Adrevolver causing issues

[Fredo_P]

Hello all,
I am at my last string of sanity. Only going to give the basics to keep it short.
Started Saturda night. Attempting to fix since 5am Sunday PST.
Used S&D, Norton 360, Spy sweeper, windows defender. No good.

Symtptoms:
-Windows Auto update will not start, unkown program preventing it from starting as per windows alert warning.
-IE8 privacy settings locked and set to allow all cookies. Nothing will force it back to any other setting.
-Way to many pop-ups.
-"Adrevolver/" cookie and other cookies will not delete at all from \temporary internet files
-Trojas appear after starting IE8

Cookies I want gone(think might be the issue:
@media.adrevolver.com/adrevolver/
@www7.addfreestats.com/cgi-bin


Please refer to this post link, S&D search results were to long and posted multiple times making it seem as I was recieving help. Did not read forum rules all the way thru. Sorry.
http://forums.spybot.info/showthread.php?t=35516&highlight=fredo_p

 

[pskelley]

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

First let me say since you still have not followed directions, even though tashi posted them plainly for you here:

http://forums.spybot.info/showthread.php?t=35516&highlight=fredo_p
Please see the stickied procedure for this forum: "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)

Start a new topic providing the HJT log and a link to this thread which I will then close.

You still have not posted a log. If you still want us to see if we can help, read the directions and post that log!

Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

 

[Fredo_P]

I appologize.
I will post the HJT results when I get home tonight.
Don't know if this will help, but it's more that adrevolver. Ran S&D one more time just to check, and it found multiple Virtumonde hits. I have my computer off the internet for safety.

 

[Fredo_P]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:48:34 PM, on 10/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\nHancer\nHancerService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\RivaTuner v2.11\RivaTuner.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Webroot\WebrootSecurity\SSU.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360 Premier Edition\osCheck.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [RTHDCPL] "C:\WINDOWS\RTHDCPL.EXE"
O4 - HKLM\..\Run: [Alcmtr] "C:\WINDOWS\ALCMTR.EXE"
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.11\RivaTuner.exe" /S
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.11\RivaTuner.exe" /T
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Gaming Software\LWEMon.exe" /noui
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [BDRegion] "C:\Program Files\Cyberlink\Shared Files\brs.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [445463ab] "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\nhphcxsd.dll",b
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1220595184765
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1221893404887
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/J...c1/&filename=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://service.futuremark.com/virtualmark/tc/MSC3.cab
O20 - AppInit_DLLs: pnzagc.dll spwous.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\nHancer\nHancerService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 9357 bytes

 

[pskelley]

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed

Please continue as follows:

1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
http://www.bleepingcomputer.com/forums/topic114351.html
Remember to re-enable them afterwards.

2) Click Yes to allow ComboFix to continue scanning for malware.

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

When the tool is finished, it will produce a report for you. Post that report and a new HJT log

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Thanks

 

[Fredo_P]

Here is the Combofix report:

ComboFix 08-10-24.02 - Fredo 2008-10-24 13:05:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2753 [GMT -7:00]
Running from: C:\Documents and Settings\Fredo\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Fredo\Application Data\Adobe\Player.exe
C:\Documents and Settings\Fredo\Application Data\Adobe\Player.exe.bak
C:\WINDOWS\system32\aesfrgti.dll
C:\WINDOWS\system32\CbbceMoq.ini
C:\WINDOWS\system32\CbbceMoq.ini2
C:\WINDOWS\system32\cgaiho.dll
C:\WINDOWS\system32\clconfbp.ini
C:\WINDOWS\system32\csgxtthd.dll
C:\WINDOWS\system32\dsxchphn.ini
C:\WINDOWS\system32\eencqooy.ini
C:\WINDOWS\system32\gkfpwxre.ini
C:\WINDOWS\system32\gpxoav.dll
C:\WINDOWS\system32\leuybnaj.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlJAPJax.dll
C:\WINDOWS\system32\mxlauhey.dll
C:\WINDOWS\system32\nhphcxsd.dll
C:\WINDOWS\system32\notvxz.dll
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oaykcewn.dll
C:\WINDOWS\system32\pnzagc.dll
C:\WINDOWS\system32\qfjlsaqc.dll
C:\WINDOWS\system32\qoMecbbC.dll
C:\WINDOWS\system32\qxskunfv.dll
C:\WINDOWS\system32\qynrye.dll
C:\WINDOWS\system32\racjmuhu.dll
C:\WINDOWS\system32\rbhtcyhq.dll
C:\WINDOWS\system32\saqdsk.dll
C:\WINDOWS\system32\shxnwvkj.dll
C:\WINDOWS\system32\spwous.dll
C:\WINDOWS\system32\ttmdmatl.dll
C:\WINDOWS\system32\uifpuroo.ini
C:\WINDOWS\system32\vbagz.sys
C:\WINDOWS\system32\whilgdjy.dll
C:\WINDOWS\system32\wqoapihn.dll

----- BITS: Possible infected sites -----

hxxp://220.231.180.229
.
((((((((((((((((((((((((( Files Created from 2008-09-24 to 2008-10-24 )))))))))))))))))))))))))))))))
.

