Virtumonde Removal Help Please.

Rick7

New member
Here are the results of my HJT log. I ran Spybot in Safe Mode first. I can't get this one removed. I also have a Kaspersky Report, but didn't know when to post it.
Thank you,
Rick

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:53, on 2008-02-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Digidesign\Drivers\MMERefresh .exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY .EXE
C:\Program Files\Mediafour\MacDrive\MDDiskProtect .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1 .EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroDist.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\vtstt.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on ANTEC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P44 "Auto EPSON Stylus Photo R200 Series on ANTEC" /O16 "\\ANTEC\Printer2" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [603c7117] rundll32.exe "C:\WINDOWS\system32\aftteios.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA8623] command /c del "C:\WINDOWS\system32\vtstt.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1401] cmd /c del "C:\WINDOWS\system32\vtstt.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3167] command /c del "C:\WINDOWS\system32\vtstt.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6940] cmd /c del "C:\WINDOWS\system32\vtstt.dll_old"
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1188973442546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1188973356453
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 8505 bytes
 
Hello Rick

Welcome to Safer Networking.

Please read Before You Post
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Run these in order please.

Download VundoFix to your desktop

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please download SuperAntiSpyware
Install the program
  • Run SuperAntiSpyware and click: Check for updates
  • Once the update is finished, on the main screen, click: Scan your computer
  • Check: Perform Complete Scan
  • Click Next to start the scan.
Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
  • Click: Preferences
  • Click the Statistics/Logs tab
  • Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad).

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.

Download ComboFix from Here or Here to your Desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

I need to see the VundoFix log, the SAS log, the ComboFix log and a new HJT log please. The reports will most likely not all fit in one reply, so take as many as you need to post them all. Use SUBMIT REPLY and NOT START A NEW TOPIC.
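The helper's reading of the HijackThis log above (the F3 win.ini load= line, the O4 [603c7117] rundll32 entry, the Spybot RunOnce deletions, and the running processes with a space before .exe) can be turned into a repeatable check. The Python triage script below is an added example, not part of this thread or of any tool it names; its rules are heuristics, and the sample log lines are constructed after the thread's own entries.

```python
"""Triage a HijackThis (HJT) log for the persistence patterns seen in this thread.

Added example: this is not code from the forum thread or from any tool named
in it. The rules are heuristics modelled on the log entries the helper reacted
to; the function names and the sample lines are constructed for this example.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (reason, offending log line)

# Constructed sample, modelled on the entries in the thread's first HJT log.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Digidesign\Drivers\MMERefresh .exe
C:\Program Files\iTunes\iTunesHelper.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\vtstt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [603c7117] rundll32.exe "C:\WINDOWS\system32\aftteios.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingC1401] cmd /c del "C:\WINDOWS\system32\vtstt.dll"
"""

# F-series entries: programs launched through the legacy win.ini load=/run= lines.
WININI_RE = re.compile(r"^F[0-3] - REG:win\.ini: (?P<line>load|run)=(?P<path>.+)$", re.I)
# O4 autorun entries have the shape: O4 - HKLM\..\Run: [ValueName] command
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$", re.I
)
# rundll32 started on a DLL that lives directly in system32
RUNDLL_SYS32_RE = re.compile(r'rundll32(\.exe)?\s+"?[^"]*\\system32\\[^"\\]+\.dll"?', re.I)
# A file name with a space right before its extension, e.g. "MMERefresh .exe"
SPACED_EXT_RE = re.compile(r"^(?P<stem>.+?) (?P<ext>\.exe)$", re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,}$", re.I)


def parse_sections(log: str) -> Tuple[List[str], List[str]]:
    """Split an HJT log into its 'Running processes' paths and its keyed (R0/F3/O4...) lines."""
    processes: List[str] = []
    entries: List[str] = []
    in_procs = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line closes the process block
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
        elif re.match(r"^[A-Z]\d+ - ", line):
            entries.append(line)
    return processes, entries


def triage(log: str) -> List[Finding]:
    """Return (reason, line) pairs for the entries worth a closer look."""
    processes, entries = parse_sections(log)
    findings: List[Finding] = []

    # 1. A running image named like a legitimate one but with a space before ".exe".
    #    The thread's log shows such twins next to the real MMERefresh.exe, iTunesHelper.exe, etc.
    normal_names = {p.lower() for p in processes}
    for proc in processes:
        m = SPACED_EXT_RE.match(proc)
        if not m:
            continue
        reason = "process name has a space before its extension"
        if (m.group("stem") + m.group("ext")).lower() in normal_names:
            reason += " and a normally named twin is also running"
        findings.append((reason, proc))

    for entry in entries:
        # 2. win.ini load=/run= launchers: legitimate software rarely uses them on XP.
        m = WININI_RE.match(entry)
        if m:
            findings.append(("win.ini %s= launcher (F3 entry)" % m.group("line").lower(), entry))
            continue
        m = O4_RE.match(entry)
        if not m:
            continue
        name, cmd, key = m.group("name"), m.group("cmd"), m.group("key").lower()
        # 3. rundll32 loading a DLL straight out of system32 is how the thread's [603c7117] entry ran.
        if RUNDLL_SYS32_RE.search(cmd):
            findings.append(("Run value starts rundll32 on a DLL in system32", entry))
        # 4. A Run value whose name is just hex digits carries no product name to vouch for it.
        if HEX_NAME_RE.match(name):
            findings.append(("Run value name is a bare hex string", entry))
        # 5. Spybot's pending RunOnce deletions mean a previous clean-up did not finish.
        if key == "runonce" and name.lower().startswith("spybotdeleting"):
            findings.append(("Spybot scheduled a file deletion that has not completed yet", entry))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print("%-75s <- %s" % (reason, line))
```

Run against a real HJT log by reading the file into `triage()`; every flagged line still needs a human to check the file on disk, as the helper did here, before anything is removed.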
 
I ran VundoFix and SuperAntiSpyware, but ComboFix will not launch. The error reads "not a valid Win file" when I try to launch it from my desktop. Here is the Vundo report. I will post the SAS and HJT reports in a minute.
Thank you.


VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Scan started at 12:24:01 2008-02-04

Listing files found while scanning....

C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
C:\WINDOWS\system32\afpkpjhv.dll
C:\WINDOWS\system32\asrsjqvk.dll
C:\WINDOWS\system32\cmdefvuw.dll
C:\WINDOWS\system32\htogcfml.dll
C:\WINDOWS\system32\ilxuahwq.ini
C:\WINDOWS\system32\kgfdgulu.dll
C:\windows\system32\kgfdgulu.dllbox
C:\WINDOWS\system32\kjrhfgqn.dll
C:\WINDOWS\system32\lhcskgjl.dll
C:\WINDOWS\system32\ljgkschl.ini
C:\WINDOWS\system32\lmfcgoth.ini
C:\WINDOWS\system32\obmrrftf.dll
C:\WINDOWS\system32\qwhauxli.dll
C:\WINDOWS\system32\rsosveyd.dll
C:\WINDOWS\system32\uwjnnrxl.dll
C:\windows\system32\uwjnnrxl.dllbox
C:\WINDOWS\system32\vhjpkpfa.ini
C:\WINDOWS\system32\vtstt.dll
C:\WINDOWS\system32\vtstt.exe
C:\WINDOWS\system32\xustaikt.dll

Beginning removal...

Attempting to delete C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\afpkpjhv.dll
C:\WINDOWS\system32\afpkpjhv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\asrsjqvk.dll
C:\WINDOWS\system32\asrsjqvk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cmdefvuw.dll
C:\WINDOWS\system32\cmdefvuw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\htogcfml.dll
C:\WINDOWS\system32\htogcfml.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ilxuahwq.ini
C:\WINDOWS\system32\ilxuahwq.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\kgfdgulu.dll
C:\WINDOWS\system32\kgfdgulu.dll Has been deleted!

Attempting to delete C:\windows\system32\kgfdgulu.dllbox
C:\windows\system32\kgfdgulu.dllbox Has been deleted!

Attempting to delete C:\WINDOWS\system32\kjrhfgqn.dll
C:\WINDOWS\system32\kjrhfgqn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lhcskgjl.dll
C:\WINDOWS\system32\lhcskgjl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljgkschl.ini
C:\WINDOWS\system32\ljgkschl.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\lmfcgoth.ini
C:\WINDOWS\system32\lmfcgoth.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\obmrrftf.dll
C:\WINDOWS\system32\obmrrftf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qwhauxli.dll
C:\WINDOWS\system32\qwhauxli.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rsosveyd.dll
C:\WINDOWS\system32\rsosveyd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uwjnnrxl.dll
C:\WINDOWS\system32\uwjnnrxl.dll Has been deleted!

Attempting to delete C:\windows\system32\uwjnnrxl.dllbox
C:\windows\system32\uwjnnrxl.dllbox Has been deleted!

Attempting to delete C:\WINDOWS\system32\vhjpkpfa.ini
C:\WINDOWS\system32\vhjpkpfa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtstt.dll
C:\WINDOWS\system32\vtstt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtstt.exe
C:\WINDOWS\system32\vtstt.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\xustaikt.dll
C:\WINDOWS\system32\xustaikt.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.8

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Scan started at 11:01:20 2008-02-14

Listing files found while scanning....

C:\WINDOWS\system32\aftteios.dll
C:\WINDOWS\system32\cgrbcmoq.dll
C:\WINDOWS\system32\csikoyfj.dll
C:\WINDOWS\system32\eorpvgjd.dll
C:\WINDOWS\system32\etxvessu.dll
C:\windows\system32\etxvessu.dllbox
C:\WINDOWS\system32\hyukkcqv.dll
C:\WINDOWS\system32\iepwosfa.dll
C:\WINDOWS\system32\jfyokisc.ini
C:\WINDOWS\system32\jwgaffgv.dll
C:\WINDOWS\system32\kilhofrp.dll
C:\WINDOWS\system32\lnomvhwv.dll
C:\WINDOWS\system32\retnurlv.dll
C:\WINDOWS\system32\soiettfa.ini
C:\WINDOWS\system32\tobihgto.dll
C:\WINDOWS\system32\ttstv.ini
C:\WINDOWS\system32\ttstv.ini2
C:\WINDOWS\system32\vjlyqcij.dll
C:\WINDOWS\system32\vtstt.dll
C:\WINDOWS\system32\vtstt.exe
C:\WINDOWS\system32\xosjpogq.dll
C:\WINDOWS\system32\xrgxqlss.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\aftteios.dll
C:\WINDOWS\system32\aftteios.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cgrbcmoq.dll
C:\WINDOWS\system32\cgrbcmoq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\csikoyfj.dll
C:\WINDOWS\system32\csikoyfj.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\eorpvgjd.dll
C:\WINDOWS\system32\eorpvgjd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\etxvessu.dll
C:\WINDOWS\system32\etxvessu.dll Could not be deleted.

Attempting to delete C:\windows\system32\etxvessu.dllbox
C:\windows\system32\etxvessu.dllbox Has been deleted!

Attempting to delete C:\WINDOWS\system32\hyukkcqv.dll
C:\WINDOWS\system32\hyukkcqv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iepwosfa.dll
C:\WINDOWS\system32\iepwosfa.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jfyokisc.ini
C:\WINDOWS\system32\jfyokisc.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jwgaffgv.dll
C:\WINDOWS\system32\jwgaffgv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kilhofrp.dll
C:\WINDOWS\system32\kilhofrp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lnomvhwv.dll
C:\WINDOWS\system32\lnomvhwv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\retnurlv.dll
C:\WINDOWS\system32\retnurlv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\soiettfa.ini
C:\WINDOWS\system32\soiettfa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\tobihgto.dll
C:\WINDOWS\system32\tobihgto.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttstv.ini
C:\WINDOWS\system32\ttstv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttstv.ini2
C:\WINDOWS\system32\ttstv.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\vjlyqcij.dll
C:\WINDOWS\system32\vjlyqcij.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtstt.dll
C:\WINDOWS\system32\vtstt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtstt.exe
C:\WINDOWS\system32\vtstt.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\xosjpogq.dll
C:\WINDOWS\system32\xosjpogq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xrgxqlss.dll
C:\WINDOWS\system32\xrgxqlss.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\csikoyfj.dll
C:\WINDOWS\system32\csikoyfj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\etxvessu.dll
C:\WINDOWS\system32\etxvessu.dll Has been deleted!

Attempting to delete C:\windows\system32\etxvessu.dllbox
C:\windows\system32\etxvessu.dllbox Has been deleted!

Performing Repairs to the registry.
Done!
 
SAS Part 1:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/14/2008 at 11:59 AM

Application Version : 3.9.1008

Core Rules Database Version : 3402
Trace Rules Database Version: 1394

Scan type : Complete Scan
Total Scan Time : 00:36:37

Memory items scanned : 382
Memory threats detected : 9
Registry items scanned : 6945
Registry threats detected : 28
File items scanned : 53652
File threats detected : 266

Trojan.WinFixer
C:\WINDOWS\SYSTEM32\VTSTT.DLL
C:\WINDOWS\SYSTEM32\VTSTT.DLL
HKLM\Software\Classes\CLSID\{A2539071-A21B-4ADF-8A42-03FE709A3FA4}
HKCR\CLSID\{A2539071-A21B-4ADF-8A42-03FE709A3FA4}
HKCR\CLSID\{A2539071-A21B-4ADF-8A42-03FE709A3FA4}\InprocServer32
HKCR\CLSID\{A2539071-A21B-4ADF-8A42-03FE709A3FA4}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A2539071-A21B-4ADF-8A42-03FE709A3FA4}

Adware.Vundo-Variant/Small-A
C:\WINDOWS\SYSTEM32\QMVCETEF.DLL
C:\WINDOWS\SYSTEM32\QMVCETEF.DLL
HKLM\Software\Classes\CLSID\{54fe1af9-4262-42a0-9250-83fbd803e8b5}
HKCR\CLSID\{54FE1AF9-4262-42A0-9250-83FBD803E8B5}
HKCR\CLSID\{54FE1AF9-4262-42A0-9250-83FBD803E8B5}\InprocServer32
HKCR\CLSID\{54FE1AF9-4262-42A0-9250-83FBD803E8B5}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\HXYINCXF.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54fe1af9-4262-42a0-9250-83fbd803e8b5}
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001223.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001224.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001225.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001227.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001231.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001232.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001234.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001235.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001238.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001239.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001248.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP3\A0000133.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP5\A0000726.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP5\A0000727.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP5\A0000804.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001044.DLL

Trojan.Vundo/Variant-Installer/A
C:\PROGRAM FILES\DIGIDESIGN\DRIVERS\MMEREFRESH.EXE
C:\PROGRAM FILES\DIGIDESIGN\DRIVERS\MMEREFRESH.EXE
C:\PROGRAM FILES\MEDIAFOUR\MACDRIVE\MDDISKPROTECT.EXE
C:\PROGRAM FILES\MEDIAFOUR\MACDRIVE\MDDISKPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\MEDIAFOUR\MACVNTFY.EXE
C:\PROGRAM FILES\COMMON FILES\MEDIAFOUR\MACVNTFY.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 8.0\ACROBAT\ACROTRAY.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 8.0\ACROBAT\ACROTRAY.EXE
C:\PROGRAM FILES\ITUNES\ITUNESHELPER.EXE
C:\PROGRAM FILES\ITUNES\ITUNESHELPER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE12\GROOVEMONITOR.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE12\GROOVEMONITOR.EXE
[MDDiskProtect.exe] C:\PROGRAM FILES\MEDIAFOUR\MACDRIVE\MDDISKPROTECT.EXE
[Mediafour Mac Volume Notifications] C:\PROGRAM FILES\COMMON FILES\MEDIAFOUR\MACVNTFY.EXE
[DigidesignMMERefresh] C:\PROGRAM FILES\DIGIDESIGN\DRIVERS\MMEREFRESH.EXE
[AdobeUpdater] C:\PROGRAM FILES\COMMON FILES\ADOBE\UPDATER5\ADOBEUPDATER.EXE
C:\PROGRAM FILES\COMMON FILES\ADOBE\UPDATER5\ADOBEUPDATER.EXE
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX12.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX13.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX15.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX158.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX15B.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX15E.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX161.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX164.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX16A.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX16D.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX17.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX170.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX1B.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX1C.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX1E.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX1F.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX22.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX24.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX27.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX2A.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX40D.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX410.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX413.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX416.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX419.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX425.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX6.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX61C.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX61F.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX622.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX625.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX628.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX62E.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX631.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX634.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX666.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX669.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX66C.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX66F.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX672.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX678.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX67B.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX67E.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCX9.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA10.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA3E.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA41.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA44.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA47.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA4A.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA50.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA53.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA56.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA67.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA6A.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA6D.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA70.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA73.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA79.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA7C.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXA7F.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXC1C.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXC26.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXC34.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXC3F.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXC58.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXC7F.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXC8D.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXC96.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXD.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXD02.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXD14.TMP
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RCXE.TMP
C:\PROGRAM FILES\QUICKTIME ALTERNATIVE\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME ALTERNATIVE\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME ALTERNATIVE\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME ALTERNATIVE\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME ALTERNATIVE\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME ALTERNATIVE\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME ALTERNATIVE\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME ALTERNATIVE\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME ALTERNATIVE\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME ALTERNATIVE\QTTASK.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP1\A0000011.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP1\A0000013.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP1\A0000014.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP1\A0000015.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP1\A0000016.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP1\A0000018.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP1\A0000019.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001241.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001259.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001262.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001263.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001264.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001265.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001266.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001267.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001268.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\SNAPSHOT\MFEX-2.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP3\A0000137.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP3\A0000139.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP3\A0000140.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP3\A0000141.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP3\A0000142.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP3\A0000143.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP3\A0000144.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP3\A0000145.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP4\A0000203.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP4\A0000204.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP4\A0000205.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP4\A0000206.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP4\A0000207.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP4\A0000208.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP4\A0000209.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP4\A0000210.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP5\A0000744.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP5\A0000746.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP5\A0000747.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP5\A0000748.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP5\A0000749.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP5\A0000752.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP6\A0000865.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP6\A0000866.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP6\A0000867.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP6\A0000868.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP6\A0000869.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP6\A0000870.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP6\A0000871.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP6\A0000872.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001063.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001064.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001066.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001067.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001068.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001069.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001070.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001071.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001111.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001113.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001114.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001115.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001116.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001117.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001118.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001119.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001129.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001131.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001132.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001133.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001134.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001135.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001136.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001137.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001206.EXE
C:\VUNDOFIX BACKUPS\MSCONFIG.EXE.BAD
C:\WINDOWS\INSTALLER\$PATCHCACHE$\MANAGED\00002109030000000000000000F01FEC\12.0.4518\GROOVEMONITOR.EXE
C:\WINDOWS\Prefetch\ACROTRAY.EXE-075AD37A.pf
C:\WINDOWS\Prefetch\E_S4I2H1.EXE-1F5C1C4D.pf
C:\WINDOWS\Prefetch\MACVNTFY.EXE-355842C7.pf
C:\WINDOWS\Prefetch\MDDISKPROTECT.EXE-1273016D.pf
 
SAS Part 2:

Trojan.Vundo/Variant-Installer
[load] C:\WINDOWS\SYSTEM32\VTSTT.EXE
C:\WINDOWS\SYSTEM32\VTSTT.EXE
[load] C:\WINDOWS\SYSTEM32\VTSTT.EXE
[load] C:\WINDOWS\SYSTEM32\VTSTT.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001237.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP3\A0000147.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP5\A0000754.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP6\A0000873.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001072.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001120.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001138.EXE
C:\VUNDOFIX BACKUPS\VTSTT.EXE.BAD
C:\WINDOWS\SYSTEM32\RCX426.TMP
C:\WINDOWS\SYSTEM32\RCXD15.TMP

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\IFGNXVWS.DLL
E:\DELETE ME\WINDOWS\SYSTEM32\ROSDZOP.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@specificclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@msnaccountservices.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@sale.antispywaresuite[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@citi.bridgetrack[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@statsgod[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@advertpro.investorvillage[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@antispywaresuite[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@findwhat[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@sonymediasoftware.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@cpvfeed[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.specificclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.euroclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@bizadverts[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.cnn[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@ad.yieldmanager[2].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@adecn[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@advertising[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@atdmt[2].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@azjmp[2].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@buycom.122.2o7[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@counter2.hitslink[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@doubleclick[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@fastclick[2].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@findwhat[2].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@heavycom.122.2o7[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@hg1.hitbox[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@hitbox[2].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@media.fastclick[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@overture[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@pro-market[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@questionmarket[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@revsci[2].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@server.iad.liveperson[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@shopping.112.2o7[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@stat.dealtime[2].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@statcounter[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@tacoda[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@toseeka[2].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@traffic.buyservices[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@upspiral[2].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@web4.realtracker[1].txt
E:\Delete me\WINDOWS\system32\config\systemprofile\Cookies\system@www.upspiral[1].txt

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP1\A0000002.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP10\A0001236.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP5\A0000800.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D79FD8C5-DD7F-4A69-A589-FFEB6B53D266}\RP9\A0001102.DLL

Trojan.IP6FW/Rootkit
E:\DELETE ME\WINDOWS\$NTSERVICEPACKUNINSTALL$\IP6FW.SYS

Trojan.Unknown Origin
E:\DELETE ME\WINDOWS\SYSTEM32\AMMAAAAA.EXE

Worm.Alcra Variant
E:\DELETE ME\WINDOWS\SYSTEM32\CMD.COM
E:\DELETE ME\WINDOWS\SYSTEM32\PING.COM
E:\DELETE ME\WINDOWS\SYSTEM32\TASKLIST.COM
E:\DELETE ME\WINDOWS\SYSTEM32\TRACERT.COM

Trojan.Flx/Conhook
E:\DELETE ME\WINDOWS\SYSTEM32\COMPONENTS\FLX4.DLL

Malware.Notifier
E:\DELETE ME\WINDOWS\SYSTEM32\ISSEARCH.EXE

Trojan.RPCC
E:\DELETE ME\WINDOWS\SYSTEM32\RPCC.EXE

Trojan.Net-K163
E:\RECYCLER\NPROTECT\00000003.SYS

Trojan.Downloader-SysMon
E:\RECYCLER\NPROTECT\00000004.EXE

Trace.Known Threat Sources
E:\Delete me\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8PMZ8LMN\144[1].htm
 
HJT Report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:33, on 2008-02-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\vtstt.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on ANTEC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P44 "Auto EPSON Stylus Photo R200 Series on ANTEC" /O16 "\\ANTEC\Printer2" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [603c7117] rundll32.exe "C:\WINDOWS\system32\qmvcetef.dll",b
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1188973442546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1188973356453
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ifgnxvws - ifgnxvws.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - C:\Program Files\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 8046 bytes
 
I just realized my Vundo report also contains info from when I ran it last week. I don't know how to edit the post.
Thank you,
Rick
 
Rick,

Vundo and SAS removed some Naaaaassty stuff; there's more to do. Drag ComboFix to the Trash, grab a new copy, and run it this way.

Download ComboFix from Here or Here to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.


1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
  • Click on this link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection afterwards, before connecting to the net.
2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
  • If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
  • If there is no Internet connection when ComboFix has completely finished, restart your computer to restore the connection.
3. Now double-click on combofix.exe and follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall or freeze.
 
OK, how does this look? ComboFix report:

ComboFix 08-02-15.1 - Administrator 2008-02-14 14:55:34.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1759 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\gykqichb.ini
C:\WINDOWS\system32\hnvltann.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ptpiikof.ini
C:\WINDOWS\system32\qgopjsox.ini
C:\WINDOWS\system32\sbcoyqwr.ini
C:\WINDOWS\system32\shopvqlc.ini
C:\WINDOWS\system32\ttstv.ini
C:\WINDOWS\system32\ttstv.ini2

.
((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.

2008-02-14 11:20 . 2008-02-14 12:25 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-14 11:20 . 2008-02-14 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-14 11:20 . 2008-02-14 11:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-14 11:19 . 2008-02-14 11:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-14 11:19 . 2008-02-14 11:19 294 ---hs---- C:\WINDOWS\system32\fetecvmq.ini
2008-02-13 17:53 . 2008-02-13 17:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 12:28 . 2008-02-13 12:28 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-13 12:28 . 2008-02-13 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-10 00:29 . 2008-02-10 00:20 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-10 00:29 . 2008-02-10 00:29 3,453 --a------ C:\WINDOWS\unins000.dat
2008-02-04 12:24 . 2008-02-14 11:13 <DIR> d-------- C:\VundoFix Backups
2008-02-02 11:39 . 2008-02-02 17:33 <DIR> d-------- C:\Temp Refill Temp
2008-01-20 19:56 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-19 09:23 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-01-19 09:22 . 2008-01-19 09:22 <DIR> d-------- C:\Program Files\MSBuild
2008-01-19 09:22 . 2008-01-19 09:22 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-19 09:21 . 2008-01-19 09:21 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-19 09:19 . 2008-01-19 09:21 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-19 09:19 . 2008-01-19 09:19 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-01-19 09:19 . 2008-02-13 03:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-19 09:18 . 2008-01-19 09:18 <DIR> dr-h----- C:\MSOCache
2008-01-15 20:26 . 2008-01-15 20:26 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 22:59 --------- d-----w C:\Program Files\Common Files\Mediafour
2008-02-14 20:07 --------- d-----w C:\Program Files\iTunes
2008-02-14 19:16 --------- d-----w C:\Program Files\QuickTime Alternative
2008-02-14 18:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-02-12 03:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Digidesign
2008-02-10 10:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-10 08:30 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-23 18:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-09 09:07 --------- d-----w C:\Program Files\FLVPlayer
2008-01-09 09:05 --------- d-----w C:\Program Files\PowerISO
2008-01-09 01:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\iShell
2008-01-03 02:32 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Propellerhead Software
2008-01-03 01:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-03 01:27 --------- d-----w C:\Program Files\M-Audio
2007-12-31 07:36 --------- d-----w C:\Program Files\Azureus
2007-12-21 08:10 --------- d-----w C:\Program Files\Red Kawa
2007-12-21 08:10 --------- d-----w C:\Program Files\AviSynth 2.5
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-16 21:37 --------- d-----w C:\Program Files\Smartparts
2002-08-02 12:00 12,348 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.
----a-w         5,104,459 2002-07-20 02:45:08  C:\Documents and Settings\Administrator\Desktop\New Comp Synths\Native Instruments FM7 DXi-VSTi-works RH\NI FM7 Synth Native instruments .exe
----a-w           620,152 2008-02-14 19:16:23  C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w         2,321,600 2008-02-14 19:16:33  C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w            61,440 2008-02-14 19:16:22  C:\Program Files\Common Files\Mediafour\MACVNTFY .EXE
----a-w            61,440 2008-02-14 19:16:13  C:\Program Files\Digidesign\Drivers\MMERefresh .exe
----a-w           267,048 2008-02-14 19:16:27  C:\Program Files\iTunes\iTunesHelper .exe
----a-w           106,496 2008-02-14 19:16:23  C:\Program Files\Mediafour\MacDrive\MDDiskProtect .exe
----a-w            33,648 2008-02-14 19:16:28  C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
----a-w           169,984 2008-02-01 01:33:46  C:\WINDOWS\pchealth\helpctr\binaries\msconfig .exe
----a-w            99,840 2008-02-14 19:16:23  C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I2H1 .EXE


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{A08FB30D-51C4-4E54-AA5E-FF18739802EA}]
@=Mediafour Mac Volume Icons

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\QTTask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [ ]
"Auto EPSON Stylus Photo R200 Series on ANTEC"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"603c7117"="C:\WINDOWS\system32\qmvcetef.dll" [ ]
"MDDiskProtect.exe"="C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-15 12:54 106496]
"Mediafour Mac Volume Notifications"="C:\Program Files\Common Files\Mediafour\MACVNTFY.exe" [2002-12-17 12:43 61440]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\603c7117]
C:\WINDOWS\system32\cdiooidh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 17:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\vtstt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft]
C:\WINDOWS\temp\lsass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 16:05 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime Alternative\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-10-30 18:49 16269312 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-16 17:04 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Updates]
c:\windows\system\Update.exe

R0 DigiFilter;DigiFilter;C:\WINDOWS\system32\drivers\DigiFilt.sys [2006-11-13 20:38]
R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys [2006-04-30 06:57]
R1 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys [2006-06-16 08:53]
R2 DigiNet;Digidesign Ethernet Support;C:\WINDOWS\system32\DRIVERS\diginet.sys [2006-11-13 20:38]
R3 dalwdmservice;dal service;C:\WINDOWS\system32\drivers\dalwdm.sys [2006-11-13 20:36]
R3 MBX2DFU;MBX2DFU;C:\WINDOWS\system32\DRIVERS\MBX2DFU.sys [2006-11-13 20:37]
R3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;C:\WINDOWS\system32\drivers\mbx2midk.sys [2006-11-13 20:37]
S3 MA_CMIDI;M-Audio USB Driver;C:\WINDOWS\system32\drivers\ma_cmidi.sys [2007-11-14 16:20]
S3 UKS11LDR;M-Audio USB Keystation Loader;C:\WINDOWS\system32\drivers\uks11ldr.sys [2007-11-14 16:20]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\ONSPCLCK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fdbb270-7822-11dc-afc5-00301b44c162}]
\Shell\AutoRun\command - N:\ONSPCLCK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-13 17:50:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 14:59:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-15 15:01:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-15 23:01:12
.
2008-02-13 11:05:13 --- E O F ---
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:20, on 2008-02-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on ANTEC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P44 "Auto EPSON Stylus Photo R200 Series on ANTEC" /O16 "\\ANTEC\Printer2" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [603c7117] rundll32.exe "C:\WINDOWS\system32\qmvcetef.dll",b
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1188973442546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1188973356453
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - C:\Program Files\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 7979 bytes
 
Hello Rick,

You have the latest variant of Vundo, which includes a File Infector. If you look at your ComboFix log, all the files and programs in the blue Code box are infected; we need to fix them.

Open Notepad and copy all the text inside the Code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above RenV::

Code:
RenV::
----a-w         5,104,459 2002-07-20 02:45:08  C:\Documents and Settings\Administrator\Desktop\New Comp Synths\Native Instruments FM7 DXi-VSTi-works RH\NI FM7 Synth Native instruments .exe
----a-w           620,152 2008-02-14 19:16:23  C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w         2,321,600 2008-02-14 19:16:33  C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w            61,440 2008-02-14 19:16:22  C:\Program Files\Common Files\Mediafour\MACVNTFY .EXE
----a-w            61,440 2008-02-14 19:16:13  C:\Program Files\Digidesign\Drivers\MMERefresh .exe
----a-w           267,048 2008-02-14 19:16:27  C:\Program Files\iTunes\iTunesHelper .exe
----a-w           106,496 2008-02-14 19:16:23  C:\Program Files\Mediafour\MacDrive\MDDiskProtect .exe
----a-w            33,648 2008-02-14 19:16:28  C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
----a-w           169,984 2008-02-01 01:33:46  C:\WINDOWS\pchealth\helpctr\binaries\msconfig .exe
----a-w            99,840 2008-02-14 19:16:23  C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I2H1 .EXE

File::
C:\WINDOWS\system32\fetecvmq.ini
C:\WINDOWS\system32\cdiooidh.dll
C:\WINDOWS\system32\vtstt.exe

Folder::
C:\VundoFix Backups

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"603c7117"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\603c7117]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif



This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.
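The two checks a helper does by eye in this reply can be automated: every path under RenV:: has whitespace squeezed in before its extension ("Acrotray .exe" beside the real "Acrotray.exe" in the running-process list), and the script itself must start with the section header on its very first line. The following is an added example, not code from the thread or from ComboFix; it parses a CFScript into its "Name::" sections and scans listing lines for executables whose basename has a space before the extension, pairing each with its clean twin if one appears in the same listing. The sample listing and sample script below are constructed from paths quoted in this thread, and the function and regex names are mine.

```python
import re

# "RenV::", "File::", "Registry::" ... on a line of their own, no leading whitespace
SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
# first Windows drive path on a line (ComboFix RenV lines carry attrs/size/date first)
WINPATH_RE = re.compile(r"[A-Za-z]:\\[^\r\n]*")
# basename with whitespace between the stem and the extension, e.g. "Acrotray .exe"
SPACED_EXT_RE = re.compile(r"^(?P<stem>.*\S)\s+(?P<ext>\.[A-Za-z0-9]+)$")

# Constructed sample: ComboFix RenV-style lines and HijackThis "Running processes"
# lines, using paths that appear in this thread.
SAMPLE_LISTING = r"""
----a-w           620,152 2008-02-14 19:16:23  C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w            61,440 2008-02-14 19:16:22  C:\Program Files\Common Files\Mediafour\MACVNTFY .EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\WINDOWS\system32\svchost.exe
"""

# Constructed sample CFScript in the layout the reply above asks for.
SAMPLE_CFSCRIPT = r"""RenV::
----a-w           620,152 2008-02-14 19:16:23  C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w            61,440 2008-02-14 19:16:22  C:\Program Files\Common Files\Mediafour\MACVNTFY .EXE

File::
C:\WINDOWS\system32\fetecvmq.ini

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"603c7117"=-
"""


def extract_path(line):
    """Return the Windows path embedded in a listing line, or None."""
    m = WINPATH_RE.search(line)
    return m.group(0).rstrip() if m else None


def spaced_twin_name(path):
    """If the basename has whitespace before its extension, return the path the
    file would have without it (the legitimate name); otherwise None."""
    head, _, base = path.rpartition("\\")
    m = SPACED_EXT_RE.match(base)
    if not m:
        return None
    return f"{head}\\{m.group('stem')}{m.group('ext')}"


def find_spaced_executables(lines):
    """Flag every path with a space before its extension; report whether the
    clean-named twin is also present in the listing (case-insensitive)."""
    paths = [p for p in (extract_path(l) for l in lines) if p]
    known = {p.lower(): p for p in paths}
    findings = []
    for p in paths:
        twin = spaced_twin_name(p)
        if twin is not None:
            findings.append({"suspect": p, "twin": known.get(twin.lower())})
    return findings


def cfscript_header_ok(text):
    """True only if the first line is a section header with nothing before it,
    which is the 'no space before and above RenV::' rule from the reply."""
    lines = text.splitlines()
    return bool(lines) and SECTION_RE.match(lines[0]) is not None


def parse_cfscript(text):
    """Split a CFScript into {section_name: [non-blank lines]}."""
    if not cfscript_header_ok(text):
        raise ValueError("CFScript must begin with a header such as RenV:: on line 1")
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line.strip():
            sections[current].append(line.rstrip())
    return sections


if __name__ == "__main__":
    for f in find_spaced_executables(SAMPLE_LISTING.splitlines()):
        print(f"suspect: {f['suspect']}\n   twin: {f['twin']}")
    for name, entries in parse_cfscript(SAMPLE_CFSCRIPT).items():
        print(f"{name}:: {len(entries)} entries")
```

Run it as a script to see the report; a twin of None means the listing only shows the spaced copy, so the clean name must be confirmed on disk rather than from the log. The same checks apply to the shorter CFScript given later in this thread.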
 
ComboFix 08-02-15.1 - Administrator 2008-02-14 17:06:47.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1629 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\cdiooidh.dll
C:\WINDOWS\system32\fetecvmq.ini
C:\WINDOWS\system32\vtstt.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\afpkpjhv.dll.bad
C:\VundoFix Backups\aftteios.dll.bad
C:\VundoFix Backups\asrsjqvk.dll.bad
C:\VundoFix Backups\cgrbcmoq.dll.bad
C:\VundoFix Backups\cmdefvuw.dll.bad
C:\VundoFix Backups\csikoyfj.dll.bad
C:\VundoFix Backups\eorpvgjd.dll.bad
C:\VundoFix Backups\etxvessu.dll.bad
C:\VundoFix Backups\etxvessu.dllbox.bad
C:\VundoFix Backups\htogcfml.dll.bad
C:\VundoFix Backups\hyukkcqv.dll.bad
C:\VundoFix Backups\iepwosfa.dll.bad
C:\VundoFix Backups\ifgnxvws.dllbox.bad
C:\VundoFix Backups\ilxuahwq.ini.bad
C:\VundoFix Backups\jfyokisc.ini.bad
C:\VundoFix Backups\jwgaffgv.dll.bad
C:\VundoFix Backups\kgfdgulu.dll.bad
C:\VundoFix Backups\kgfdgulu.dllbox.bad
C:\VundoFix Backups\kilhofrp.dll.bad
C:\VundoFix Backups\kjrhfgqn.dll.bad
C:\VundoFix Backups\lhcskgjl.dll.bad
C:\VundoFix Backups\ljgkschl.ini.bad
C:\VundoFix Backups\lmfcgoth.ini.bad
C:\VundoFix Backups\lnomvhwv.dll.bad
C:\VundoFix Backups\obmrrftf.dll.bad
C:\VundoFix Backups\qwhauxli.dll.bad
C:\VundoFix Backups\retnurlv.dll.bad
C:\VundoFix Backups\rsosveyd.dll.bad
C:\VundoFix Backups\soiettfa.ini.bad
C:\VundoFix Backups\sppewsoy.dll.bad
C:\VundoFix Backups\tobihgto.dll.bad
C:\VundoFix Backups\ttstv.ini.bad
C:\VundoFix Backups\ttstv.ini2.bad
C:\VundoFix Backups\uwjnnrxl.dll.bad
C:\VundoFix Backups\uwjnnrxl.dllbox.bad
C:\VundoFix Backups\vhjpkpfa.ini.bad
C:\VundoFix Backups\vjlyqcij.dll.bad
C:\VundoFix Backups\vtstt.dll.bad
C:\VundoFix Backups\xosjpogq.dll.bad
C:\VundoFix Backups\xrgxqlss.dll.bad
C:\VundoFix Backups\xustaikt.dll.bad
C:\WINDOWS\system32\fetecvmq.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.

2008-02-14 11:20 . 2008-02-14 12:25 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-14 11:20 . 2008-02-14 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-14 11:20 . 2008-02-14 11:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-14 11:19 . 2008-02-14 11:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-13 17:53 . 2008-02-13 17:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 12:28 . 2008-02-13 12:28 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-13 12:28 . 2008-02-13 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-10 00:29 . 2008-02-10 00:20 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-10 00:29 . 2008-02-10 00:29 3,453 --a------ C:\WINDOWS\unins000.dat
2008-02-02 11:39 . 2008-02-02 17:33 <DIR> d-------- C:\Temp Refill Temp
2008-01-20 19:56 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-19 09:23 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-01-19 09:22 . 2008-01-19 09:22 <DIR> d-------- C:\Program Files\MSBuild
2008-01-19 09:22 . 2008-01-19 09:22 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-19 09:21 . 2008-01-19 09:21 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-19 09:19 . 2008-01-19 09:21 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-19 09:19 . 2008-01-19 09:19 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-01-19 09:19 . 2008-02-13 03:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-19 09:18 . 2008-01-19 09:18 <DIR> dr-h----- C:\MSOCache
2008-01-15 20:26 . 2008-01-15 20:26 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 01:08 --------- d-----w C:\Program Files\Common Files\Mediafour
2008-02-15 01:06 --------- d-----w C:\Program Files\iTunes
2008-02-14 19:16 --------- d-----w C:\Program Files\QuickTime Alternative
2008-02-14 18:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-02-12 03:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Digidesign
2008-02-10 10:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-10 08:30 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-23 18:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-09 09:07 --------- d-----w C:\Program Files\FLVPlayer
2008-01-09 09:05 --------- d-----w C:\Program Files\PowerISO
2008-01-09 01:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\iShell
2008-01-03 02:32 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Propellerhead Software
2008-01-03 01:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-03 01:27 --------- d-----w C:\Program Files\M-Audio
2007-12-31 07:36 --------- d-----w C:\Program Files\Azureus
2007-12-21 08:10 --------- d-----w C:\Program Files\Red Kawa
2007-12-21 08:10 --------- d-----w C:\Program Files\AviSynth 2.5
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-16 21:37 --------- d-----w C:\Program Files\Smartparts
2002-08-02 12:00 12,348 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.
Code:
<pre>
----a-w         2,321,600 2008-02-14 19:16:33  C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w            61,440 2008-02-14 19:16:22  C:\Program Files\Common Files\Mediafour\MACVNTFY .EXE
----a-w           106,496 2008-02-14 19:16:23  C:\Program Files\Mediafour\MacDrive\MDDiskProtect .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{A08FB30D-51C4-4E54-AA5E-FF18739802EA}]
@=Mediafour Mac Volume Icons

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\QTTask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [ ]
"Auto EPSON Stylus Photo R200 Series on ANTEC"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"MDDiskProtect.exe"="C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-15 12:54 106496]
"Mediafour Mac Volume Notifications"="C:\Program Files\Common Files\Mediafour\MACVNTFY.exe" [2002-12-17 12:43 61440]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 17:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft]
C:\WINDOWS\temp\lsass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 16:05 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime Alternative\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-10-30 18:49 16269312 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-16 17:04 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Updates]
c:\windows\system\Update.exe

R0 DigiFilter;DigiFilter;C:\WINDOWS\system32\drivers\DigiFilt.sys [2006-11-13 20:38]
R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys [2006-04-30 06:57]
R1 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys [2006-06-16 08:53]
R2 DigiNet;Digidesign Ethernet Support;C:\WINDOWS\system32\DRIVERS\diginet.sys [2006-11-13 20:38]
R3 dalwdmservice;dal service;C:\WINDOWS\system32\drivers\dalwdm.sys [2006-11-13 20:36]
R3 MBX2DFU;MBX2DFU;C:\WINDOWS\system32\DRIVERS\MBX2DFU.sys [2006-11-13 20:37]
R3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;C:\WINDOWS\system32\drivers\mbx2midk.sys [2006-11-13 20:37]
S3 MA_CMIDI;M-Audio USB Driver;C:\WINDOWS\system32\drivers\ma_cmidi.sys [2007-11-14 16:20]
S3 UKS11LDR;M-Audio USB Keystation Loader;C:\WINDOWS\system32\drivers\uks11ldr.sys [2007-11-14 16:20]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\ONSPCLCK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fdbb270-7822-11dc-afc5-00301b44c162}]
\Shell\AutoRun\command - N:\ONSPCLCK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-13 17:50:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-14 17:08:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-02-14 17:10:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-15 01:10:48
ComboFix2.txt 2008-02-15 23:01:15
.
2008-02-13 11:05:13 --- E O F ---
 
VundoFix V6.7.8

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Scan started at 12:38:17 2008-02-14

Listing files found while scanning....

C:\windows\system32\ifgnxvws.dllbox
C:\WINDOWS\system32\sppewsoy.dll

Beginning removal...

Attempting to delete C:\windows\system32\ifgnxvws.dllbox
C:\windows\system32\ifgnxvws.dllbox Has been deleted!

Attempting to delete C:\WINDOWS\system32\sppewsoy.dll
C:\WINDOWS\system32\sppewsoy.dll Has been deleted!

Performing Repairs to the registry.
Done!
 
Please download ATF Cleaner by Atribune to your desktop.
  • This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.


Open Notepad and copy all the text inside the Code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above RenV::

Code:
RenV::
----a-w         2,321,600 2008-02-14 19:16:33  C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w            61,440 2008-02-14 19:16:22  C:\Program Files\Common Files\Mediafour\MACVNTFY .EXE
----a-w           106,496 2008-02-14 19:16:23  C:\Program Files\Mediafour\MacDrive\MDDiskProtect .exe

File::
C:\WINDOWS\temp\lsass.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft]

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif



This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.
 
ComboFix 08-02-15.1 - Administrator 2008-02-14 23:45:02.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1645 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\temp\lsass.exe
.

((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.

2008-02-14 11:20 . 2008-02-14 12:25 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-14 11:20 . 2008-02-14 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-14 11:20 . 2008-02-14 11:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-14 11:19 . 2008-02-14 11:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-13 17:53 . 2008-02-13 17:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 12:28 . 2008-02-13 12:28 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-13 12:28 . 2008-02-13 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-10 00:29 . 2008-02-10 00:20 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-10 00:29 . 2008-02-10 00:29 3,453 --a------ C:\WINDOWS\unins000.dat
2008-02-02 11:39 . 2008-02-02 17:33 <DIR> d-------- C:\Temp Refill Temp
2008-01-20 19:56 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-19 09:23 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-01-19 09:22 . 2008-01-19 09:22 <DIR> d-------- C:\Program Files\MSBuild
2008-01-19 09:22 . 2008-01-19 09:22 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-19 09:21 . 2008-01-19 09:21 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-19 09:19 . 2008-01-19 09:21 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-19 09:19 . 2008-01-19 09:19 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-01-19 09:19 . 2008-02-13 03:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-19 09:18 . 2008-01-19 09:18 <DIR> dr-h----- C:\MSOCache
2008-01-15 20:26 . 2008-01-15 20:26 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 07:46 --------- d-----w C:\Program Files\Common Files\Mediafour
2008-02-15 01:08 --------- d-----w C:\Program Files\iTunes
2008-02-14 19:16 --------- d-----w C:\Program Files\QuickTime Alternative
2008-02-14 18:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-02-12 03:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Digidesign
2008-02-10 10:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-10 08:30 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-23 18:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-09 09:07 --------- d-----w C:\Program Files\FLVPlayer
2008-01-09 09:05 --------- d-----w C:\Program Files\PowerISO
2008-01-09 01:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\iShell
2008-01-03 02:32 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Propellerhead Software
2008-01-03 01:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-03 01:27 --------- d-----w C:\Program Files\M-Audio
2007-12-31 07:36 --------- d-----w C:\Program Files\Azureus
2007-12-21 08:10 --------- d-----w C:\Program Files\Red Kawa
2007-12-21 08:10 --------- d-----w C:\Program Files\AviSynth 2.5
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-16 21:37 --------- d-----w C:\Program Files\Smartparts
2002-08-02 12:00 12,348 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.
Code:
<pre>
----a-w         2,321,600 2008-02-14 19:16:33  C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w            61,440 2008-02-14 19:16:22  C:\Program Files\Common Files\Mediafour\MACVNTFY .EXE
----a-w           106,496 2008-02-14 19:16:23  C:\Program Files\Mediafour\MacDrive\MDDiskProtect .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{A08FB30D-51C4-4E54-AA5E-FF18739802EA}]
@=Mediafour Mac Volume Icons

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\QTTask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [ ]
"Auto EPSON Stylus Photo R200 Series on ANTEC"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"MDDiskProtect.exe"="C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-15 12:54 106496]
"Mediafour Mac Volume Notifications"="C:\Program Files\Common Files\Mediafour\MACVNTFY.exe" [2002-12-17 12:43 61440]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 17:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 16:05 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime Alternative\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-10-30 18:49 16269312 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-16 17:04 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Updates]
c:\windows\system\Update.exe

R0 DigiFilter;DigiFilter;C:\WINDOWS\system32\drivers\DigiFilt.sys [2006-11-13 20:38]
R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys [2006-04-30 06:57]
R1 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys [2006-06-16 08:53]
R2 DigiNet;Digidesign Ethernet Support;C:\WINDOWS\system32\DRIVERS\diginet.sys [2006-11-13 20:38]
R3 dalwdmservice;dal service;C:\WINDOWS\system32\drivers\dalwdm.sys [2006-11-13 20:36]
R3 MBX2DFU;MBX2DFU;C:\WINDOWS\system32\DRIVERS\MBX2DFU.sys [2006-11-13 20:37]
R3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;C:\WINDOWS\system32\drivers\mbx2midk.sys [2006-11-13 20:37]
S3 MA_CMIDI;M-Audio USB Driver;C:\WINDOWS\system32\drivers\ma_cmidi.sys [2007-11-14 16:20]
S3 UKS11LDR;M-Audio USB Keystation Loader;C:\WINDOWS\system32\drivers\uks11ldr.sys [2007-11-14 16:20]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\ONSPCLCK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fdbb270-7822-11dc-afc5-00301b44c162}]
\Shell\AutoRun\command - N:\ONSPCLCK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-13 17:50:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-14 23:47:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-14 23:49:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-15 07:49:13
ComboFix2.txt 2008-02-15 01:10:52
ComboFix3.txt 2008-02-15 23:01:15
.
2008-02-13 11:05:13 --- E O F ---

===========================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:53, on 2008-02-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on ANTEC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P44 "Auto EPSON Stylus Photo R200 Series on ANTEC" /O16 "\\ANTEC\Printer2" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1188973442546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1188973356453
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - C:\Program Files\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 7717 bytes
 
Hello,

Don't worry about your clock; when we're done, ComboFix has a tool that will restore it. Just leave it be.

Again, drag ComboFix to the trash and download a fresh copy. Same rules.

Download ComboFix from Here or Here to your Desktop.

In the event you already have ComboFix, this is a new version that I need you to download.
It must be saved directly to your desktop.


1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
  • Click on this link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again afterwards, before connecting to the net.
2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
  • If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
  • If there is no Internet connection when ComboFix has completely finished, restart your computer to restore the connection.
3. Now double-click on combofix.exe and follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.




Open Notepad and copy all the text inside the Code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above RenV::.

Code:
Killall::

RenV::
----a-w         2,321,600 2008-02-14 19:16:33  C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w            61,440 2008-02-14 19:16:22  C:\Program Files\Common Files\Mediafour\MACVNTFY .EXE
----a-w           106,496 2008-02-14 19:16:23  C:\Program Files\Mediafour\MacDrive\MDDiskProtect .exe

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot: CFScript.gif)



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
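The pattern the script above targets is a file whose name carries a space just before its extension (QTTask .exe, MACVNTFY .EXE, MDDiskProtect .exe) sitting beside the normally named program it imitates, with the Run key or process list pointing at the odd one. As an added example that is not part of this thread and is not ComboFix's or HijackThis's own code, the Python below pulls every exe/dll/sys path out of HijackThis or ComboFix-style text, flags the space-before-extension names, pairs each with the normally named counterpart seen in the same log, and lays the matching ComboFix file lines out in the Killall::/RenV:: layout the helper used. The sample log lines are constructed for the example, modelled on lines in this thread; what ComboFix does with a RenV:: block is taken from the helper's usage here, not documented by this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample lines modelled on the HijackThis / ComboFix output in this
# thread; they are not copied from a live machine.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
C:\Program Files\Common Files\Mediafour\MACVNTFY .EXE
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect .exe
C:\WINDOWS\system32\svchost.exe
"""

# Constructed ComboFix-style file lines (attributes, size, timestamp, path),
# in the layout the helper pasted under RenV:: in this thread.
SAMPLE_COMBOFIX_FILES = r"""
----a-w         2,321,600 2008-02-14 19:16:33  C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w            61,440 2008-02-14 19:16:22  C:\Program Files\Common Files\Mediafour\MACVNTFY .EXE
----a-w            61,440 2002-12-17 12:43:00  C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
"""

EXT = r'\.(?:exe|dll|sys)'
# A drive-letter path ending in exe/dll/sys; a quote or bracket ends the path.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\[\]\r\n]*?' + EXT + r'\b', re.IGNORECASE)
# One or more spaces immediately before the extension, e.g. "QTTask .exe".
SPACE_BEFORE_EXT = re.compile(r' +' + EXT + r'$', re.IGNORECASE)


def extract_paths(log_text):
    """Every exe/dll/sys path mentioned anywhere in the log text, in order."""
    return [m.group(0) for m in WIN_PATH.finditer(log_text)]


def has_space_before_ext(path):
    """True for names like 'MACVNTFY .EXE'; legitimate installers do not do this."""
    return bool(SPACE_BEFORE_EXT.search(PureWindowsPath(path).name))


def canonical(path):
    """Lower-cased path with the embedded space(s) removed, so that
    'MACVNTFY .EXE' and 'MACVNTFY.exe' compare equal."""
    p = PureWindowsPath(path)
    name = SPACE_BEFORE_EXT.sub(lambda m: m.group(0).lstrip(), p.name)
    return str(p.with_name(name)).lower()


def find_lookalikes(log_text):
    """Map each space-before-extension path to the normally named counterpart
    seen in the same log, or None if the log never mentions one."""
    paths = extract_paths(log_text)
    normal = {canonical(p): p for p in paths if not has_space_before_ext(p)}
    result = {}
    for p in paths:
        if has_space_before_ext(p) and p not in result:
            result[p] = normal.get(canonical(p))
    return result


def build_renv_script(combofix_file_lines):
    """Keep only the ComboFix file lines whose path shows the pattern and lay
    them out as the Killall::/RenV:: script used in this thread. Lines pass
    through unchanged: the attribute/size/date/path text is ComboFix's own
    format and this example makes no claim about how ComboFix parses it."""
    keep = []
    for line in combofix_file_lines.splitlines():
        m = WIN_PATH.search(line)
        if m and has_space_before_ext(m.group(0)):
            keep.append(line.rstrip())
    return "Killall::\n\nRenV::\n" + "\n".join(keep) + "\n"


if __name__ == "__main__":
    for bad, good in find_lookalikes(SAMPLE_HJT).items():
        print(f"{bad!r:70} counterpart: {good}")
    print(build_renv_script(SAMPLE_COMBOFIX_FILES))
```

The check is a naming heuristic, not a verdict: it tells you which entries to look at, and a counterpart of None (QTTask .exe in the sample) means the log simply never listed the normal name, not that there is no such file. Confirm each flagged file on disk before putting its line under RenV::, and keep the lines exactly as ComboFix printed them.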
 
ComboFix 08-02-15.2 - Administrator 2008-02-15 1:50:12.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1645 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.

2008-02-14 11:20 . 2008-02-14 12:25 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-14 11:20 . 2008-02-14 11:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-14 11:20 . 2008-02-14 11:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-14 11:19 . 2008-02-14 11:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-13 17:53 . 2008-02-13 17:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 12:28 . 2008-02-13 12:28 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-13 12:28 . 2008-02-13 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-10 00:29 . 2008-02-10 00:20 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-10 00:29 . 2008-02-10 00:29 3,453 --a------ C:\WINDOWS\unins000.dat
2008-02-02 11:39 . 2008-02-02 17:33 <DIR> d-------- C:\Temp Refill Temp
2008-01-20 19:56 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-19 09:23 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-01-19 09:22 . 2008-01-19 09:22 <DIR> d-------- C:\Program Files\MSBuild
2008-01-19 09:22 . 2008-01-19 09:22 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-19 09:21 . 2008-01-19 09:21 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-19 09:19 . 2008-01-19 09:21 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-19 09:19 . 2008-01-19 09:19 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-01-19 09:19 . 2008-02-13 03:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-19 09:18 . 2008-01-19 09:18 <DIR> dr-h----- C:\MSOCache
2008-01-15 20:26 . 2008-01-15 20:26 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 09:51 --------- d-----w C:\Program Files\Common Files\Mediafour
2008-02-15 09:42 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-02-15 01:08 --------- d-----w C:\Program Files\iTunes
2008-02-14 19:16 --------- d-----w C:\Program Files\QuickTime Alternative
2008-02-12 03:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Digidesign
2008-02-10 10:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-10 08:30 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-23 18:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-09 09:07 --------- d-----w C:\Program Files\FLVPlayer
2008-01-09 09:05 --------- d-----w C:\Program Files\PowerISO
2008-01-09 01:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\iShell
2008-01-03 02:32 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Propellerhead Software
2008-01-03 01:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-03 01:27 --------- d-----w C:\Program Files\M-Audio
2007-12-31 07:36 --------- d-----w C:\Program Files\Azureus
2007-12-21 08:10 --------- d-----w C:\Program Files\Red Kawa
2007-12-21 08:10 --------- d-----w C:\Program Files\AviSynth 2.5
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-16 21:37 --------- d-----w C:\Program Files\Smartparts
2002-08-02 12:00 12,348 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.
Code:
----a-w         2,321,600 2008-02-14 19:16:33  C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
----a-w            61,440 2008-02-14 19:16:22  C:\Program Files\Common Files\Mediafour\MACVNTFY .EXE
----a-w           106,496 2008-02-14 19:16:23  C:\Program Files\Mediafour\MacDrive\MDDiskProtect .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{A08FB30D-51C4-4E54-AA5E-FF18739802EA}]
@=Mediafour Mac Volume Icons

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\QTTask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [ ]
"Auto EPSON Stylus Photo R200 Series on ANTEC"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.exe" [ ]
"MDDiskProtect.exe"="C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe" [2005-04-15 12:54 106496]
"Mediafour Mac Volume Notifications"="C:\Program Files\Common Files\Mediafour\MACVNTFY.exe" [2002-12-17 12:43 61440]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 17:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 16:05 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime Alternative\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-10-30 18:49 16269312 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-16 17:04 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Updates]
c:\windows\system\Update.exe

R0 DigiFilter;DigiFilter;C:\WINDOWS\system32\drivers\DigiFilt.sys [2006-11-13 20:38]
R0 MDPMGRNT;MDPMGRNT;C:\WINDOWS\system32\drivers\MDPMGRNT.sys [2006-04-30 06:57]
R1 MDFSYSNT;MDFSYSNT;C:\WINDOWS\system32\drivers\MDFSYSNT.sys [2006-06-16 08:53]
R2 DigiNet;Digidesign Ethernet Support;C:\WINDOWS\system32\DRIVERS\diginet.sys [2006-11-13 20:38]
R3 dalwdmservice;dal service;C:\WINDOWS\system32\drivers\dalwdm.sys [2006-11-13 20:36]
R3 MBX2DFU;MBX2DFU;C:\WINDOWS\system32\DRIVERS\MBX2DFU.sys [2006-11-13 20:37]
R3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;C:\WINDOWS\system32\drivers\mbx2midk.sys [2006-11-13 20:37]
S3 MA_CMIDI;M-Audio USB Driver;C:\WINDOWS\system32\drivers\ma_cmidi.sys [2007-11-14 16:20]
S3 UKS11LDR;M-Audio USB Keystation Loader;C:\WINDOWS\system32\drivers\uks11ldr.sys [2007-11-14 16:20]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\ONSPCLCK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fdbb270-7822-11dc-afc5-00301b44c162}]
\Shell\AutoRun\command - N:\ONSPCLCK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-13 17:50:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 01:52:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-15 1:54:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-15 09:54:46
ComboFix2.txt 2008-02-15 09:46:25
ComboFix3.txt 2008-02-15 07:49:16
ComboFix4.txt 2008-02-15 01:10:52
ComboFix5.txt 2008-02-15 23:01:15
.
2008-02-13 11:05:13 --- E O F ---

====================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:56, on 2008-02-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on ANTEC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P44 "Auto EPSON Stylus Photo R200 Series on ANTEC" /O16 "\\ANTEC\Printer2" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1188973442546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1188973356453
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - C:\Program Files\Digidesign\Drivers\MMERefresh.exe (file missing)
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 7750 bytes
 
What I would do is use those programs and make sure they work with no problems. Wait a few days and post a new HJT log. I have to look into this a bit, as this infection is new.

C:\Program Files\Mediafour
C:\Program Files\Common Files\Adobe\Updater5
 
Every time I try to empty the trash after I run these fixes, a screen comes up saying it is updating Adobe (Adobe Acrobat 8.1.2). Should I try to delete Acrobat and install it again later?

I am not sure what Mediafour is; it may be from Digidesign/Pro Tools (MacDrive).

Thank you,
Rick
 