
Thread: Virtumonde found me

#11 (Junior Member, joined Feb 2008, 23 posts)

combofix log

    combofix log:
    ComboFix 08-02-25.2 - Owner 2008-02-24 21:05:53.3 - NTFSx86
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
    .

    2008-02-24 14:26 . 2008-02-24 14:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
    2008-02-24 14:26 . 2008-02-24 14:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-02-24 14:25 . 2008-02-24 14:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-02-24 12:47 . 2008-02-24 13:17 <DIR> d-------- C:\VundoFix Backups
    2008-02-23 13:56 . 2008-02-23 13:56 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-23 10:34 . 2008-02-24 10:20 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
    2008-02-23 10:34 . 2008-02-24 10:20 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
    2008-02-21 20:22 . 2008-02-23 20:34 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2008-02-17 14:06 . 2008-02-17 14:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-02-17 14:06 . 2008-02-17 14:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-02-15 20:40 . 2008-02-17 22:04 476 --a------ C:\WINDOWS\wininit.ini
    2008-02-15 20:06 . 2008-02-15 19:56 691,545 --a------ C:\WINDOWS\unins000.exe
    2008-02-15 20:06 . 2008-02-15 20:06 3,444 --a------ C:\WINDOWS\unins000.dat
    2008-02-15 15:24 . 2008-02-15 15:25 2,094 --ahs---- C:\WINDOWS\system32\gebgemvv.ini
    2008-02-15 15:18 . 2008-02-24 10:19 157,341 --a------ C:\WINDOWS\BM7383503f.xml
    2008-02-15 15:18 . 2008-02-24 12:44 22 --a------ C:\WINDOWS\pskt.ini
    2008-02-13 15:27 . 2008-02-15 14:53 1,373,515 --ahs---- C:\WINDOWS\system32\dwlbxjfq.ini
    2008-02-07 19:22 . 2008-02-07 19:27 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Intuit
    2008-02-07 19:20 . 2008-02-07 19:20 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
    2008-02-07 19:18 . 2008-02-07 19:18 <DIR> d-------- C:\Program Files\Common Files\Intuit
    2008-02-07 19:18 . 2008-02-07 19:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit
    2008-02-07 19:18 . 2007-10-22 18:58 1,721,712 --a------ C:\WINDOWS\system32\InetClnt.dll
    2008-02-07 19:08 . 2008-02-07 19:08 <DIR> d-------- C:\Program Files\TurboTax
    2008-02-03 08:57 . 2008-02-03 10:47 <DIR> d-------- C:\Program Files\EsetOnlineScanner
    2008-02-01 21:04 . 2008-02-01 21:05 1,741,284 --ahs---- C:\WINDOWS\system32\murjhrjq.ini
    2008-02-01 09:07 . 2008-02-01 09:07 0 --a------ C:\WINDOWS\system32\scrwjxgd.tmp
    2008-02-01 09:06 . 2008-02-01 09:07 1,707,104 --ahs---- C:\WINDOWS\system32\scrwjxgd.ini
    2008-01-31 21:10 . 2008-01-31 21:10 1,719,767 --ahs---- C:\WINDOWS\system32\tcfqvwlf.ini
    2008-01-31 21:06 . 2008-01-31 21:07 1,961,288 --ahs---- C:\WINDOWS\system32\rxdhlufi.ini
    2008-01-31 09:09 . 2008-01-31 16:00 1,707,044 --ahs---- C:\WINDOWS\system32\impyrvot.ini
    2008-01-31 09:03 . 2008-01-31 09:04 1,725,849 --ahs---- C:\WINDOWS\system32\conlbuwo.ini
    2008-01-30 21:05 . 2008-01-30 21:05 1,721,568 --ahs---- C:\WINDOWS\system32\wlbgiali.ini
    2008-01-29 17:30 . 2008-01-31 16:00 1,964,520 --ahs---- C:\WINDOWS\system32\wgtqxlop.ini
    2008-01-28 19:03 . 2008-01-28 19:03 <DIR> d-------- C:\WINDOWS\system32\bak
    2008-01-28 09:47 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
    2008-01-27 20:18 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-01-27 20:17 . 2008-01-27 20:17 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-01-27 20:13 . 2008-01-27 20:13 <DIR> d-------- C:\Program Files\SDM
    2008-01-27 19:22 . 2008-01-27 19:22 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-01-27 19:00 . 2007-07-08 21:01 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2008-01-27 19:00 . 2007-07-08 21:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
    2008-01-27 19:00 . 2007-12-17 21:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
    2008-01-27 19:00 . 2007-07-08 21:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
    2008-01-27 09:26 . 2008-01-27 15:01 586 --ahs---- C:\WINDOWS\system32\gyflbydn.ini
    2008-01-27 09:23 . 2008-01-27 09:23 294 --ahs---- C:\WINDOWS\system32\vwfoojqm.ini
    2008-01-26 09:29 . 2008-01-26 18:02 466 --ahs---- C:\WINDOWS\system32\qwjlrleh.ini
    2008-01-26 09:23 . 2008-01-26 09:23 294 --ahs---- C:\WINDOWS\system32\wqaqtmdy.ini
    2008-01-25 21:24 . 2008-01-26 09:35 466 --ahs---- C:\WINDOWS\system32\imkhfurx.ini
    2008-01-25 21:21 . 2008-01-25 21:21 294 --ahs---- C:\WINDOWS\system32\cxsvknup.ini

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-24 18:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-02-24 04:35 15,360 ----a-w C:\WINDOWS\system32\ctfmon .exe
    2008-02-22 04:22 --------- d-----w C:\Program Files\MSN Messenger
    2008-02-16 04:39 --------- d-----w C:\Program Files\Free Offers from Freeze.com
    2008-02-16 04:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-16 01:05 --------- d-----w C:\Program Files\McAfee
    2008-02-08 03:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-07 23:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
    2008-01-28 07:33 169,984 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
    2008-01-28 04:18 --------- d-----w C:\Program Files\Java
    2008-01-19 03:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-01-19 03:48 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2008-01-11 03:36 --------- d-----w C:\Program Files\RcvSystem
    2008-01-05 19:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\SiteAdvisor
    2008-01-04 19:00 --------- d-----w C:\Program Files\Common Files\Webroot Shared
    2008-01-04 19:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Webroot
    2008-01-02 20:39 --------- d-----w C:\Documents and Settings\britney.FILBERT\Application Data\SiteAdvisor
    2008-01-01 23:37 --------- d-----w C:\Program Files\SiteAdvisor
    2008-01-01 16:12 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
    2007-12-31 01:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
    2007-12-31 01:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2007-12-31 01:29 --------- d-----w C:\Program Files\Common Files\McAfee
    2007-12-31 01:24 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-12-31 01:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2007-12-31 01:03 --------- d-----w C:\Program Files\Yahoo!
    2007-12-29 23:59 --------- d-----w C:\Program Files\QuickTime
    2007-12-23 18:54 46,512 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
    2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
    2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
    2007-11-27 07:04 74,703 ----a-w C:\WINDOWS\system32\mfc45.dll
    2007-11-26 22:47 194,888 ----a-w C:\WINDOWS\Unwash6.exe
    2007-11-26 02:49 46,512 ----a-w C:\Documents and Settings\britney.FILBERT\Application Data\GDIPFONTCACHEV1.DAT
    .
    Code:
    <pre>
    ----a-w           115,816 2007-12-29 17:39:32  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
    ----a-w            68,856 2007-12-29 17:39:46  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    ----a-w           270,648 2007-12-22 18:55:30  C:\Program Files\iTunes\iTunesHelper .exe
    ----a-w           144,784 2008-01-28 04:57:19  C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
    ----a-w           582,992 2008-01-30 02:05:10  C:\Program Files\McAfee.com\Agent\mcagent .exe
    ----a-w         1,694,208 2007-12-28 05:32:54  C:\Program Files\Messenger\msmsgs .exe
    ----a-w         5,674,352 2008-01-29 02:38:02  C:\Program Files\MSN Messenger\MsnMsgr .Exe
    ----a-w         5,674,352 2008-01-31 03:43:29  C:\Program Files\MSN Messenger\bak\msnmsgr .exe
    ----a-w           282,624 2007-12-30 06:01:00  C:\Program Files\QuickTime\qttask                     .exe
    ----a-w           282,624 2007-12-30 06:01:01  C:\Program Files\QuickTime\qttask                    .exe
    ----a-w           282,624 2007-12-30 06:01:02  C:\Program Files\QuickTime\qttask                   .exe
    ----a-w           282,624 2007-12-30 06:01:03  C:\Program Files\QuickTime\qttask                  .exe
    ----a-w           282,624 2007-12-30 06:01:04  C:\Program Files\QuickTime\qttask                 .exe
    ----a-w           282,624 2007-12-30 06:01:05  C:\Program Files\QuickTime\qttask                .exe
    ----a-w           282,624 2007-12-30 06:01:07  C:\Program Files\QuickTime\qttask               .exe
    ----a-w           282,624 2007-12-30 06:01:08  C:\Program Files\QuickTime\qttask              .exe
    ----a-w           282,624 2007-12-30 06:01:09  C:\Program Files\QuickTime\qttask             .exe
    ----a-w           282,624 2007-12-30 06:01:11  C:\Program Files\QuickTime\qttask            .exe
    ----a-w           282,624 2007-12-30 06:01:13  C:\Program Files\QuickTime\qttask           .exe
    ----a-w           282,624 2007-12-30 06:01:14  C:\Program Files\QuickTime\qttask          .exe
    ----a-w           282,624 2007-12-30 06:01:16  C:\Program Files\QuickTime\qttask         .exe
    ----a-w           282,624 2007-12-30 06:01:17  C:\Program Files\QuickTime\qttask        .exe
    ----a-w           282,624 2007-12-30 06:01:19  C:\Program Files\QuickTime\qttask       .exe
    ----a-w           282,624 2007-12-30 06:01:20  C:\Program Files\QuickTime\qttask      .exe
    ----a-w           282,624 2007-12-30 06:01:21  C:\Program Files\QuickTime\qttask     .exe
    ----a-w           282,624 2007-12-30 06:01:22  C:\Program Files\QuickTime\qttask    .exe
    ----a-w           282,624 2007-12-30 06:01:23  C:\Program Files\QuickTime\qttask   .exe
    ----a-w           282,624 2007-12-30 06:01:25  C:\Program Files\QuickTime\qttask  .exe
    ----a-w           282,624 2007-12-30 06:01:27  C:\Program Files\QuickTime\qttask .exe
    ----a-w         2,097,488 2008-02-24 04:35:39  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
    ----a-w         1,206,600 2008-01-28 09:19:06  C:\Program Files\Webroot\Washer\wwDisp .exe
    ----a-w           169,984 2008-01-28 07:33:35  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
    ----a-w            15,360 2008-02-24 04:35:35  C:\WINDOWS\system32\ctfmon .exe
    </pre>

    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{03818d58-854e-4681-bde0-8f5cb63c98aa}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06e33a7a-900e-4a4d-8e10-64894c5a6101}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07b1a70d-299a-427f-af53-b0d58f8c3236}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24130fc5-3284-4e8d-98f6-ea01b6984d16}]
    C:\WINDOWS\system32\fmkqeyft.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F551E36-B34E-4342-944B-2B980E432716}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{432B2330-2008-4E26-A237-594C54126615}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48A16FEE-F943-403C-9F92-DECF55BCD820}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{552B86A7-D89C-4136-B589-81B5BE1B1D44}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59C3B40A-92FE-4975-A5DF-BE51F45E7CCD}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64960885-0409-41E1-80CB-457BB2D6896F}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A02C47F-60E3-4E2F-93B4-B4CE658B8C59}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E548D91-0D0F-4A48-9216-49C00191E207}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6FF5EB0C-94F1-415A-AB9F-FB2D6C86184B}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79e40ab3-e068-4553-8839-b701acec1de7}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91587F08-C5C4-4286-A90C-20DD8A78A4B2}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97812B21-D87C-47BC-974E-2B30A46C0F59}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98450F23-A8F3-48E6-9F48-ADEA0FAA4C54}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c6d2a88-9e99-40b0-9e4a-29b4c8ea5fb4}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E726B90-5DD7-4A24-9326-7A5067CBED64}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A337763C-B6CE-4FC3-BB9E-BC97F3751856}]
    C:\WINDOWS\system32\vtutt.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8352918-FFBA-4425-9FC0-EBF39236F6DE}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B82802EF-5E7B-4FAF-B4E9-9CF807226EC0}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C36E56FB-3064-434B-B07C-6CE9A1E85E7C}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E733331C-DCDC-48A2-B81B-9BE1D5CAFC75}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1CB876D-4022-43B1-9156-6758C4132136}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F25A0899-F659-4B48-A012-0BC251DEB91F}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F8A643C4-4D76-44DA-BCE1-4E8B9B7F73EE}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-02-24 10:20 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 07:32 7204864]
    "70b063a3"="C:\WINDOWS\system32\thantoom.dll" [ ]
    "BM7383503f"="C:\WINDOWS\system32\mifvpspf.dll" [ ]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
    backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\70b063a3]
    C:\WINDOWS\system32\udeiwkeb.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
    --a------ 2004-10-18 16:42 79448 C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cleanup]
    C:\DOCUME~1\Owner\LOCALS~1\Temp\200779174123_mcappins.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
    C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    --a------ 2004-11-03 13:03 125528 C:\Program Files\Common Files\AOL\1183959268\EE\AOLHostManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2007-12-29 23:00 270648 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
    C:\WINDOWS\system32\vtutt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
    --a------ 2008-01-31 21:23 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msci]
    C:\DOCUME~1\Owner\LOCALS~1\Temp\200779174121_mcinfo.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    C:\Program Files\MSN Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    --a------ 2005-09-18 07:32 7204864 C:\WINDOWS\system32\NvCpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    --a------ 2005-09-18 07:32 86016 C:\WINDOWS\system32\NvMcTray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2005-09-18 07:32 1519616 C:\WINDOWS\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    %WINDIR%\SMINST\RECGUARD.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
    %WINDIR%\Creator\Remind_XP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    --a------ 2004-11-02 19:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    --a------ 2005-09-26 14:07 90112 C:\WINDOWS\soundman.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-02-01 04:32 144784 C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
    --a------ 2004-11-15 14:04 135168 C:\Program Files\Digital Media Reader\shwiconem.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
    C:\Program Files\Save\Save.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
    C:\Program Files\Webroot\Washer\wwDisp.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=

    R2 SonyIEx;SonyIEx;C:\WINDOWS\system32\SonyIEx.exe [2005-05-30 10:48]
    S2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 14:47]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-22 06:33:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-02-15 09:39:53 C:\WINDOWS\Tasks\McDefragTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
    "2008-02-01 09:00:23 C:\WINDOWS\Tasks\McQcTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-24 21:08:27
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-24 21:09:35
    ComboFix-quarantined-files.txt 2008-02-25 05:09:25
    ComboFix2.txt 2008-02-25 00:30:26
    ComboFix3.txt 2008-01-28 05:01:11
    .
    2008-02-13 11:06:04 --- E O F ---

#12 (Junior Member, joined Feb 2008, 23 posts)

hjt log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:10:37 PM, on 2/24/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\SiteAdvisor\6253\SAService.exe
    C:\WINDOWS\system32\SonyIEx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\Program Files\McAfee\MSC\mcuimgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: (no name) - {03818d58-854e-4681-bde0-8f5cb63c98aa} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: (no name) - {06e33a7a-900e-4a4d-8e10-64894c5a6101} - (no file)
    O2 - BHO: (no name) - {07b1a70d-299a-427f-af53-b0d58f8c3236} - (no file)
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - (no file)
    O2 - BHO: {61d4896b-10ae-6f89-d8e4-48235cf03142} - {24130fc5-3284-4e8d-98f6-ea01b6984d16} - C:\WINDOWS\system32\fmkqeyft.dll (file missing)
    O2 - BHO: (no name) - {2F551E36-B34E-4342-944B-2B980E432716} - (no file)
    O2 - BHO: (no name) - {432B2330-2008-4E26-A237-594C54126615} - (no file)
    O2 - BHO: (no name) - {48A16FEE-F943-403C-9F92-DECF55BCD820} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {552B86A7-D89C-4136-B589-81B5BE1B1D44} - (no file)
    O2 - BHO: (no name) - {59C3B40A-92FE-4975-A5DF-BE51F45E7CCD} - (no file)
    O2 - BHO: (no name) - {64960885-0409-41E1-80CB-457BB2D6896F} - (no file)
    O2 - BHO: (no name) - {6A02C47F-60E3-4E2F-93B4-B4CE658B8C59} - (no file)
    O2 - BHO: (no name) - {6E548D91-0D0F-4A48-9216-49C00191E207} - (no file)
    O2 - BHO: (no name) - {6FF5EB0C-94F1-415A-AB9F-FB2D6C86184B} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O2 - BHO: (no name) - {79e40ab3-e068-4553-8839-b701acec1de7} - (no file)
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {91587F08-C5C4-4286-A90C-20DD8A78A4B2} - (no file)
    O2 - BHO: (no name) - {97812B21-D87C-47BC-974E-2B30A46C0F59} - (no file)
    O2 - BHO: (no name) - {98450F23-A8F3-48E6-9F48-ADEA0FAA4C54} - (no file)
    O2 - BHO: (no name) - {9c6d2a88-9e99-40b0-9e4a-29b4c8ea5fb4} - (no file)
    O2 - BHO: (no name) - {9E726B90-5DD7-4A24-9326-7A5067CBED64} - (no file)
    O2 - BHO: (no name) - {A337763C-B6CE-4FC3-BB9E-BC97F3751856} - C:\WINDOWS\system32\vtutt.dll (file missing)
    O2 - BHO: (no name) - {A8352918-FFBA-4425-9FC0-EBF39236F6DE} - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
    O2 - BHO: (no name) - {B82802EF-5E7B-4FAF-B4E9-9CF807226EC0} - (no file)
    O2 - BHO: (no name) - {C36E56FB-3064-434B-B07C-6CE9A1E85E7C} - (no file)
    O2 - BHO: (no name) - {E733331C-DCDC-48A2-B81B-9BE1D5CAFC75} - (no file)
    O2 - BHO: (no name) - {F1CB876D-4022-43B1-9156-6758C4132136} - (no file)
    O2 - BHO: (no name) - {F25A0899-F659-4B48-A012-0BC251DEB91F} - (no file)
    O2 - BHO: (no name) - {F8A643C4-4D76-44DA-BCE1-4E8B9B7F73EE} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [70b063a3] rundll32.exe "C:\WINDOWS\system32\thantoom.dll",b
    O4 - HKLM\..\Run: [BM7383503f] Rundll32.exe "C:\WINDOWS\system32\mifvpspf.dll",s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://www.regence.com/remote/msrdp.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
    O23 - Service: SonyIEx - Unknown owner - C:\WINDOWS\system32\SonyIEx.exe
    O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

    --
    End of file - 8185 bytes

    If I'm understanding you, I need to do ANOTHER mbam & combofix. They'll be along shortly.

#13 (Junior Member, joined Feb 2008, 23 posts)

mbam log

    Malwarebytes' Anti-Malware 1.05
    Database version: 403

    Scan type: Quick Scan
    Objects scanned: 28201
    Time elapsed: 7 minute(s), 20 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

#14 (Junior Member, joined Feb 2008, 23 posts)

combofix log

    ComboFix 08-02-25.2 - Owner 2008-02-24 21:40:23.4 - NTFSx86
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
    .

    2008-02-24 14:26 . 2008-02-24 14:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
    2008-02-24 14:26 . 2008-02-24 14:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-02-24 14:25 . 2008-02-24 14:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-02-24 12:47 . 2008-02-24 13:17 <DIR> d-------- C:\VundoFix Backups
    2008-02-23 13:56 . 2008-02-23 13:56 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-23 10:34 . 2008-02-24 10:20 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
    2008-02-23 10:34 . 2008-02-24 10:20 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
    2008-02-21 20:22 . 2008-02-23 20:34 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2008-02-17 14:06 . 2008-02-17 14:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-02-17 14:06 . 2008-02-17 14:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-02-15 20:40 . 2008-02-17 22:04 476 --a------ C:\WINDOWS\wininit.ini
    2008-02-15 20:06 . 2008-02-15 19:56 691,545 --a------ C:\WINDOWS\unins000.exe
    2008-02-15 20:06 . 2008-02-15 20:06 3,444 --a------ C:\WINDOWS\unins000.dat
    2008-02-15 15:24 . 2008-02-15 15:25 2,094 --ahs---- C:\WINDOWS\system32\gebgemvv.ini
    2008-02-15 15:18 . 2008-02-24 10:19 157,341 --a------ C:\WINDOWS\BM7383503f.xml
    2008-02-15 15:18 . 2008-02-24 12:44 22 --a------ C:\WINDOWS\pskt.ini
    2008-02-13 15:27 . 2008-02-15 14:53 1,373,515 --ahs---- C:\WINDOWS\system32\dwlbxjfq.ini
    2008-02-07 19:22 . 2008-02-07 19:27 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Intuit
    2008-02-07 19:20 . 2008-02-07 19:20 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
    2008-02-07 19:18 . 2008-02-07 19:18 <DIR> d-------- C:\Program Files\Common Files\Intuit
    2008-02-07 19:18 . 2008-02-07 19:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit
    2008-02-07 19:18 . 2007-10-22 18:58 1,721,712 --a------ C:\WINDOWS\system32\InetClnt.dll
    2008-02-07 19:08 . 2008-02-07 19:08 <DIR> d-------- C:\Program Files\TurboTax
    2008-02-03 08:57 . 2008-02-03 10:47 <DIR> d-------- C:\Program Files\EsetOnlineScanner
    2008-02-01 21:04 . 2008-02-01 21:05 1,741,284 --ahs---- C:\WINDOWS\system32\murjhrjq.ini
    2008-02-01 09:07 . 2008-02-01 09:07 0 --a------ C:\WINDOWS\system32\scrwjxgd.tmp
    2008-02-01 09:06 . 2008-02-01 09:07 1,707,104 --ahs---- C:\WINDOWS\system32\scrwjxgd.ini
    2008-01-31 21:10 . 2008-01-31 21:10 1,719,767 --ahs---- C:\WINDOWS\system32\tcfqvwlf.ini
    2008-01-31 21:06 . 2008-01-31 21:07 1,961,288 --ahs---- C:\WINDOWS\system32\rxdhlufi.ini
    2008-01-31 09:09 . 2008-01-31 16:00 1,707,044 --ahs---- C:\WINDOWS\system32\impyrvot.ini
    2008-01-31 09:03 . 2008-01-31 09:04 1,725,849 --ahs---- C:\WINDOWS\system32\conlbuwo.ini
    2008-01-30 21:05 . 2008-01-30 21:05 1,721,568 --ahs---- C:\WINDOWS\system32\wlbgiali.ini
    2008-01-29 17:30 . 2008-01-31 16:00 1,964,520 --ahs---- C:\WINDOWS\system32\wgtqxlop.ini
    2008-01-28 19:03 . 2008-01-28 19:03 <DIR> d-------- C:\WINDOWS\system32\bak
    2008-01-28 09:47 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
    2008-01-27 20:18 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-01-27 20:17 . 2008-01-27 20:17 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-01-27 20:13 . 2008-01-27 20:13 <DIR> d-------- C:\Program Files\SDM
    2008-01-27 19:22 . 2008-01-27 19:22 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-01-27 19:00 . 2007-07-08 21:01 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2008-01-27 19:00 . 2007-07-08 21:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
    2008-01-27 19:00 . 2007-12-17 21:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
    2008-01-27 19:00 . 2007-07-08 21:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
    2008-01-27 09:26 . 2008-01-27 15:01 586 --ahs---- C:\WINDOWS\system32\gyflbydn.ini
    2008-01-27 09:23 . 2008-01-27 09:23 294 --ahs---- C:\WINDOWS\system32\vwfoojqm.ini
    2008-01-26 09:29 . 2008-01-26 18:02 466 --ahs---- C:\WINDOWS\system32\qwjlrleh.ini
    2008-01-26 09:23 . 2008-01-26 09:23 294 --ahs---- C:\WINDOWS\system32\wqaqtmdy.ini
    2008-01-25 21:24 . 2008-01-26 09:35 466 --ahs---- C:\WINDOWS\system32\imkhfurx.ini
    2008-01-25 21:21 . 2008-01-25 21:21 294 --ahs---- C:\WINDOWS\system32\cxsvknup.ini

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-24 18:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-02-24 04:35 15,360 ----a-w C:\WINDOWS\system32\ctfmon .exe
    2008-02-22 04:22 --------- d-----w C:\Program Files\MSN Messenger
    2008-02-16 04:39 --------- d-----w C:\Program Files\Free Offers from Freeze.com
    2008-02-16 04:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-16 01:05 --------- d-----w C:\Program Files\McAfee
    2008-02-08 03:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-07 23:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
    2008-01-28 07:33 169,984 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
    2008-01-28 04:18 --------- d-----w C:\Program Files\Java
    2008-01-19 03:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-01-19 03:48 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2008-01-11 03:36 --------- d-----w C:\Program Files\RcvSystem
    2008-01-05 19:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\SiteAdvisor
    2008-01-04 19:00 --------- d-----w C:\Program Files\Common Files\Webroot Shared
    2008-01-04 19:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Webroot
    2008-01-02 20:39 --------- d-----w C:\Documents and Settings\britney.FILBERT\Application Data\SiteAdvisor
    2008-01-01 23:37 --------- d-----w C:\Program Files\SiteAdvisor
    2008-01-01 16:12 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
    2007-12-31 01:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
    2007-12-31 01:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2007-12-31 01:29 --------- d-----w C:\Program Files\Common Files\McAfee
    2007-12-31 01:24 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-12-31 01:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2007-12-31 01:03 --------- d-----w C:\Program Files\Yahoo!
    2007-12-29 23:59 --------- d-----w C:\Program Files\QuickTime
    2007-12-23 18:54 46,512 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
    2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
    2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
    2007-11-27 07:04 74,703 ----a-w C:\WINDOWS\system32\mfc45.dll
    2007-11-26 22:47 194,888 ----a-w C:\WINDOWS\Unwash6.exe
    2007-11-26 02:49 46,512 ----a-w C:\Documents and Settings\britney.FILBERT\Application Data\GDIPFONTCACHEV1.DAT
    .
    Code:
    <pre>
    ----a-w           115,816 2007-12-29 17:39:32  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
    ----a-w            68,856 2007-12-29 17:39:46  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    ----a-w           270,648 2007-12-22 18:55:30  C:\Program Files\iTunes\iTunesHelper .exe
    ----a-w           144,784 2008-01-28 04:57:19  C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
    ----a-w           582,992 2008-01-30 02:05:10  C:\Program Files\McAfee.com\Agent\mcagent .exe
    ----a-w         1,694,208 2007-12-28 05:32:54  C:\Program Files\Messenger\msmsgs .exe
    ----a-w         5,674,352 2008-01-29 02:38:02  C:\Program Files\MSN Messenger\MsnMsgr .Exe
    ----a-w         5,674,352 2008-01-31 03:43:29  C:\Program Files\MSN Messenger\bak\msnmsgr .exe
    ----a-w           282,624 2007-12-30 06:01:00  C:\Program Files\QuickTime\qttask                     .exe
    ----a-w           282,624 2007-12-30 06:01:01  C:\Program Files\QuickTime\qttask                    .exe
    ----a-w           282,624 2007-12-30 06:01:02  C:\Program Files\QuickTime\qttask                   .exe
    ----a-w           282,624 2007-12-30 06:01:03  C:\Program Files\QuickTime\qttask                  .exe
    ----a-w           282,624 2007-12-30 06:01:04  C:\Program Files\QuickTime\qttask                 .exe
    ----a-w           282,624 2007-12-30 06:01:05  C:\Program Files\QuickTime\qttask                .exe
    ----a-w           282,624 2007-12-30 06:01:07  C:\Program Files\QuickTime\qttask               .exe
    ----a-w           282,624 2007-12-30 06:01:08  C:\Program Files\QuickTime\qttask              .exe
    ----a-w           282,624 2007-12-30 06:01:09  C:\Program Files\QuickTime\qttask             .exe
    ----a-w           282,624 2007-12-30 06:01:11  C:\Program Files\QuickTime\qttask            .exe
    ----a-w           282,624 2007-12-30 06:01:13  C:\Program Files\QuickTime\qttask           .exe
    ----a-w           282,624 2007-12-30 06:01:14  C:\Program Files\QuickTime\qttask          .exe
    ----a-w           282,624 2007-12-30 06:01:16  C:\Program Files\QuickTime\qttask         .exe
    ----a-w           282,624 2007-12-30 06:01:17  C:\Program Files\QuickTime\qttask        .exe
    ----a-w           282,624 2007-12-30 06:01:19  C:\Program Files\QuickTime\qttask       .exe
    ----a-w           282,624 2007-12-30 06:01:20  C:\Program Files\QuickTime\qttask      .exe
    ----a-w           282,624 2007-12-30 06:01:21  C:\Program Files\QuickTime\qttask     .exe
    ----a-w           282,624 2007-12-30 06:01:22  C:\Program Files\QuickTime\qttask    .exe
    ----a-w           282,624 2007-12-30 06:01:23  C:\Program Files\QuickTime\qttask   .exe
    ----a-w           282,624 2007-12-30 06:01:25  C:\Program Files\QuickTime\qttask  .exe
    ----a-w           282,624 2007-12-30 06:01:27  C:\Program Files\QuickTime\qttask .exe
    ----a-w         2,097,488 2008-02-24 04:35:39  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
    ----a-w         1,206,600 2008-01-28 09:19:06  C:\Program Files\Webroot\Washer\wwDisp .exe
    ----a-w           169,984 2008-01-28 07:33:35  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
    ----a-w            15,360 2008-02-24 04:35:35  C:\WINDOWS\system32\ctfmon .exe
    </pre>

    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{03818d58-854e-4681-bde0-8f5cb63c98aa}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06e33a7a-900e-4a4d-8e10-64894c5a6101}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07b1a70d-299a-427f-af53-b0d58f8c3236}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24130fc5-3284-4e8d-98f6-ea01b6984d16}]
    C:\WINDOWS\system32\fmkqeyft.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F551E36-B34E-4342-944B-2B980E432716}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{432B2330-2008-4E26-A237-594C54126615}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48A16FEE-F943-403C-9F92-DECF55BCD820}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{552B86A7-D89C-4136-B589-81B5BE1B1D44}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59C3B40A-92FE-4975-A5DF-BE51F45E7CCD}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64960885-0409-41E1-80CB-457BB2D6896F}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A02C47F-60E3-4E2F-93B4-B4CE658B8C59}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E548D91-0D0F-4A48-9216-49C00191E207}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6FF5EB0C-94F1-415A-AB9F-FB2D6C86184B}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79e40ab3-e068-4553-8839-b701acec1de7}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91587F08-C5C4-4286-A90C-20DD8A78A4B2}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97812B21-D87C-47BC-974E-2B30A46C0F59}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98450F23-A8F3-48E6-9F48-ADEA0FAA4C54}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c6d2a88-9e99-40b0-9e4a-29b4c8ea5fb4}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E726B90-5DD7-4A24-9326-7A5067CBED64}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A337763C-B6CE-4FC3-BB9E-BC97F3751856}]
    C:\WINDOWS\system32\vtutt.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8352918-FFBA-4425-9FC0-EBF39236F6DE}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B82802EF-5E7B-4FAF-B4E9-9CF807226EC0}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C36E56FB-3064-434B-B07C-6CE9A1E85E7C}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E733331C-DCDC-48A2-B81B-9BE1D5CAFC75}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1CB876D-4022-43B1-9156-6758C4132136}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F25A0899-F659-4B48-A012-0BC251DEB91F}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F8A643C4-4D76-44DA-BCE1-4E8B9B7F73EE}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-02-24 10:20 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 07:32 7204864]
    "70b063a3"="C:\WINDOWS\system32\thantoom.dll" [ ]
    "BM7383503f"="C:\WINDOWS\system32\mifvpspf.dll" [ ]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
    backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\70b063a3]
    C:\WINDOWS\system32\udeiwkeb.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
    --a------ 2004-10-18 16:42 79448 C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cleanup]
    C:\DOCUME~1\Owner\LOCALS~1\Temp\200779174123_mcappins.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
    C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    --a------ 2004-11-03 13:03 125528 C:\Program Files\Common Files\AOL\1183959268\EE\AOLHostManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2007-12-29 23:00 270648 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
    C:\WINDOWS\system32\vtutt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
    --a------ 2008-01-31 21:23 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msci]
    C:\DOCUME~1\Owner\LOCALS~1\Temp\200779174121_mcinfo.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    C:\Program Files\MSN Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    --a------ 2005-09-18 07:32 7204864 C:\WINDOWS\system32\NvCpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    --a------ 2005-09-18 07:32 86016 C:\WINDOWS\system32\NvMcTray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2005-09-18 07:32 1519616 C:\WINDOWS\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    %WINDIR%\SMINST\RECGUARD.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
    %WINDIR%\Creator\Remind_XP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    --a------ 2004-11-02 19:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    --a------ 2005-09-26 14:07 90112 C:\WINDOWS\soundman.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-02-01 04:32 144784 C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
    --a------ 2004-11-15 14:04 135168 C:\Program Files\Digital Media Reader\shwiconem.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
    C:\Program Files\Save\Save.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
    C:\Program Files\Webroot\Washer\wwDisp.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=

    R2 SonyIEx;SonyIEx;C:\WINDOWS\system32\SonyIEx.exe [2005-05-30 10:48]
    R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 14:47]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-22 06:33:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-02-15 09:39:53 C:\WINDOWS\Tasks\McDefragTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
    "2008-02-01 09:00:23 C:\WINDOWS\Tasks\McQcTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-24 21:44:22
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-24 21:45:12
    ComboFix-quarantined-files.txt 2008-02-25 05:45:02
    ComboFix2.txt 2008-02-25 05:09:36
    ComboFix3.txt 2008-02-25 00:30:26
    ComboFix4.txt 2008-01-28 05:01:11
    .
    2008-02-13 11:06:04 --- E O F ---

  5. #15
    Junior Member
    Join Date
    Feb 2008
    Posts
    23

    Default and another hjt log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:47:51 PM, on 2/24/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\SiteAdvisor\6253\SAService.exe
    C:\WINDOWS\system32\SonyIEx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Washer\WasherSvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\Program Files\McAfee\MSC\mcuimgr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: (no name) - {03818d58-854e-4681-bde0-8f5cb63c98aa} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: (no name) - {06e33a7a-900e-4a4d-8e10-64894c5a6101} - (no file)
    O2 - BHO: (no name) - {07b1a70d-299a-427f-af53-b0d58f8c3236} - (no file)
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - (no file)
    O2 - BHO: {61d4896b-10ae-6f89-d8e4-48235cf03142} - {24130fc5-3284-4e8d-98f6-ea01b6984d16} - C:\WINDOWS\system32\fmkqeyft.dll (file missing)
    O2 - BHO: (no name) - {2F551E36-B34E-4342-944B-2B980E432716} - (no file)
    O2 - BHO: (no name) - {432B2330-2008-4E26-A237-594C54126615} - (no file)
    O2 - BHO: (no name) - {48A16FEE-F943-403C-9F92-DECF55BCD820} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {552B86A7-D89C-4136-B589-81B5BE1B1D44} - (no file)
    O2 - BHO: (no name) - {59C3B40A-92FE-4975-A5DF-BE51F45E7CCD} - (no file)
    O2 - BHO: (no name) - {64960885-0409-41E1-80CB-457BB2D6896F} - (no file)
    O2 - BHO: (no name) - {6A02C47F-60E3-4E2F-93B4-B4CE658B8C59} - (no file)
    O2 - BHO: (no name) - {6E548D91-0D0F-4A48-9216-49C00191E207} - (no file)
    O2 - BHO: (no name) - {6FF5EB0C-94F1-415A-AB9F-FB2D6C86184B} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O2 - BHO: (no name) - {79e40ab3-e068-4553-8839-b701acec1de7} - (no file)
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {91587F08-C5C4-4286-A90C-20DD8A78A4B2} - (no file)
    O2 - BHO: (no name) - {97812B21-D87C-47BC-974E-2B30A46C0F59} - (no file)
    O2 - BHO: (no name) - {98450F23-A8F3-48E6-9F48-ADEA0FAA4C54} - (no file)
    O2 - BHO: (no name) - {9c6d2a88-9e99-40b0-9e4a-29b4c8ea5fb4} - (no file)
    O2 - BHO: (no name) - {9E726B90-5DD7-4A24-9326-7A5067CBED64} - (no file)
    O2 - BHO: (no name) - {A337763C-B6CE-4FC3-BB9E-BC97F3751856} - C:\WINDOWS\system32\vtutt.dll (file missing)
    O2 - BHO: (no name) - {A8352918-FFBA-4425-9FC0-EBF39236F6DE} - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
    O2 - BHO: (no name) - {B82802EF-5E7B-4FAF-B4E9-9CF807226EC0} - (no file)
    O2 - BHO: (no name) - {C36E56FB-3064-434B-B07C-6CE9A1E85E7C} - (no file)
    O2 - BHO: (no name) - {E733331C-DCDC-48A2-B81B-9BE1D5CAFC75} - (no file)
    O2 - BHO: (no name) - {F1CB876D-4022-43B1-9156-6758C4132136} - (no file)
    O2 - BHO: (no name) - {F25A0899-F659-4B48-A012-0BC251DEB91F} - (no file)
    O2 - BHO: (no name) - {F8A643C4-4D76-44DA-BCE1-4E8B9B7F73EE} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [70b063a3] rundll32.exe "C:\WINDOWS\system32\thantoom.dll",b
    O4 - HKLM\..\Run: [BM7383503f] Rundll32.exe "C:\WINDOWS\system32\mifvpspf.dll",s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://www.regence.com/remote/msrdp.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA

    Thanks,
    cayveman

  6. #16
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Good Morning,

    Thanks for the logs; let me tell you what we are up against. You have the latest variant of Vundo that includes a File Infector. If you look at your Combofix log, all the files and programs in the Blue Code Box have been infected by this trojan. Besides that, you have another issue: a downloader trojan. I would strongly urge you to stay off the internet, except for posting here, until we give you the all clear; if not, this trojan is going to continue to go out and download other garbage.

    Do this, and make sure you do it correctly; any programs not removed will have to be uninstalled and reinstalled.

    Open Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before or above Killall::

    Code:
    Killall::
    
    RenV::
    C:\Program Files\Common Files\Symantec Shared\ccApp .exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    C:\Program Files\iTunes\iTunesHelper .exe
    C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
    C:\Program Files\McAfee.com\Agent\mcagent .exe
    C:\Program Files\Messenger\msmsgs .exe
    C:\Program Files\MSN Messenger\MsnMsgr .Exe
    C:\Program Files\MSN Messenger\bak\msnmsgr .exe
    C:\Program Files\QuickTime\qttask                     .exe
    C:\Program Files\QuickTime\qttask                    .exe
    C:\Program Files\QuickTime\qttask                   .exe
    C:\Program Files\QuickTime\qttask                  .exe
    C:\Program Files\QuickTime\qttask                 .exe
    C:\Program Files\QuickTime\qttask                .exe
    C:\Program Files\QuickTime\qttask               .exe
    C:\Program Files\QuickTime\qttask              .exe
    C:\Program Files\QuickTime\qttask             .exe
    C:\Program Files\QuickTime\qttask            .exe
    C:\Program Files\QuickTime\qttask           .exe
    C:\Program Files\QuickTime\qttask          .exe
    C:\Program Files\QuickTime\qttask         .exe
    C:\Program Files\QuickTime\qttask        .exe
    C:\Program Files\QuickTime\qttask       .exe
    C:\Program Files\QuickTime\qttask      .exe
    C:\Program Files\QuickTime\qttask     .exe
    C:\Program Files\QuickTime\qttask    .exe
    C:\Program Files\QuickTime\qttask   .exe
    C:\Program Files\QuickTime\qttask  .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
    C:\Program Files\Webroot\Washer\wwDisp .exe
    C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
    C:\WINDOWS\system32\ctfmon .exe
    
    File::
    C:\WINDOWS\system32\gebgemvv.ini
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\dwlbxjfq.ini
    C:\WINDOWS\system32\murjhrjq.ini
    C:\WINDOWS\system32\scrwjxgd.tmp
    C:\WINDOWS\system32\scrwjxgd.ini
    C:\WINDOWS\system32\tcfqvwlf.ini
    C:\WINDOWS\system32\rxdhlufi.ini
    C:\WINDOWS\system32\impyrvot.ini
    C:\WINDOWS\system32\conlbuwo.ini
    C:\WINDOWS\system32\wlbgiali.ini
    C:\WINDOWS\system32\wgtqxlop.ini
    C:\WINDOWS\system32\gyflbydn.ini
    C:\WINDOWS\system32\vwfoojqm.ini
    C:\WINDOWS\system32\qwjlrleh.ini
    C:\WINDOWS\system32\wqaqtmdy.ini
    C:\WINDOWS\system32\imkhfurx.ini
    C:\WINDOWS\system32\cxsvknup.ini
    C:\WINDOWS\system32\vtutt.dll
    C:\WINDOWS\system32\fmkqeyft.dll
    C:\WINDOWS\system32\udeiwkeb.dll
    C:\WINDOWS\system32\mifvpspf.dll
    C:\WINDOWS\system32\thantoom.dll
    
    
    Folder::
    C:\VundoFix Backups
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{03818d58-854e-4681-bde0-8f5cb63c98aa}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06e33a7a-900e-4a4d-8e10-64894c5a6101}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07b1a70d-299a-427f-af53-b0d58f8c3236}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24130fc5-3284-4e8d-98f6-ea01b6984d16}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F551E36-B34E-4342-944B-2B980E432716}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{432B2330-2008-4E26-A237-594C54126615}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48A16FEE-F943-403C-9F92-DECF55BCD820}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{552B86A7-D89C-4136-B589-81B5BE1B1D44}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59C3B40A-92FE-4975-A5DF-BE51F45E7CCD}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64960885-0409-41E1-80CB-457BB2D6896F}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A02C47F-60E3-4E2F-93B4-B4CE658B8C59}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E548D91-0D0F-4A48-9216-49C00191E207}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6FF5EB0C-94F1-415A-AB9F-FB2D6C86184B}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79e40ab3-e068-4553-8839-b701acec1de7}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91587F08-C5C4-4286-A90C-20DD8A78A4B2}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97812B21-D87C-47BC-974E-2B30A46C0F59}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98450F23-A8F3-48E6-9F48-ADEA0FAA4C54}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c6d2a88-9e99-40b0-9e4a-29b4c8ea5fb4}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E726B90-5DD7-4A24-9326-7A5067CBED64}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A337763C-B6CE-4FC3-BB9E-BC97F3751856}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8352918-FFBA-4425-9FC0-EBF39236F6DE}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B82802EF-5E7B-4FAF-B4E9-9CF807226EC0}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C36E56FB-3064-434B-B07C-6CE9A1E85E7C}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E733331C-DCDC-48A2-B81B-9BE1D5CAFC75}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1CB876D-4022-43B1-9156-6758C4132136}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F25A0899-F659-4B48-A012-0BC251DEB91F}]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "70b063a3"=-
    "BM7383503f"=-
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\70b063a3]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
    Save this as CFScript to your desktop.

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    [screenshot: CFScript being dragged onto ComboFix.exe]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.



    You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and their backups and then restore them.
    Please download FindAWF and save it to your desktop

    * Double-click FindAWF.exe to start the tool.
    * Select option #1 - Scan for bak folders by typing 1 and press 'Enter'
    * When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here.


    **Do not run any other option unless directed to do so.**
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
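
The CFScript above is a ComboFix control file: the `Registry::` section uses regedit `.reg` syntax (`[-KEY]` deletes a key, `"name"=-` deletes a value under the key named on the preceding `[KEY]` line), and the `File::` section, which the later ComboFix log shows under "FILE ::", lists paths to delete. The following Python parser is an added example for reviewing what such a script would do before it is run; it is not ComboFix's code and not part of this thread. The sample script embedded in it is constructed from a few of the entries above; `parse_cfscript` and `summarise` are names chosen here, and the `.reg` semantics and the `File::` section meaning are assumptions stated in the comments.

```python
"""Summarise the actions a ComboFix CFScript would take, before running it.

Added example, not ComboFix's own code. Assumed semantics (standard
regedit .reg syntax) for the Registry:: section:
  [KEY]        select a key for the value lines that follow
  [-KEY]       delete the key and everything below it
  "name"=-     delete the named value under the selected key
  "name"="v"   set the named value
File:: lines are assumed to be paths ComboFix should delete.
ComboFix abbreviates parts of long key paths with "~"; it is kept literally.
"""
import re

SECTION_RE = re.compile(r"^(\w+)\s*::\s*$")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')

# Constructed CFScript mirroring the shape of the one posted in the thread
# (one BHO key, the two Run values, one msconfig startupreg key).
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\gebgemvv.ini

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{03818d58-854e-4681-bde0-8f5cb63c98aa}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"70b063a3"=-
"BM7383503f"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\70b063a3]
"""


def parse_cfscript(text):
    """Return the planned actions grouped by kind; raise on lines we cannot interpret."""
    actions = {"files": [], "delete_keys": [], "delete_values": [], "set_values": []}
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            continue
        if section == "file":
            actions["files"].append(line)
        elif section == "registry":
            m = KEY_RE.match(line)
            if m:
                if m.group(1) == "-":
                    actions["delete_keys"].append(m.group(2))
                    current_key = None  # no value lines make sense under a deleted key
                else:
                    current_key = m.group(2)
                continue
            m = VALUE_RE.match(line)
            if m and current_key is not None:
                name, value = m.groups()
                if value == "-":
                    actions["delete_values"].append((current_key, name))
                else:
                    actions["set_values"].append((current_key, name, value))
            else:
                raise ValueError(f"unrecognised Registry:: line: {raw!r}")
        else:
            raise ValueError(f"line outside a known section: {raw!r}")
    return actions


def summarise(actions):
    """Human-readable review list, one line per planned change."""
    out = [f"delete file: {p}" for p in actions["files"]]
    out += [f"delete key: {k}" for k in actions["delete_keys"]]
    out += [f"delete value: {k} -> {n}" for k, n in actions["delete_values"]]
    out += [f"set value: {k} -> {n} = {v}" for k, n, v in actions["set_values"]]
    return out


if __name__ == "__main__":
    for line in summarise(parse_cfscript(SAMPLE_SCRIPT)):
        print(line)
```

Reviewing the output this way makes it obvious that every `[-…]` line in the posted script removes an entire BHO or msconfig key, while the two `Run` lines only drop the named values and leave the `Run` key itself in place.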

  7. #17
    Junior Member
    Join Date
    Feb 2008
    Posts
    23

    Default New logs

    Here we are again.
    Here's the latest combofix log:
    ComboFix 08-02-25.2 - Owner 2008-02-25 6:47:10.5 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.164 [GMT -8:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\conlbuwo.ini
    C:\WINDOWS\system32\cxsvknup.ini
    C:\WINDOWS\system32\dwlbxjfq.ini
    C:\WINDOWS\system32\fmkqeyft.dll
    C:\WINDOWS\system32\gebgemvv.ini
    C:\WINDOWS\system32\gyflbydn.ini
    C:\WINDOWS\system32\imkhfurx.ini
    C:\WINDOWS\system32\impyrvot.ini
    C:\WINDOWS\system32\mifvpspf.dll
    C:\WINDOWS\system32\murjhrjq.ini
    C:\WINDOWS\system32\qwjlrleh.ini
    C:\WINDOWS\system32\rxdhlufi.ini
    C:\WINDOWS\system32\scrwjxgd.ini
    C:\WINDOWS\system32\scrwjxgd.tmp
    C:\WINDOWS\system32\tcfqvwlf.ini
    C:\WINDOWS\system32\thantoom.dll
    C:\WINDOWS\system32\udeiwkeb.dll
    C:\WINDOWS\system32\vtutt.dll
    C:\WINDOWS\system32\vwfoojqm.ini
    C:\WINDOWS\system32\wgtqxlop.ini
    C:\WINDOWS\system32\wlbgiali.ini
    C:\WINDOWS\system32\wqaqtmdy.ini
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\VundoFix Backups
    C:\VundoFix Backups\aghjxwrd.dll.bad
    C:\VundoFix Backups\aksumahx.dll.bad
    C:\VundoFix Backups\amwfiqkf.dll.bad
    C:\VundoFix Backups\aqvbukab.dll.bad
    C:\VundoFix Backups\bjominev.dll.bad
    C:\VundoFix Backups\ceghykvk.dll.bad
    C:\VundoFix Backups\cjjckmvs.dll.bad
    C:\VundoFix Backups\ddgjnwdc.dll.bad
    C:\VundoFix Backups\doxpnrnm.dll.bad
    C:\VundoFix Backups\dypiwteu.dll.bad
    C:\VundoFix Backups\ewfcybmm.dll.bad
    C:\VundoFix Backups\fbklhyfq.dll.bad
    C:\VundoFix Backups\fgiuvppm.dll.bad
    C:\VundoFix Backups\fmayjpkm.dll.bad
    C:\VundoFix Backups\fmkqeyft.dll.bad
    C:\VundoFix Backups\fskijcao.dll.bad
    C:\VundoFix Backups\fwiebwbd.dll.bad
    C:\VundoFix Backups\geyfirhl.ini.bad
    C:\VundoFix Backups\gwicdexo.dll.bad
    C:\VundoFix Backups\hgukuywh.dll.bad
    C:\VundoFix Backups\hinagmgk.dll.bad
    C:\VundoFix Backups\hkgfpgqd.dll.bad
    C:\VundoFix Backups\hogllebc.dll.bad
    C:\VundoFix Backups\hoijemrn.dll.bad
    C:\VundoFix Backups\icmxaegm.dll.bad
    C:\VundoFix Backups\innxlgul.dll.bad
    C:\VundoFix Backups\irmynkhu.dll.bad
    C:\VundoFix Backups\jhbbgdoj.dll.bad
    C:\VundoFix Backups\jodgbbhj.ini.bad
    C:\VundoFix Backups\jrltcmbu.dll.bad
    C:\VundoFix Backups\kgeggbqd.dll.bad
    C:\VundoFix Backups\kgxmdqfy.dll.bad
    C:\VundoFix Backups\klifcsbu.dll.bad
    C:\VundoFix Backups\lhrifyeg.dll.bad
    C:\VundoFix Backups\ljllfkqp.dll.bad
    C:\VundoFix Backups\ltrjlgek.dll.bad
    C:\VundoFix Backups\luglxnni.ini.bad
    C:\VundoFix Backups\mboriwcb.dll.bad
    C:\VundoFix Backups\mhuylmiu.dll.bad
    C:\VundoFix Backups\mifvpspf.dll.bad
    C:\VundoFix Backups\ngaiwptf.dll.bad
    C:\VundoFix Backups\okahonhb.dll.bad
    C:\VundoFix Backups\ouoeairs.dll.bad
    C:\VundoFix Backups\qmpfifdh.dll.bad
    C:\VundoFix Backups\qquepugl.dll.bad
    C:\VundoFix Backups\slddicyu.dll.bad
    C:\VundoFix Backups\svmkcjjc.ini.bad
    C:\VundoFix Backups\swiwfcge.dll.bad
    C:\VundoFix Backups\thantoom.dll.bad
    C:\VundoFix Backups\tibhuvuc.dll.bad
    C:\VundoFix Backups\ufcqwrqj.dll.bad
    C:\VundoFix Backups\ushpgnll.dll.bad
    C:\VundoFix Backups\uvqejdft.dll.bad
    C:\VundoFix Backups\uxjxmltt.dll.bad
    C:\VundoFix Backups\veyadkpe.dll.bad
    C:\VundoFix Backups\vkaxxpnb.dll.bad
    C:\VundoFix Backups\vlusnmil.dll.bad
    C:\VundoFix Backups\vnbbkkbx.dll.bad
    C:\VundoFix Backups\vswudxdl.dll.bad
    C:\VundoFix Backups\vtutt.dll.bad
    C:\VundoFix Backups\vvmegbeg.dll.bad
    C:\VundoFix Backups\wfswybfm.dll.bad
    C:\VundoFix Backups\xcphbrnr.dll.bad
    C:\VundoFix Backups\xmnnngeh.dll.bad
    C:\VundoFix Backups\xpxovnax.dll.bad
    C:\VundoFix Backups\yoynqqhc.dll.bad
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\conlbuwo.ini
    C:\WINDOWS\system32\cxsvknup.ini
    C:\WINDOWS\system32\dwlbxjfq.ini
    C:\WINDOWS\system32\gebgemvv.ini
    C:\WINDOWS\system32\gyflbydn.ini
    C:\WINDOWS\system32\imkhfurx.ini
    C:\WINDOWS\system32\impyrvot.ini
    C:\WINDOWS\system32\murjhrjq.ini
    C:\WINDOWS\system32\qwjlrleh.ini
    C:\WINDOWS\system32\rxdhlufi.ini
    C:\WINDOWS\system32\scrwjxgd.ini
    C:\WINDOWS\system32\scrwjxgd.tmp
    C:\WINDOWS\system32\tcfqvwlf.ini
    C:\WINDOWS\system32\vwfoojqm.ini
    C:\WINDOWS\system32\wgtqxlop.ini
    C:\WINDOWS\system32\wlbgiali.ini
    C:\WINDOWS\system32\wqaqtmdy.ini

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
    .

    2008-02-24 14:26 . 2008-02-24 14:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
    2008-02-24 14:26 . 2008-02-24 14:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-02-24 14:25 . 2008-02-24 14:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-02-23 13:56 . 2008-02-23 13:56 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-21 20:22 . 2008-02-23 20:34 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2008-02-17 14:06 . 2008-02-17 14:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-02-17 14:06 . 2008-02-17 14:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-02-15 20:40 . 2008-02-17 22:04 476 --a------ C:\WINDOWS\wininit.ini
    2008-02-15 20:06 . 2008-02-15 19:56 691,545 --a------ C:\WINDOWS\unins000.exe
    2008-02-15 20:06 . 2008-02-15 20:06 3,444 --a------ C:\WINDOWS\unins000.dat
    2008-02-15 15:18 . 2008-02-24 10:19 157,341 --a------ C:\WINDOWS\BM7383503f.xml
    2008-02-07 19:22 . 2008-02-07 19:27 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Intuit
    2008-02-07 19:20 . 2008-02-07 19:20 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
    2008-02-07 19:18 . 2008-02-07 19:18 <DIR> d-------- C:\Program Files\Common Files\Intuit
    2008-02-07 19:18 . 2008-02-07 19:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit
    2008-02-07 19:18 . 2007-10-22 18:58 1,721,712 --a------ C:\WINDOWS\system32\InetClnt.dll
    2008-02-07 19:08 . 2008-02-07 19:08 <DIR> d-------- C:\Program Files\TurboTax
    2008-02-03 08:57 . 2008-02-03 10:47 <DIR> d-------- C:\Program Files\EsetOnlineScanner
    2008-01-28 19:03 . 2008-01-28 19:03 <DIR> d-------- C:\WINDOWS\system32\bak
    2008-01-28 09:47 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
    2008-01-27 20:18 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-01-27 20:17 . 2008-01-27 20:17 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-01-27 20:13 . 2008-01-27 20:13 <DIR> d-------- C:\Program Files\SDM
    2008-01-27 19:22 . 2008-01-27 19:22 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-01-27 19:00 . 2007-07-08 21:01 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2008-01-27 19:00 . 2007-07-08 21:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
    2008-01-27 19:00 . 2007-12-17 21:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
    2008-01-27 19:00 . 2007-07-08 21:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-25 14:47 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-02-25 14:47 --------- d-----w C:\Program Files\QuickTime
    2008-02-25 14:46 --------- d-----w C:\Program Files\MSN Messenger
    2008-02-25 14:46 --------- d-----w C:\Program Files\iTunes
    2008-02-25 14:46 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-02-16 04:39 --------- d-----w C:\Program Files\Free Offers from Freeze.com
    2008-02-16 04:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-16 01:05 --------- d-----w C:\Program Files\McAfee
    2008-02-08 03:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-07 23:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
    2008-01-28 04:18 --------- d-----w C:\Program Files\Java
    2008-01-19 03:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-01-11 03:36 --------- d-----w C:\Program Files\RcvSystem
    2008-01-05 19:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\SiteAdvisor
    2008-01-04 19:00 --------- d-----w C:\Program Files\Common Files\Webroot Shared
    2008-01-04 19:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Webroot
    2008-01-02 20:39 --------- d-----w C:\Documents and Settings\britney.FILBERT\Application Data\SiteAdvisor
    2008-01-01 23:37 --------- d-----w C:\Program Files\SiteAdvisor
    2008-01-01 16:12 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
    2007-12-31 01:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
    2007-12-31 01:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2007-12-31 01:29 --------- d-----w C:\Program Files\Common Files\McAfee
    2007-12-31 01:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2007-12-31 01:03 --------- d-----w C:\Program Files\Yahoo!
    2007-12-23 18:54 46,512 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
    2007-11-26 22:47 194,888 ----a-w C:\WINDOWS\Unwash6.exe
    2007-11-26 02:49 46,512 ----a-w C:\Documents and Settings\britney.FILBERT\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 5,674,352 2008-01-31 03:43:29 C:\Program Files\MSN Messenger\bak\msnmsgr.exe
    ----a-w 5,674,352 2008-01-29 02:38:02 C:\Program Files\MSN Messenger\MsnMsgr.Exe

    ----a-w 36,640 2008-02-01 12:38:26 C:\Program Files\SiteAdvisor\6253\bak\SiteAdv.exe

    ----a-w 15,360 2004-08-04 19:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
    ----a-w 15,360 2008-02-24 04:35:35 C:\WINDOWS\system32\ctfmon.exe

    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F8A643C4-4D76-44DA-BCE1-4E8B9B7F73EE}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-02-23 20:35 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 07:32 7204864]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
    backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
    --a------ 2004-10-18 16:42 79448 C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cleanup]
    C:\DOCUME~1\Owner\LOCALS~1\Temp\200779174123_mcappins.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
    C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    --a------ 2004-11-03 13:03 125528 C:\Program Files\Common Files\AOL\1183959268\EE\AOLHostManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2007-12-22 10:55 270648 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
    --a------ 2008-01-29 18:05 582992 C:\Program Files\McAfee.com\Agent\mcagent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msci]
    C:\DOCUME~1\Owner\LOCALS~1\Temp\200779174121_mcinfo.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    --a------ 2008-01-28 18:38 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    --a------ 2005-09-18 07:32 7204864 C:\WINDOWS\system32\NvCpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    --a------ 2005-09-18 07:32 86016 C:\WINDOWS\system32\NvMcTray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2005-09-18 07:32 1519616 C:\WINDOWS\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-12-29 22:01 282624 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    %WINDIR%\SMINST\RECGUARD.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
    %WINDIR%\Creator\Remind_XP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    --a------ 2004-11-02 19:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    --a------ 2005-09-26 14:07 90112 C:\WINDOWS\soundman.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-01-27 20:57 144784 C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
    --a------ 2004-11-15 14:04 135168 C:\Program Files\Digital Media Reader\shwiconem.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
    C:\Program Files\Save\Save.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
    --a------ 2008-01-28 01:19 1206600 C:\Program Files\Webroot\Washer\wwDisp.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=

    R2 SonyIEx;SonyIEx;C:\WINDOWS\system32\SonyIEx.exe [2005-05-30 10:48]
    R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 14:47]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-22 06:33:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-02-15 09:39:53 C:\WINDOWS\Tasks\McDefragTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
    "2008-02-01 09:00:23 C:\WINDOWS\Tasks\McQcTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-25 06:51:40
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\SiteAdvisor\6253\SAService.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\system32\imapi.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-25 6:54:22 - machine was rebooted [Owner]
    ComboFix-quarantined-files.txt 2008-02-25 14:54:18
    ComboFix2.txt 2008-02-25 05:45:13
    ComboFix3.txt 2008-02-25 05:09:36
    ComboFix4.txt 2008-02-25 00:30:26
    ComboFix5.txt 2008-01-28 05:01:11
    .
    2008-02-13 11:06:04 --- E O F ---

  8. #18
    Junior Member
    Join Date
    Feb 2008
    Posts
    23

    Default AWF & HJT logs

    AWF log:

    Find AWF report by noahdfear ©2006
    Version 1.40

    The current date is: Mon 02/25/2008
    The current time is: 6:56:11.29


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\MSNMES~1\BAK

    01/30/2008 07:43 PM 5,674,352 msnmsgr.exe
    1 File(s) 5,674,352 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/04/2004 11:00 AM 15,360 ctfmon.exe
    1 File(s) 15,360 bytes

    Directory of C:\PROGRA~1\SITEAD~1\6253\BAK

    02/01/2008 04:38 AM 36,640 SiteAdv.exe
    1 File(s) 36,640 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    5674352 Jan 28 2008 "C:\Program Files\MSN Messenger\MsnMsgr.Exe"
    5674352 Jan 30 2008 "C:\Program Files\MSN Messenger\bak\msnmsgr.exe"
    15360 Feb 23 2008 "C:\WINDOWS\system32\ctfmon.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
    36640 Feb 1 2008 "C:\Program Files\SiteAdvisor\6253\bak\SiteAdv.exe"


    end of report

    And the HijackThis log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:06:03 AM, on 2/25/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\SiteAdvisor\6253\SAService.exe
    C:\WINDOWS\system32\SonyIEx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Webroot\Washer\WasherSvc.exe
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MSC\mcuimgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
    O2 - BHO: (no name) - {F8A643C4-4D76-44DA-BCE1-4E8B9B7F73EE} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://www.regence.com/remote/msrdp.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
    O23 - Service: SonyIEx - Unknown owner - C:\WINDOWS\system32\SonyIEx.exe
    O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

    --
    End of file - 6284 bytes

    Thanks again,
    Cayveman
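
The FindAWF report above lists every `bak` folder and then the same-named files in the parent folders. The helper's earlier explanation is that the trojan swaps a legitimate executable for an infected one and parks the original in `bak`, so the interesting question for each backup is whether a live copy still exists next to it and whether it is byte-for-byte the original. The Python below is an added example of that detection logic, not FindAWF's code and not from this thread: it builds a constructed directory tree shaped like the report (a padded, differing `msnmsgr.exe`, an already-identical `ctfmon.exe`, and a `SiteAdv.exe` backup whose live copy is gone, as the ComboFix run left it) and classifies each pair. Function names (`find_bak_pairs`, `classify`, `run_demo`) and the file contents are assumptions made for the example.

```python
"""Locate 'bak' folders and compare each backup with the same-named live file.

Added example modelled on the FindAWF report format; not FindAWF's code.
Sizes alone are not enough: in the thread both msnmsgr.exe copies were
5,674,352 bytes, so the comparison hashes the contents.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_pairs(root):
    """One record per file found in any folder named 'bak' below root."""
    results = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in sorted(filenames):
            backup = os.path.join(dirpath, name)
            # Windows names are case-insensitive (MsnMsgr.Exe vs msnmsgr.exe in the log),
            # so match the live file by lower-cased name rather than exact string.
            live = next(
                (os.path.join(parent, n) for n in os.listdir(parent)
                 if n.lower() == name.lower() and os.path.isfile(os.path.join(parent, n))),
                None,
            )
            results.append({
                "backup": backup,
                "live": live,
                "backup_size": os.path.getsize(backup),
                "live_size": os.path.getsize(live) if live else None,
                "identical": live is not None and sha256_of(live) == sha256_of(backup),
            })
    return results


def classify(entry):
    """Verdict a responder can act on for one backup/live pair."""
    if entry["live"] is None:
        return "orphaned backup: live copy already removed, restore from bak"
    if entry["identical"]:
        return "live file matches backup: already restored, nothing to do"
    return "live file differs from backup: suspect replacement, restore from bak"


def build_sample_tree(base):
    """Constructed tree shaped like the AWF report in the thread (contents invented)."""
    base = Path(base)
    layout = {
        # same length as the backup on purpose: size comparison alone would miss it
        "Program Files/MSN Messenger/bak/msnmsgr.exe": b"MZ original messenger",
        "Program Files/MSN Messenger/MsnMsgr.Exe": b"MZ trojan stub padded",
        # already identical, as the second AWF log in the thread shows after restore
        "WINDOWS/system32/bak/ctfmon.exe": b"MZ original ctfmon",
        "WINDOWS/system32/ctfmon.exe": b"MZ original ctfmon",
        # only the backup remains; the live copy was removed by the cleanup run
        "Program Files/SiteAdvisor/6253/bak/SiteAdv.exe": b"MZ original siteadv",
    }
    for rel, data in layout.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return base


def run_demo():
    """Build the sample tree in a temp dir and return {backup path: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return {
            Path(e["backup"]).relative_to(root).as_posix(): classify(e)
            for e in find_bak_pairs(root)
        }


if __name__ == "__main__":
    for path, verdict in sorted(run_demo().items()):
        print(f"{path}: {verdict}")
```

Run against a real drive root instead of the temporary tree, the same walk reproduces the "bak folders found" and "Duplicate files" sections of the report, with the hash comparison telling apart a pair that merely shares a size from one that has actually been restored.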

  9. #19
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hello,

    You lucked out, Combofix removed the infected Vundo files.


    Open HijackThis and choose Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

    O2 - BHO: (no name) - {F8A643C4-4D76-44DA-BCE1-4E8B9B7F73EE} - (no file)



    * Double-click FindAWF.exe to start the tool.
    * Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
    * A text file will open up. Please copy/paste the following bolded text into the text file:

    "C:\Program Files\MSN Messenger\bak\msnmsgr.exe"
    "C:\WINDOWS\system32\bak\ctfmon.exe"
    "C:\Program Files\SiteAdvisor\6253\bak\SiteAdv.exe"


    * Close the .txt file and click 'Yes' to save the changes.
    * When the tool has completed, a report will open up in notepad.

    Please post the results of the awf.txt here.

  10. #20
    Junior Member
    Join Date
    Feb 2008
    Posts
    23

    Default awf log

    Hello ken545,

    Here is my awf log:


    Find AWF report by noahdfear ©2006
    Version 1.40
    Option 2 run successfully

    The current date is: Mon 02/25/2008
    The current time is: 18:41:17.32


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\MSNMES~1\BAK

    01/30/2008 07:43 PM 5,674,352 msnmsgr.exe
    1 File(s) 5,674,352 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/04/2004 11:00 AM 15,360 ctfmon.exe
    1 File(s) 15,360 bytes

    Directory of C:\PROGRA~1\SITEAD~1\6253\BAK

    02/01/2008 04:38 AM 36,640 SiteAdv.exe
    1 File(s) 36,640 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    5674352 Jan 30 2008 "C:\Program Files\MSN Messenger\msnmsgr.exe"
    5674352 Jan 30 2008 "C:\Program Files\MSN Messenger\bak\msnmsgr.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
    36640 Feb 1 2008 "C:\Program Files\SiteAdvisor\6253\SiteAdv.exe"
    36640 Feb 1 2008 "C:\Program Files\SiteAdvisor\6253\bak\SiteAdv.exe"


    end of report