2008-10-24 12:50 . 2008-10-24 12:50 <DIR> d-------- C:\Documents and Settings\Fredo\Application Data\SystemRequirementsLab
2008-10-21 19:31 . 2008-10-21 19:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-21 19:09 . 2008-10-21 19:09 0 --a------ C:\WINDOWS\nsreg.dat
2008-10-20 18:28 . 2008-10-20 18:28 120 --ahs---- C:\WINDOWS\system32\nhtplwup.ini
2008-10-19 15:54 . 2008-10-19 15:54 <DIR> d-------- C:\VundoFix Backups
2008-10-19 14:36 . 2008-10-19 14:36 200 --a------ C:\sqmnoopt03.sqm
2008-10-19 14:36 . 2008-10-19 14:36 200 --a------ C:\sqmdata03.sqm
2008-10-19 14:33 . 2008-10-19 14:33 <DIR> d-------- C:\Binaries
2008-10-19 14:31 . 2008-10-19 14:31 <DIR> d-------- C:\Program Files\Webroot
2008-10-19 14:31 . 2008-10-19 14:31 <DIR> d-------- C:\Documents and Settings\Fredo\Application Data\Webroot
2008-10-19 14:31 . 2008-10-19 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-10-19 14:31 . 2008-10-12 13:18 1,553,272 --a------ C:\WINDOWS\WRSetup.dll
2008-10-19 14:31 . 2008-10-19 14:31 164 --a------ C:\install.dat
2008-10-19 13:21 . 2008-10-19 13:21 2,560 --a------ C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-10-19 12:47 . 2008-10-19 12:47 <DIR> d-------- C:\Program Files\Windows Defender
2008-10-19 10:58 . 2008-10-19 10:58 <DIR> d-------- C:\Documents and Settings\Administrator
2008-10-18 22:52 . 2008-10-18 22:52 69,120 --a------ C:\WINDOWS\system32\qpzqbige.wip
2008-10-18 16:09 . 2008-10-18 22:45 153 --a------ C:\WINDOWS\wininit.ini
2008-10-18 12:44 . 2008-10-18 12:57 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-18 12:44 . 2008-10-18 23:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-18 00:22 . 2008-10-22 21:23 49 --a------ C:\WINDOWS\NeroDigital.ini
2008-10-18 00:17 . 2008-10-18 00:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Temp
2008-10-18 00:14 . 2008-10-18 00:14 <DIR> d-------- C:\Program Files\Common Files\CyberLink
2008-10-17 18:32 . 2008-10-17 18:32 <DIR> d-------- C:\Program Files\Logitech
2008-10-17 18:32 . 2008-10-17 18:32 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-10-17 07:16 . 2008-10-17 07:16 <DIR> d-------- C:\Program Files\Vuze
2008-10-17 07:16 . 2008-10-19 17:12 <DIR> d-------- C:\Documents and Settings\Fredo\Application Data\Azureus
2008-10-17 07:16 . 2008-10-17 07:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-10-16 21:09 . 2008-10-16 21:21 <DIR> d-------- C:\Documents and Settings\Fredo\Application Data\Move Networks
2008-10-16 19:35 . 2008-10-16 19:37 <DIR> d-------- C:\WINDOWS\NV37363776.TMP
2008-10-16 19:28 . 2008-10-16 19:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-16 19:28 . 2008-08-14 03:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-16 19:28 . 2008-08-14 03:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-16 19:28 . 2008-08-14 02:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-16 19:28 . 2008-08-14 02:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-16 19:28 . 2008-09-15 05:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-16 19:28 . 2008-09-08 03:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-16 19:26 . 2008-10-16 19:26 <DIR> d-------- C:\Documents and Settings\Fredo\Application Data\nHancer
2008-10-13 23:03 . 2008-10-13 23:03 <DIR> d-------- C:\Program Files\nHancer
2008-10-13 23:03 . 2008-10-13 23:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-10-13 23:03 . 2008-10-16 19:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nHancer
2008-10-10 17:51 . 2008-10-10 17:51 151,552 --a------ C:\WINDOWS\system32\nvRegDev.dll
2008-10-10 17:49 . 2008-10-10 17:49 <DIR> d-------- C:\CUDA
2008-10-10 17:45 . 2008-10-10 17:45 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-10-10 17:45 . 2008-10-10 17:46 <DIR> d-------- C:\WINDOWS\NV35563560.TMP
2008-10-10 17:45 . 2008-10-10 17:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-10 17:45 . 2008-10-10 17:45 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-10-10 17:45 . 2008-10-07 13:33 201,157 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-10-09 00:06 . 2008-10-09 00:06 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-10-09 00:06 . 2008-05-16 09:25 219,669 -ra------ C:\WINDOWS\system32\nvdspchs.chm
2008-10-09 00:06 . 2008-05-16 09:25 213,493 -ra------ C:\WINDOWS\system32\nvdspcht.chm
2008-10-09 00:06 . 2008-10-24 13:11 194,956 --a------ C:\WINDOWS\system32\nvapps.xml
2008-10-09 00:06 . 2008-05-16 09:25 139,792 -ra------ C:\WINDOWS\system32\nv3dcht.chm
2008-10-09 00:06 . 2008-05-16 09:25 134,133 -ra------ C:\WINDOWS\system32\nv3dchs.chm
2008-10-09 00:06 . 2008-05-16 09:25 59,261 -ra------ C:\WINDOWS\system32\nvmobcht.chm
2008-10-09 00:06 . 2008-05-16 09:25 58,607 -ra------ C:\WINDOWS\system32\nvmobchs.chm
2008-10-02 04:15 . 2008-10-02 04:15 170,608 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-10-02 04:15 . 2008-10-02 04:15 29,808 --a------ C:\WINDOWS\system32\drivers\ssfs0bbc.sys
2008-10-02 04:15 . 2008-10-02 04:15 23,152 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-09-24 23:42 . 2008-09-16 10:15 4,224 --a------ C:\WINDOWS\system32\drivers\NVStrap.sys
2008-09-24 23:02 . 2008-09-24 23:02 <DIR> d-------- C:\Program Files\NVIDIA nTune Performance Application
2008-09-24 23:02 . 2008-10-10 17:51 <DIR> d-------- C:\Program Files\NVIDIA Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-24 20:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-24 20:11 --------- d-----w C:\Program Files\lg_fwupdate
2008-10-20 00:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-10-18 07:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-18 07:17 505,128 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-10-18 07:17 29,480 ----a-w C:\WINDOWS\system32\msxml3a.dll
2008-10-18 07:15 --------- d-----w C:\Documents and Settings\Fredo\Application Data\CyberLink
2008-10-18 07:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-10-18 07:13 --------- d-----w C:\Program Files\CyberLink
2008-10-18 03:19 --------- d-----w C:\Program Files\FSacars
2008-10-17 02:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-23 06:19 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-09-23 04:46 --------- d-----w C:\Program Files\Pirep2007
2008-09-22 02:59 --------- d-----w C:\Program Files\Bethesda Softworks
2008-09-22 00:44 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-09-22 00:44 262,144 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-09-22 00:42 --------- d-----w C:\Program Files\Futuremark
2008-09-20 20:40 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-09-20 20:40 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-09-20 20:40 --------- d-----w C:\Documents and Settings\Fredo\Application Data\Secret of the Solstice
2008-09-20 20:10 --------- d-----w C:\Program Files\Outspark
2008-09-20 07:04 --------- d-----w C:\Documents and Settings\Fredo\Application Data\Winamp
2008-09-20 06:57 --------- d-----w C:\Program Files\Winamp
2008-09-20 06:52 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-09-20 05:35 --------- d-----w C:\Program Files\Netflix
2008-09-20 03:16 --------- d-----w C:\Program Files\Java
2008-09-20 03:16 --------- d-----w C:\Program Files\Common Files\Java
2008-09-20 01:43 --------- d-----w C:\Program Files\SquawkBox
2008-09-20 01:35 --------- d-----w C:\Program Files\Boeing737FPL
2008-09-20 01:10 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-09-20 01:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-20 00:34 --------- d-----w C:\Program Files\Norton 360 Premier Edition
