following files were disabled during the run:
    C:\WINDOWS\system32\guard32.dll


    ((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
    .

    2008-01-07 00:54 . 2008-01-07 00:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-01-07 00:54 . 2008-01-07 00:54 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\SUPERAntiSpyware.com
    2008-01-07 00:54 . 2008-01-07 00:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-01-07 00:48 . 2008-01-07 00:48 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-01-07 00:48 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-01-06 12:57 . 2008-01-06 12:57 <DIR> d-------- C:\Program Files\EsetOnlineScanner
    2008-01-05 15:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-12-30 21:57 . 2007-12-30 21:57 <DIR> d--hs---- C:\FOUND.003
    2007-12-29 20:39 . 2007-12-29 20:39 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Command and Conquer 3 Tiberium Wars
    2007-12-29 00:06 . 2007-12-29 00:06 <DIR> d-------- C:\Games
    2007-12-28 11:29 . 2007-12-28 11:29 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Winamp
    2007-12-27 18:08 . 2007-12-27 18:08 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\The Chosen demo
    2007-12-27 18:08 . 2007-12-27 18:08 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Frater
    2007-12-26 23:00 . 2007-12-26 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
    2007-12-26 23:00 . 2007-12-26 23:00 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
    2007-12-26 23:00 . 2007-12-26 23:00 81,272 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
    2007-12-26 23:00 . 2007-12-26 23:00 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
    2007-12-26 21:21 . 2007-12-26 21:21 <DIR> d-------- C:\Program Files\COMODO
    2007-12-26 21:21 . 2007-12-26 21:21 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Comodo
    2007-12-26 18:26 . 2007-12-26 18:26 <DIR> dr-h----- C:\Documents and Settings\Joel Gibson\Application Data\SecuROM
    2007-12-26 17:25 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
    2007-12-26 17:25 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
    2007-12-26 17:25 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
    2007-12-26 17:25 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
    2007-12-19 19:57 . 2007-12-26 21:15 1,365 --a------ C:\WINDOWS\wininit.ini
    2007-12-11 21:53 . 2007-12-11 21:53 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\ATI
    2007-12-11 12:54 . 2007-12-11 12:54 294 ---hs---- C:\WINDOWS\system32\bhuymcss.ini
    2007-12-10 14:26 . 2007-12-10 14:27 <DIR> d-------- C:\Program Files\Aquaria

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-26 06:30 --------- d-----w C:\Program Files\Fredryk Phantasy
    2007-11-24 02:23 1,128 ----a-w C:\Program Files\log.dat
    2007-11-23 08:30 --------- d-----w C:\Documents and Settings\Joel Gibson\Application Data\mIRC
    2007-11-22 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-11-10 03:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
    2007-11-08 21:14 --------- d-----w C:\Program Files\Synaesthete
    2007-10-30 16:12 3,590,656 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
    2007-10-27 04:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
    2007-10-27 04:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
    2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
    2007-10-21 14:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
    2007-10-19 22:34 53,880,837 ----a-w C:\Program Files\LastStandInstall.exe
    2007-10-19 10:14 10,752 ----a-w C:\WINDOWS\DCEBoot.exe
    2007-10-10 23:56 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
    2007-10-10 23:56 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
    2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
    2007-10-10 23:56 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
    2007-10-10 23:56 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
    2007-10-10 23:56 1,159,680 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
    2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-10-10 23:55 478,208 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-10-10 23:55 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
    2007-10-10 23:55 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-10-10 23:55 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-10-10 23:55 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
    2007-10-10 23:55 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
    2007-10-10 23:55 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
    2007-10-10 23:55 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
    2007-10-10 23:55 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
    2007-10-10 10:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-10-10 10:59 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-10-10 05:46 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    2007-06-24 08:18 57,992 ----a-w C:\Documents and Settings\Joel Gibson\Application Data\GDIPFONTCACHEV1.DAT
    2006-12-20 01:05 35,511 ----a-w C:\Program Files\ReadMe.txt
    2004-11-08 20:22 929,792 ----a-w C:\Program Files\SCZ.exe
    2001-11-22 23:08 712,704 ----a-r C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
    2007-08-18 11:41 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-01-05_16.50.18.00 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2000-08-30 19:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
    + 2008-01-06 11:54:08 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
    + 2008-01-06 11:54:08 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
    + 2008-01-06 11:54:08 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
    - 2007-07-11 12:22:00 135,168 ----a-w C:\WINDOWS\system32\java.exe
    + 2007-09-24 09:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
    - 2007-07-11 12:22:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
    + 2007-09-24 09:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
    - 2007-07-11 13:22:38 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
    + 2007-09-24 10:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
    + 2007-07-27 02:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
    + 2007-07-27 02:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
    + 2005-12-05 07:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
    + 2005-12-05 00:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
    + 2007-08-02 05:11:28 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
    + 2007-08-02 05:11:14 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
    + 2007-08-08 03:30:12 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
    + 2007-06-12 22:10:34 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
    + 2004-12-06 22:11:34 258,352 ----a-w C:\WINDOWS\system32\unicows.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77C5A4AE-A217-4EF2-A70A-2A41D7D75B0A}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81FC19CA-4C54-4AB6-8952-341345BB8E7C}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A204BC7D-6B84-4915-A629-76F790E96751}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ACD52C84-DCCD-4A64-ACF3-478DA69B95CF}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HTpatch"="C:\WINDOWS\htpatch.exe" [2002-12-19 16:40 28672]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-12-21 04:16 37376]
    "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
    "COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2007-12-26 23:00 1481472]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    2007-03-09 11:09 63712 --a------ C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
    C:\Program Files\BitTorrent\bittorrent.exe --force_start_minimized

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
    Mixer.exe /startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imjpmig]
    C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe -startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    C:\WINDOWS\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
    C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
    pctspk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
    C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\QTTask.exe -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TalkAndWrite]
    C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe /run

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "iPodService"=3 (0x3)
    "ProtexisLicensing"=2 (0x2)
    "rpcapd"=3 (0x3)
    "Pctspk"=2 (0x2)
    "WMPNetworkSvc"=3 (0x3)
    "Fax"=2 (0x2)

    R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-12-26 23:00]
    R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-12-26 23:00]
    R2 CbmDev1;CbmDev1;C:\WINDOWS\system32\drivers\CbmDev1.sys [1998-01-16 08:43]
    R2 CbmDev2;CbmDev2;C:\WINDOWS\system32\drivers\CbmDev2.sys [1998-01-16 08:43]
    R2 CbmDev3;CbmDev3;C:\WINDOWS\system32\drivers\CbmDev3.sys [1998-01-16 08:43]
    S3 ipw_mdfl;Wireless Broadband Modem Filter;C:\WINDOWS\system32\DRIVERS\ipw_mdfl.sys []
    S3 ipw_mdm;Wireless Broadband Modem (WDM);C:\WINDOWS\system32\DRIVERS\ipw_mdm.sys []
    S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 13:28]
    S4 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 22:36]

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-07 23:59:53
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\guard32.dll

    PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
    -> C:\WINDOWS\system32\guard32.dll
    .
    Completion time: 2008-01-08 0:00:45
    ComboFix-quarantined-files.txt 2008-01-07 11:00:42
    ComboFix3.txt 2008-01-05 03:50:52
    ComboFix2.txt 2008-01-05 23:11:02
    .
    2008-01-04 23:28:54 --- E O F ---
    A picture might be 1000 words, but it's a heck of a lot more numbers - Joel Gibson