2008-09-20 00:32 --------- d-----w C:\Program Files\Windows Live
2008-09-20 00:31 --------- d-----w C:\Program Files\Microsoft
2008-09-20 00:29 --------- d-----w C:\Program Files\Common Files\Windows Live
2008-09-19 00:50 --------- d-----w C:\Program Files\CH Products
2008-09-19 00:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\CaptainSim
2008-09-18 01:59 --------- d-----w C:\Program Files\RivaTuner v2.11
2008-09-18 01:56 --------- d-----w C:\Program Files\Intel Corporation
2008-09-17 16:55 453,152 ----a-w C:\WINDOWS\system32\nvudisp.exe
2008-09-17 04:27 453,152 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-09-17 02:31 --------- d-----w C:\Program Files\U-ABIT
2008-09-17 02:15 73,728 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2008-09-17 02:12 --------- d-----w C:\Program Files\Realtek
2008-09-17 02:01 --------- d-----w C:\Program Files\Intel
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-11 05:43 --------- d-----w C:\Program Files\OO Software
2008-09-11 05:33 --------- d-----w C:\Program Files\Shockwave 3D Lights Redux for FS9
2008-09-10 07:29 --------- d-----w C:\Program Files\MSXML 4.0
2008-09-10 07:11 --------- d-----w C:\Program Files\Microsoft Games
2008-09-10 07:10 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-10 01:23 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-09-10 01:11 --------- d-----w C:\Program Files\Flight One Software
2008-09-09 07:03 51,712 ----a-w C:\WINDOWS\system32\sirenacm.dll
2008-09-09 06:11 --------- d-----w C:\Program Files\Common Files\Ahead
2008-09-09 06:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-09-09 06:07 --------- d-----w C:\Program Files\Nero
2008-09-09 06:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-09-05 09:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-09-05 09:21 --------- d-----w C:\Documents and Settings\Fredo\Application Data\Symantec
2008-09-05 09:19 23,600 ----a-w C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-09-05 09:00 --------- d-----w C:\Program Files\Microsoft.NET
2008-09-05 09:00 --------- d-----w C:\Program Files\Microsoft Works
2008-09-05 08:10 --------- d-----w C:\Program Files\Reference Assemblies
2008-09-05 08:10 --------- d-----w C:\Program Files\MSBuild
2008-09-05 07:57 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-09-05 07:57 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-09-05 07:57 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-09-05 07:57 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-09-05 07:57 --------- d-----w C:\Program Files\Symantec
2008-09-05 07:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-05 07:47 --------- d-----w C:\Program Files\DIFX
2008-09-05 07:09 --------- d-----w C:\Program Files\Windows Sidebar
2008-09-05 06:50 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-09-05 05:58 --------- d-----w C:\Documents and Settings\Fredo\Application Data\InstallShield
2008-09-05 05:57 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-09-05 03:57 --------- d-----w C:\Program Files\microsoft frontpage
2008-09-04 16:31 288,024 ----a-w C:\WINDOWS\system32\PhysXCplUI.exe
2008-08-29 15:57 70,936 ----a-w C:\WINDOWS\system32\PhysXLoader.dll
2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-08-06 00:55 265,720 ----a-w C:\WINDOWS\system32\msdbg2.dll
2008-07-31 17:41 68,616 ----a-w C:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 17:41 238,088 ----a-w C:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 17:40 509,448 ----a-w C:\WINDOWS\system32\XAudio2_2.dll
2008-07-30 04:10 73,720 ----a-w C:\WINDOWS\system32\dxva2.dll
2008-07-30 04:10 493,048 ----a-w C:\WINDOWS\system32\evr.dll
2008-07-30 04:10 26,112 ----a-w C:\WINDOWS\system32\TsWpfWrp.exe
2008-07-30 03:35 326,160 ----a-w C:\WINDOWS\system32\PresentationHost.exe
2008-07-30 02:59 781,344 ----a-w C:\WINDOWS\system32\PresentationNative_v0300.dll
2008-07-30 02:59 43,544 ----a-w C:\WINDOWS\system32\PresentationHostProxy.dll
2008-07-30 02:59 161,296 ----a-w C:\WINDOWS\system32\UIAutomationCore.dll
2008-07-30 02:59 105,016 ----a-w C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2008-07-30 02:24 97,800 ----a-w C:\WINDOWS\system32\infocardapi.dll
2008-07-30 02:24 622,080 ----a-w C:\WINDOWS\system32\icardagt.exe
2008-07-30 02:24 11,264 ----a-w C:\WINDOWS\system32\icardres.dll
2008-07-25 18:17 41,984 ----a-w C:\WINDOWS\system32\netfxperf.dll
2008-07-25 18:16 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2008-07-25 18:16 83,968 ----a-w C:\WINDOWS\system32\mscories.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2008-10-12 13:11 238968 --a------ C:\Program Files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_9.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 01:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 01:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 01:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 51048]
"osCheck"="C:\Program Files\Norton 360 Premier Edition\osCheck.exe" [2008-02-26 988512]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-02-26 249856]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-02-27 570664]
"RTHDCPL"="C:\WINDOWS\RTHDCPL.EXE" [2008-06-13 16871936]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.11\RivaTuner.exe" [2008-09-16 2715648]
"RivaTuner"="C:\Program Files\RivaTuner v2.11\RivaTuner.exe" [2008-09-16 2715648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-10-07 13574144]
"nwiz"="C:\WINDOWS\system32\nwiz.exe" [2008-10-07 1630208]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-10-07 86016]
"Start WingMan Profiler"="C:\Program Files\Logitech\Gaming Software\LWEMon.exe" [2008-04-04 88584]
"RemoteControl8"="C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
"PDVD8LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [2008-08-08 91432]
"SpySweeper"="C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2008-10-12 6272888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=pnzagc.dll gpxoav.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
--a------ 2007-05-24 21:13 1957888 C:\WINDOWS\system32\xRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2008-02-18 14:36 1057064 C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
--a------ 2007-03-19 23:36 36864 C:\WINDOWS\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a------ 2008-02-18 14:36 1629480 C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RichVideo"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R0 ssfs0bbc;ssfs0bbc;C:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys [2008-10-02 29808]
R1 UGURU;UGURU;C:\WINDOWS\system32\drivers\uGuru.sys [2006-05-02 14592]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};C:\Program Files\CyberLink\PowerDVD8\000.fcl [2008-08-08 10:15 41456]
R3 chdrvr01;CH Control Manager Driver 1;C:\WINDOWS\system32\DRIVERS\chdrvr01.sys [2006-11-21 215104]
R3 chdrvr02;CH Control Manager Driver 2;C:\WINDOWS\system32\DRIVERS\chdrvr02.sys [2005-12-22 3744]
R3 chdrvr03;CH Control Manager Driver 3;C:\WINDOWS\system32\DRIVERS\chdrvr03.sys [2005-12-22 9024]
S0 NVStrap;NVStrap;C:\WINDOWS\system32\drivers\NVStrap.sys [2008-09-16 4224]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
S3 Memctl;Memctl;C:\Program Files\U-ABIT\FlashMenu\Memctl.sys [2006-04-18 4047]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-10-24 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-10-24 C:\WINDOWS\Tasks\wrSpySweeper_LA240101943EC4BE1BF0A7F4E107F3FEB.job
- C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe [2008-10-12 13:18]

2008-10-24 C:\WINDOWS\Tasks\wrSpySweeper_LA240101943EC4BE1BF0A7F4E107F3FEB.job
- C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe [2008-10-12 13:18]

2008-10-24 C:\WINDOWS\Tasks\wrSpySweeper_LA240101943EC4BE1BF0A7F4E107F3FEB.job
- C:\","D:\","E:\" []
.
- - - - ORPHANS REMOVED - - - -

BHO-{045A5438-1C09-4AC2-B784-15B98B130D11} - C:\WINDOWS\system32\rbhtcyhq.dll
BHO-{38AEAB23-71AC-4BF8-90AF-524CA13AE41E} - C:\WINDOWS\system32\qoMecbbC.dll
BHO-{4f658885-bcd7-4b7b-ae65-edeb859dff9c} - C:\WINDOWS\system32\gpxoav.dll
HKLM-Run-445463ab - C:\WINDOWS\system32\nhphcxsd.dll
ShellExecuteHooks-{420959A7-1B3F-49EE-848E-6DE631A39223} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Fredo\Application Data\Mozilla\Firefox\Profiles\g30cxnbk.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://google.com
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-24 13:11:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD8\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\nHancer\nHancerService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\ALCFDRTM.EXE
.
**************************************************************************
.
Completion time: 2008-10-24 13:18:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-24 20:18:34

Pre-Run: 425,633,140,736 bytes free
Post-Run: 425,635,598,336 bytes free

352 --- E O F --- 2008-10-17 02:35:00



And here is the new KJT report:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:21:33 PM, on 10/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\nHancer\nHancerService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360 Premier Edition\osCheck.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [RTHDCPL] "C:\WINDOWS\RTHDCPL.EXE"
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.11\RivaTuner.exe" /S
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.11\RivaTuner.exe" /T
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Gaming Software\LWEMon.exe" /noui
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [BDRegion] "C:\Program Files\Cyberlink\Shared Files\brs.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1220595184765
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1221893404887
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/J...c1/&filename=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://service.futuremark.com/virtualmark/tc/MSC3.cab
O20 - AppInit_DLLs: pnzagc.dll gpxoav.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\nHancer\nHancerService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 8756 bytes

 

[pskelley]

Thanks for returning your information, please read and follow the directions carefully and in the numbered order.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\system32\nhtplwup.ini
C:\WINDOWS\system32\qpzqbige.wip

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Save this as CFScript

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O20 - AppInit_DLLs: pnzagc.dll gpxoav.dll <<< may be gone

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

How is the computer running now?

Thanks

 

[Fredo_P]

Computer is running better. No pop-ups yet. Adrevolver/ cookie and a list of others still are not allowing me to delete them. Here are the reports:

CFScripts----

ComboFix 08-10-25.01 - Fredo 2008-10-27 0:32:53.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2766 [GMT -7:00]
Running from: C:\Documents and Settings\Fredo\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Fredo\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\nhtplwup.ini
C:\WINDOWS\system32\qpzqbige.wip
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\nhtplwup.ini
C:\WINDOWS\system32\qpzqbige.wip

.
((((((((((((((((((((((((( Files Created from 2008-09-27 to 2008-10-27 )))))))))))))))))))))))))))))))
.

2008-10-24 13:14 . 2008-10-15 09:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-24 12:50 . 2008-10-24 12:50 <DIR> d-------- C:\Documents and Settings\Fredo\Application Data\SystemRequirementsLab
2008-10-21 19:31 . 2008-10-21 19:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-21 19:09 . 2008-10-21 19:09 0 --a------ C:\WINDOWS\nsreg.dat
2008-10-19 15:54 . 2008-10-19 15:54 <DIR> d-------- C:\VundoFix Backups
2008-10-19 14:36 . 2008-10-19 14:36 200 --a------ C:\sqmnoopt03.sqm
2008-10-19 14:36 . 2008-10-19 14:36 200 --a------ C:\sqmdata03.sqm
2008-10-19 14:33 . 2008-10-19 14:33 <DIR> d-------- C:\Binaries
2008-10-19 14:31 . 2008-10-19 14:31 <DIR> d-------- C:\Program Files\Webroot
2008-10-19 14:31 . 2008-10-19 14:31 <DIR> d-------- C:\Documents and Settings\Fredo\Application Data\Webroot
2008-10-19 14:31 . 2008-10-19 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-10-19 14:31 . 2008-10-12 13:18 1,553,272 --a------ C:\WINDOWS\WRSetup.dll
2008-10-19 14:31 . 2008-10-19 14:31 164 --a------ C:\install.dat
2008-10-19 13:21 . 2008-10-19 13:21 2,560 --a------ C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-10-19 12:47 . 2008-10-19 12:47 <DIR> d-------- C:\Program Files\Windows Defender
2008-10-19 10:58 . 2008-10-19 10:58 <DIR> d-------- C:\Documents and Settings\Administrator
2008-10-18 16:09 . 2008-10-18 22:45 153 --a------ C:\WINDOWS\wininit.ini
2008-10-18 12:44 . 2008-10-18 12:57 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-18 12:44 . 2008-10-18 23:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-18 00:22 . 2008-10-22 21:23 49 --a------ C:\WINDOWS\NeroDigital.ini
2008-10-18 00:17 . 2008-10-18 00:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Temp
2008-10-18 00:14 . 2008-10-18 00:14 <DIR> d-------- C:\Program Files\Common Files\CyberLink
2008-10-17 18:32 . 2008-10-17 18:32 <DIR> d-------- C:\Program Files\Logitech
2008-10-17 18:32 . 2008-10-17 18:32 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-10-17 07:16 . 2008-10-17 07:16 <DIR> d-------- C:\Program Files\Vuze
2008-10-17 07:16 . 2008-10-19 17:12 <DIR> d-------- C:\Documents and Settings\Fredo\Application Data\Azureus
2008-10-17 07:16 . 2008-10-17 07:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-10-16 21:09 . 2008-10-16 21:21 <DIR> d-------- C:\Documents and Settings\Fredo\Application Data\Move Networks
2008-10-16 19:35 . 2008-10-16 19:37 <DIR> d-------- C:\WINDOWS\NV37363776.TMP
2008-10-16 19:28 . 2008-10-16 19:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-16 19:28 . 2008-08-14 03:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-16 19:28 . 2008-08-14 03:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-16 19:28 . 2008-08-14 02:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-16 19:28 . 2008-08-14 02:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-16 19:28 . 2008-09-15 05:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-16 19:28 . 2008-09-08 03:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-16 19:26 . 2008-10-16 19:26 <DIR> d-------- C:\Documents and Settings\Fredo\Application Data\nHancer
2008-10-13 23:03 . 2008-10-13 23:03 <DIR> d-------- C:\Program Files\nHancer
2008-10-13 23:03 . 2008-10-13 23:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-10-13 23:03 . 2008-10-16 19:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nHancer
2008-10-10 17:51 . 2008-10-10 17:51 151,552 --a------ C:\WINDOWS\system32\nvRegDev.dll
2008-10-10 17:49 . 2008-10-10 17:49 <DIR> d-------- C:\CUDA
2008-10-10 17:45 . 2008-10-10 17:45 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-10-10 17:45 . 2008-10-10 17:46 <DIR> d-------- C:\WINDOWS\NV35563560.TMP
2008-10-10 17:45 . 2008-10-10 17:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-10 17:45 . 2008-10-10 17:45 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-10-10 17:45 . 2008-10-07 13:33 201,157 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-10-09 00:06 . 2008-10-09 00:06 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-10-09 00:06 . 2008-05-16 09:25 219,669 -ra------ C:\WINDOWS\system32\nvdspchs.chm
2008-10-09 00:06 . 2008-05-16 09:25 213,493 -ra------ C:\WINDOWS\system32\nvdspcht.chm
2008-10-09 00:06 . 2008-10-27 00:23 194,956 --a------ C:\WINDOWS\system32\nvapps.xml
2008-10-09 00:06 . 2008-05-16 09:25 139,792 -ra------ C:\WINDOWS\system32\nv3dcht.chm
2008-10-09 00:06 . 2008-05-16 09:25 134,133 -ra------ C:\WINDOWS\system32\nv3dchs.chm
2008-10-09 00:06 . 2008-05-16 09:25 59,261 -ra------ C:\WINDOWS\system32\nvmobcht.chm
2008-10-09 00:06 . 2008-05-16 09:25 58,607 -ra------ C:\WINDOWS\system32\nvmobchs.chm
2008-10-02 04:15 . 2008-10-02 04:15 170,608 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-10-02 04:15 . 2008-10-02 04:15 29,808 --a------ C:\WINDOWS\system32\drivers\ssfs0bbc.sys
2008-10-02 04:15 . 2008-10-02 04:15 23,152 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-27 07:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-27 07:22 --------- d-----w C:\Program Files\lg_fwupdate
2008-10-27 07:18 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-10-20 00:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-10-18 07:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-18 07:17 505,128 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-10-18 07:17 29,480 ----a-w C:\WINDOWS\system32\msxml3a.dll
2008-10-18 07:15 --------- d-----w C:\Documents and Settings\Fredo\Application Data\CyberLink
2008-10-18 07:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-10-18 07:13 --------- d-----w C:\Program Files\CyberLink
2008-10-18 03:19 --------- d-----w C:\Program Files\FSacars
2008-10-17 02:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-10-11 00:51 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-09-25 06:02 --------- d-----w C:\Program Files\NVIDIA nTune Performance Application
2008-09-23 06:19 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-09-23 04:46 --------- d-----w C:\Program Files\Pirep2007
2008-09-22 02:59 --------- d-----w C:\Program Files\Bethesda Softworks
2008-09-22 00:44 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-09-22 00:44 262,144 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-09-22 00:42 --------- d-----w C:\Program Files\Futuremark
2008-09-20 20:40 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-09-20 20:40 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-09-20 20:40 --------- d-----w C:\Documents and Settings\Fredo\Application Data\Secret of the Solstice
2008-09-20 20:10 --------- d-----w C:\Program Files\Outspark
2008-09-20 07:04 --------- d-----w C:\Documents and Settings\Fredo\Application Data\Winamp
2008-09-20 06:57 --------- d-----w C:\Program Files\Winamp
2008-09-20 05:35 --------- d-----w C:\Program Files\Netflix
2008-09-20 03:16 --------- d-----w C:\Program Files\Java
2008-09-20 03:16 --------- d-----w C:\Program Files\Common Files\Java
2008-09-20 01:43 --------- d-----w C:\Program Files\SquawkBox
2008-09-20 01:35 --------- d-----w C:\Program Files\Boeing737FPL
2008-09-20 01:10 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-09-20 01:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-20 00:34 --------- d-----w C:\Program Files\Norton 360 Premier Edition
2008-09-20 00:32 --------- d-----w C:\Program Files\Windows Live
2008-09-20 00:31 --------- d-----w C:\Program Files\Microsoft
2008-09-20 00:29 --------- d-----w C:\Program Files\Common Files\Windows Live
2008-09-19 00:50 --------- d-----w C:\Program Files\CH Products
2008-09-19 00:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\CaptainSim
2008-09-18 01:59 --------- d-----w C:\Program Files\RivaTuner v2.11
2008-09-18 01:56 --------- d-----w C:\Program Files\Intel Corporation
2008-09-17 16:55 453,152 ----a-w C:\WINDOWS\system32\nvudisp.exe
2008-09-17 04:27 453,152 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-09-17 02:31 --------- d-----w C:\Program Files\U-ABIT
2008-09-17 02:15 73,728 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2008-09-17 02:12 --------- d-----w C:\Program Files\Realtek
2008-09-17 02:01 --------- d-----w C:\Program Files\Intel
2008-09-16 17:15 4,224 ----a-w C:\WINDOWS\system32\drivers\NVStrap.sys
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-11 05:43 --------- d-----w C:\Program Files\OO Software
2008-09-11 05:33 --------- d-----w C:\Program Files\Shockwave 3D Lights Redux for FS9
2008-09-10 07:29 --------- d-----w C:\Program Files\MSXML 4.0
2008-09-10 07:11 --------- d-----w C:\Program Files\Microsoft Games
2008-09-10 07:10 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-10 01:23 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-09-10 01:11 --------- d-----w C:\Program Files\Flight One Software
2008-09-09 07:03 51,712 ----a-w C:\WINDOWS\system32\sirenacm.dll
2008-09-09 06:11 --------- d-----w C:\Program Files\Common Files\Ahead
2008-09-09 06:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-09-09 06:07 --------- d-----w C:\Program Files\Nero
2008-09-09 06:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-09-05 09:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-09-05 09:21 --------- d-----w C:\Documents and Settings\Fredo\Application Data\Symantec
2008-09-05 09:19 23,600 ----a-w C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-09-05 09:00 --------- d-----w C:\Program Files\Microsoft.NET
2008-09-05 09:00 --------- d-----w C:\Program Files\Microsoft Works
2008-09-05 08:10 --------- d-----w C:\Program Files\Reference Assemblies
2008-09-05 08:10 --------- d-----w C:\Program Files\MSBuild
2008-09-05 07:57 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-09-05 07:57 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-09-05 07:57 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-09-05 07:57 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-09-05 07:57 --------- d-----w C:\Program Files\Symantec
2008-09-05 07:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-05 07:47 --------- d-----w C:\Program Files\DIFX
2008-09-05 07:09 --------- d-----w C:\Program Files\Windows Sidebar
2008-09-05 06:50 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-09-05 05:58 --------- d-----w C:\Documents and Settings\Fredo\Application Data\InstallShield
2008-09-05 05:57 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-09-05 03:57 --------- d-----w C:\Program Files\microsoft frontpage
2008-09-04 16:31 288,024 ----a-w C:\WINDOWS\system32\PhysXCplUI.exe
2008-08-29 15:57 70,936 ----a-w C:\WINDOWS\system32\PhysXLoader.dll
2008-08-20 05:30 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-08-06 00:55 265,720 ----a-w C:\WINDOWS\system32\msdbg2.dll
2008-07-31 17:41 68,616 ----a-w C:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 17:41 238,088 ----a-w C:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 17:40 509,448 ----a-w C:\WINDOWS\system32\XAudio2_2.dll
2008-07-30 04:10 73,720 ----a-w C:\WINDOWS\system32\dxva2.dll
2008-07-30 04:10 493,048 ----a-w C:\WINDOWS\system32\evr.dll
2008-07-30 04:10 26,112 ----a-w C:\WINDOWS\system32\TsWpfWrp.exe
2008-07-30 03:35 326,160 ----a-w C:\WINDOWS\system32\PresentationHost.exe
2008-07-30 02:59 781,344 ----a-w C:\WINDOWS\system32\PresentationNative_v0300.dll
2008-07-30 02:59 43,544 ----a-w C:\WINDOWS\system32\PresentationHostProxy.dll
2008-07-30 02:59 161,296 ----a-w C:\WINDOWS\system32\UIAutomationCore.dll
2008-07-30 02:59 105,016 ----a-w C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2008-07-30 02:24 97,800 ----a-w C:\WINDOWS\system32\infocardapi.dll
2008-07-30 02:24 622,080 ----a-w C:\WINDOWS\system32\icardagt.exe
.

((((((((((((((((((((((((((((( snapshot@2008-10-24_13.18.05.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-24 19:48:08 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-10-27 07:18:49 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-10-24 19:48:08 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-27 07:18:49 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-10-24 19:48:08 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-10-27 07:18:49 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-09 10:53:39 512,000 -c----w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2008-08-20 05:30:53 3,067,904 -c----w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-08-20 05:30:51 1,499,136 -c----w C:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2008-08-20 05:30:52 619,520 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-05-09 10:53:40 430,080 -c----w C:\WINDOWS\system32\dllcache\vbscript.dll
+ 2008-08-20 05:30:51 666,112 -c----w C:\WINDOWS\system32\dllcache\wininet.dll
- 2008-04-14 00:11:56 512,000 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2008-05-09 10:53:39 512,000 ----a-w C:\WINDOWS\system32\jscript.dll
- 2008-04-14 00:11:59 3,066,880 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-08-20 05:30:53 3,067,904 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2008-04-14 00:12:01 337,408 ----a-w C:\WINDOWS\system32\netapi32.dll
+ 2008-10-15 16:34:24 337,408 ----a-w C:\WINDOWS\system32\netapi32.dll
- 2008-04-14 00:12:05 1,499,136 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2008-08-20 05:30:51 1,499,136 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2007-11-30 11:18:51 17,272 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w C:\WINDOWS\system32\spmsg.dll
- 2008-04-14 00:12:08 619,520 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-08-20 05:30:52 619,520 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2008-04-14 00:12:08 434,176 ----a-w C:\WINDOWS\system32\vbscript.dll
+ 2008-05-09 10:53:40 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
+ 2008-10-27 07:19:27 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_3b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2008-10-12 13:11 238968 --a------ C:\Program Files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_9.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 01:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 01:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 01:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 51048]
"osCheck"="C:\Program Files\Norton 360 Premier Edition\osCheck.exe" [2008-02-26 988512]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-02-26 249856]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-02-27 570664]
"RTHDCPL"="C:\WINDOWS\RTHDCPL.EXE" [2008-06-13 16871936]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.11\RivaTuner.exe" [2008-09-16 2715648]
"RivaTuner"="C:\Program Files\RivaTuner v2.11\RivaTuner.exe" [2008-09-16 2715648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-10-07 13574144]
"nwiz"="C:\WINDOWS\system32\nwiz.exe" [2008-10-07 1630208]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-10-07 86016]
"Start WingMan Profiler"="C:\Program Files\Logitech\Gaming Software\LWEMon.exe" [2008-04-04 88584]
"RemoteControl8"="C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
"PDVD8LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [2008-08-08 91432]
"SpySweeper"="C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2008-10-12 6272888]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
--a------ 2007-05-24 21:13 1957888 C:\WINDOWS\system32\xRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2008-02-18 14:36 1057064 C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
--a------ 2007-03-19 23:36 36864 C:\WINDOWS\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a------ 2008-02-18 14:36 1629480 C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RichVideo"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R0 ssfs0bbc;ssfs0bbc;C:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys [2008-10-02 29808]
R1 UGURU;UGURU;C:\WINDOWS\system32\drivers\uGuru.sys [2006-05-02 14592]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};C:\Program Files\CyberLink\PowerDVD8\000.fcl [2008-08-08 10:15 41456]
R3 chdrvr01;CH Control Manager Driver 1;C:\WINDOWS\system32\DRIVERS\chdrvr01.sys [2006-11-21 215104]
R3 chdrvr02;CH Control Manager Driver 2;C:\WINDOWS\system32\DRIVERS\chdrvr02.sys [2005-12-22 3744]
R3 chdrvr03;CH Control Manager Driver 3;C:\WINDOWS\system32\DRIVERS\chdrvr03.sys [2005-12-22 9024]
S0 NVStrap;NVStrap;C:\WINDOWS\system32\drivers\NVStrap.sys [2008-09-16 4224]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
S3 Memctl;Memctl;C:\Program Files\U-ABIT\FlashMenu\Memctl.sys [2006-04-18 4047]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-10-27 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-10-24 C:\WINDOWS\Tasks\wrSpySweeper_LA240101943EC4BE1BF0A7F4E107F3FEB.job
- C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe [2008-10-12 13:18]

2008-10-24 C:\WINDOWS\Tasks\wrSpySweeper_LA240101943EC4BE1BF0A7F4E107F3FEB.job
- C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe [2008-10-12 13:18]

2008-10-24 C:\WINDOWS\Tasks\wrSpySweeper_LA240101943EC4BE1BF0A7F4E107F3FEB.job
- C:\","D:\","E:\" []
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-27 00:35:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD8\000.fcl"
.
Completion time: 2008-10-27 0:38:25
ComboFix-quarantined-files.txt 2008-10-27 07:38:22
ComboFix2.txt 2008-10-24 20:18:38

Pre-Run: 425,551,253,504 bytes free
Post-Run: 425,532,657,664 bytes free

314 --- E O F --- 2008-10-24 20:28:58





MBAM-----

Malwarebytes' Anti-Malware 1.30
Database version: 1325
Windows 5.1.2600 Service Pack 3

10/27/2008 2:08:41 AM
mbam-log-2008-10-27 (02-08-41).txt

Scan type: Full Scan (C:\|)
Objects scanned: 850411
Time elapsed: 59 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 54

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\aesfrgti.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\cgaiho.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\csgxtthd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gpxoav.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\leuybnaj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\mlJAPJax.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\mxlauhey.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nhphcxsd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\notvxz.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\oaykcewn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pnzagc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\qfjlsaqc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\qoMecbbC.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\qpzqbige.wip.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\qxskunfv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\qynrye.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\racjmuhu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rbhtcyhq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\saqdsk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\shxnwvkj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\spwous.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ttmdmatl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\whilgdjy.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wqoapihn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP87\A0026597.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP87\A0026578.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP87\A0026596.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP87\A0026598.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP87\A0028589.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP89\A0037625.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP89\A0040817.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP92\A0042842.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP92\A0042831.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP92\A0042832.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP92\A0042834.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP92\A0042838.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP92\A0042839.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP92\A0042840.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP92\A0042841.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP92\A0042843.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP92\A0042844.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP92\A0042845.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP92\A0042846.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP92\A0042847.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP92\A0042848.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP92\A0042849.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP92\A0042850.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP92\A0042851.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP92\A0042852.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP92\A0042853.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP92\A0042854.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP92\A0042855.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP92\A0042857.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{17EFB55D-3117-4C92-BED2-165F2A537A57}\RP92\A0042858.dll (Trojan.Vundo) -> Quarantined and deleted successfully.



HJT----


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:09:46 AM, on 10/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\nHancer\nHancerService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360 Premier Edition\osCheck.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [RTHDCPL] "C:\WINDOWS\RTHDCPL.EXE"
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.11\RivaTuner.exe" /S
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.11\RivaTuner.exe" /T
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Gaming Software\LWEMon.exe" /noui
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [BDRegion] "C:\Program Files\Cyberlink\Shared Files\brs.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1220595184765
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1221893404887
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/J...c1/&filename=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://service.futuremark.com/virtualmark/tc/MSC3.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\nHancer\nHancerService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 9025 bytes

 

[pskelley]

Cookies are a part of doing business on the internet and some are necessary (passwords, etc.) for the ones you do not want, see this information:

http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx

This freeware program will also block the junk:
http://www.bleepingcomputer.com/forums/tutorial49.html

I suggest a good hosts file which you can add addresses to that will block the junk. http://www.mvps.org/winhelp2002/hosts.htm

I also suggest you consider Internet Explorer 7 (8 is in beta now) for the additional security it provides.
http://www.microsoft.com/windows/products/winfamily/ie/default.mspx

Some additional information is available at Google:
http://www.google.com/search?hl=en&q=remove+Adrevolver&btnG=Search

Let's proceed like this...

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.

Update Symantec and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.
http://www.symantec.com/enterprise/support/index.jsp
If all is well at this point, let me know and I will close the topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html

 

[Fredo_P]

It's all good here. Thanx for all the work. I greatly appreciate it. Although, spybot alerted that something wanted to be added to the registry upon start up after reboot. It was labled as spyware, but I refused, and never saw it again. WIll be more careful from here on out.

 

[pskelley]

You be careful our there, since organized crime moved online, the internet is no longer a safe place. Just a bit of information for you.

http://news.cnet.com/8301-1009_3-9992897-83.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://en.wikipedia.org/wiki/Russian_Business_Network
http://rbnexploit.blogspot.com/
http://en.wikipedia.org/wiki/Vundo_trojan
Infected websites are the next internet security threats
http://www.google.com/search?hl=en&q=infected+websites&btnG=Google+Search
http://news.cnet.com/8301-1009_3-10004970-83.html?tag=nl.e703