virtumonde--still there

perineum

New member
I got hit with Virtumonde. I rebooted and did an SB scan in safe mode. It did detect Virtumonde. I removed it, and my Kaspersky detected Virtumonde again on reboot. I tried to run an online scan, but it seemed to be greyed out. Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:40 AM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1188054514343
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.2.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFEF4629-A2C2-4568-A4C4-7413D063E329}: NameServer = 208.67.222.222,208.67.220.220
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: jkkklkk - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - c:\altera\72\quartus\bin\jtagserver.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 8290 bytes
 
perineum
Welcome to Safer Networking.

Please read Before You Post
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.




I am still looking at a marker on your HJT log for Vundo; let's do a few things.


1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left-hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.




=============================================

Download VundoFix to your desktop

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.



======================================



Download ComboFix from Here or Here to your Desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



=======================================

The thieves that have written Vundo have written it to evade an HJT scan, so we need to rename it.
This is important; do this before you post an HJT log.
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right-click on HijackThis.exe (it looks like a man with a spyglass) and rename it to Safer.exe



Let me see the VundoFix log, the ComboFix log and a new HJT log (from the renamed HijackThis), please.
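The marker the helper is looking at is the O20 - Winlogon Notify line in the posted log: a seven-letter handler name (jkkklkk) registered under Winlogon\Notify with no DLL file behind it, only C:\WINDOWS\. Vundo/Virtumonde installs exactly that kind of randomly named Notify DLL so that winlogon.exe loads it at every logon, which is why a reboot brings the infection back after an on-demand scan removes the visible files. As an added example that is not part of this thread, of HijackThis, VundoFix or ComboFix, the Python script below runs that triage over lines copied from the logs in this thread: it flags non-default Winlogon Notify handlers, AppInit_DLLs entries and services with no owner in the HJT log, and, in the ComboFix "Files Created" list posted later in the thread, hidden+system .ini files dropped in system32 and file names with a space before the extension. The severity labels, the random-name heuristic and the function names are this example's own assumptions, not output of either tool.

```python
import re

# Lines copied from the HijackThis and ComboFix logs posted in this thread, embedded
# so the example runs offline. This is a constructed subset, not the full logs.
HJT_SAMPLE = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: jkkklkk - C:\WINDOWS\
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

COMBOFIX_SAMPLE = r"""
2007-12-27 20:01 . 2007-12-28 16:12 1,031,259 --ahs---- C:\WINDOWS\system32\nscdapyd.ini
2007-12-26 09:49 . 2008-01-04 13:47 5,428,000 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-22 14:47 . 2007-12-30 10:08 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-11 13:45 . 2007-12-11 13:45 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
# ComboFix "Files Created" rows: created . modified size attributes path
CF_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"([\d,]+)\s+([-a-z]{9})\s+(.+)$"
)


def looks_generated(name):
    """Heuristic (this example's assumption): 6-9 lowercase letters with at most
    a quarter vowels, the shape of the names Vundo picks for its Notify DLLs."""
    if not re.fullmatch(r"[a-z]{6,9}", name):
        return False
    return sum(c in "aeiou" for c in name) <= len(name) // 4


def triage_hjt(log_text):
    """Return (line, severity, reasons) for the HJT entries a Vundo hunt looks at first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O20" and body.startswith("Winlogon Notify:"):
            name, _, path = body[len("Winlogon Notify:"):].strip().partition(" - ")
            # HijackThis 2.x does not list the stock Windows Notify handlers, so any
            # O20 Winlogon Notify line is a non-default DLL loaded into winlogon.exe.
            reasons = ["non-default Winlogon Notify handler"]
            if looks_generated(name):
                reasons.append("generated-looking subkey name")
            if path.endswith("\\") or not path.lower().endswith(".dll"):
                reasons.append("no DLL file resolved, only a directory")
            findings.append((line, "HIGH", reasons))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append((line, "REVIEW",
                             ["AppInit_DLLs is loaded into every process that uses user32; confirm the DLL"]))
        elif section == "O23" and " - Unknown owner - " in body:
            findings.append((line, "INFO", ["service binary carries no company name"]))
    return findings


def triage_combofix_created(log_text):
    """Flag rows of ComboFix's 'Files Created' list that match Vundo's dropper habits."""
    findings = []
    for raw in log_text.splitlines():
        m = CF_LINE.match(raw.strip())
        if not m:
            continue
        _created, _modified, _size, attrs, path = m.groups()
        folder, _, name = path.rpartition("\\")
        reasons = []
        if re.search(r"\s\.[A-Za-z0-9]+$", name):
            reasons.append("whitespace before the extension; check which program created it")
        if (folder.lower().endswith("\\system32") and "h" in attrs and "s" in attrs
                and name.lower().endswith(".ini")):
            # Vundo drops hidden+system .ini files in system32 alongside its DLL.
            reasons.append("hidden+system .ini dropped in system32")
        if reasons:
            findings.append((path, "HIGH", reasons))
    return findings


def report(findings):
    """Render findings as text so the script is readable when run directly."""
    return "\n".join(f"[{sev}] {item}\n    - " + "\n    - ".join(why)
                     for item, sev, why in findings)


if __name__ == "__main__":
    print(report(triage_hjt(HJT_SAMPLE)))
    print(report(triage_combofix_created(COMBOFIX_SAMPLE)))
```

Run against the sample, the only HIGH entry from the HJT log is the jkkklkk Notify handler, which is the line the helper's VundoFix and ComboFix steps are aimed at; the Kaspersky fidbox.dat files, although hidden+system, sit in system32\drivers and are not flagged, which is the kind of false positive a hidden-file heuristic has to avoid.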
 
Vundofix log:

VundoFix V6.7.7

Checking Java version...

Scan started at 1:10:00 PM 1/4/2008

Listing files found while scanning....

No infected files were found.
 
combofix log:
ComboFix 08-01-04.1 - Admin 2008-01-04 13:40:57.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.652 [GMT -6:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix(2).exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\mcrh.tmp

.
((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.

2008-01-04 13:39 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 13:10 . 2008-01-04 13:10 <DIR> d-------- C:\VundoFix Backups
2008-01-02 10:58 . 2008-01-02 11:00 1,355 --a------ C:\WINDOWS\imsins.BAK
2007-12-30 15:13 . 2007-12-30 15:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-29 00:07 . 2007-12-29 00:07 <DIR> d-------- C:\Deckard
2007-12-28 20:01 . 2007-12-28 20:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-27 20:01 . 2007-12-28 16:12 1,031,259 --ahs---- C:\WINDOWS\system32\nscdapyd.ini
2007-12-26 19:27 . 2004-08-03 23:08 59,136 --a------ C:\WINDOWS\system32\drivers\GcKernel.sys
2007-12-26 19:27 . 2004-08-03 23:08 59,136 --a--c--- C:\WINDOWS\system32\dllcache\gckernel.sys
2007-12-26 19:27 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-12-26 19:27 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-12-26 19:27 . 2001-08-17 14:02 2,688 --a------ C:\WINDOWS\system32\drivers\HIDSwvd.sys
2007-12-26 19:27 . 2001-08-17 14:02 2,688 --a--c--- C:\WINDOWS\system32\dllcache\hidswvd.sys
2007-12-26 09:52 . 2007-12-26 10:01 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-26 09:52 . 2007-12-26 10:01 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-26 09:50 . 2007-12-26 09:50 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-26 09:50 . 2008-01-04 11:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-26 09:49 . 2008-01-04 13:47 5,428,000 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-26 09:49 . 2008-01-04 13:47 85,280 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-26 09:49 . 2008-01-04 11:07 75,164 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-26 09:49 . 2008-01-04 11:07 9,800 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-26 09:38 . 2007-12-26 09:38 <DIR> d-------- C:\KAV
2007-12-23 18:46 . 2007-12-23 18:46 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2007-12-23 18:46 . 2007-12-23 18:46 <DIR> d-------- C:\Program Files\MSECACHE
2007-12-23 18:25 . 2007-12-23 18:25 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-23 18:25 . 2007-12-23 18:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-23 18:15 . 2007-12-23 18:20 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-23 18:05 . 2007-12-23 18:05 <DIR> d-------- C:\Program Files\Comodo
2007-12-23 18:05 . 2007-12-23 18:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BOC425
2007-12-23 18:05 . 2007-11-26 10:38 238,848 --a------ C:\WINDOWS\UNBOC.EXE
2007-12-23 18:05 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2007-12-23 18:05 . 2004-08-03 23:56 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2007-12-23 18:05 . 2007-12-26 10:07 9,196 --a------ C:\WINDOWS\BOC425.INI
2007-12-22 14:47 . 2007-12-30 10:08 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-22 11:21 . 2007-12-22 12:36 381 --a------ C:\WINDOWS\wininit.ini
2007-12-20 11:26 . 2007-12-31 08:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-20 11:26 . 2007-12-20 11:26 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-19 21:59 . 2007-12-31 09:50 <DIR> d-------- C:\Program Files\QuickTime
2007-12-18 09:34 . 2007-12-19 17:32 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\DAEMON Tools
2007-12-18 09:29 . 2007-12-18 09:34 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2007-12-18 09:25 . 2007-12-18 09:25 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-18 08:56 . 2007-12-18 08:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-18 08:50 . 2007-12-27 08:51 <DIR> d-------- C:\Program Files\LucasArts
2007-12-11 13:46 . 2007-12-11 13:46 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 13:46 . 2007-12-11 13:46 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-12-11 13:46 . 2007-12-11 13:46 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-12-11 13:45 . 2007-12-11 13:45 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 13:45 . 2007-12-11 13:45 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-11 13:43 . 2007-12-11 13:43 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-10 20:06 . 2007-12-10 20:06 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 02:04 --------- d-----w C:\Program Files\Last.fm
2008-01-03 21:48 --------- d-----w C:\Documents and Settings\Admin\Application Data\uTorrent
2008-01-02 15:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-31 15:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-31 15:47 --------- d-----w C:\Program Files\Java
2007-12-28 21:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-26 15:47 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-26 15:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-25 23:25 --------- d-----w C:\Program Files\DivX
2007-12-24 01:49 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-24 00:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-20 17:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
2007-12-18 14:56 --------- d-----w C:\Program Files\Apple Software Update
2007-12-16 18:08 --------- d-----w C:\Program Files\ShurikSoft
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-11 19:44 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-12-11 19:44 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-11 19:44 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-11 19:44 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 19:44 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-11 19:44 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 19:44 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-11 19:44 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-12-11 19:44 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-02 16:56 321 ----a-w C:\license.dat
2007-12-02 16:37 --------- d-----w C:\Documents and Settings\Admin\Application Data\SSH
2007-12-01 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-01 23:28 --------- d-----w C:\Documents and Settings\Admin\Application Data\NewsBin
2007-11-20 03:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\SimCity Societies
2007-11-20 03:09 --------- d-----w C:\Program Files\Electronic Arts
2007-11-18 21:35 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-18 17:27 --------- d-----w C:\Documents and Settings\Admin\Application Data\EndNote
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-05 01:39 429 ----a-w C:\0030BD1CDE94__0-741837788253016.dat
2007-11-04 21:10 --------- d-----w C:\Program Files\Common Files\Thraex Software
2007-11-03 17:38 363,368 ----a-w C:\WINDOWS\system32\Incinerator.dll
2007-10-30 23:43 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 15:04 74,703 ----a-w C:\WINDOWS\system32\mfc45.dll
.
----a-w           624,248 2007-12-25 19:45:53  C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w            90,112 2007-12-25 19:46:02  C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
----a-w            48,752 2007-12-26 14:04:47  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w           342,272 2007-12-26 16:03:37  C:\Program Files\Comodo\CBOClean\BOC425 .exe
----a-w         1,831,936 2007-12-25 19:45:59  C:\Program Files\Google\Google Desktop Search\GoogleDesktop .exe
----a-w           286,720 2007-12-25 19:45:49  C:\Program Files\QuickTime\QTTask        .exe
----a-w         1,460,560 2007-12-30 16:03:23  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w            15,360 2007-12-30 16:08:50  C:\WINDOWS\system32\ctfmon .exe
 
((((((((((((((((((((((((((((( snapshot@2007-12-30_10.27.52.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-06-27 14:34:51 124,928 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\advpack.dll
+ 2006-10-17 15:57:50 214,528 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\dxtrans.dll
+ 2007-06-27 14:34:51 132,608 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\extmgr.dll
+ 2006-10-17 15:58:20 61,952 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\icardie.dll
+ 2007-06-27 08:27:04 63,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ie4uinit.exe
+ 2007-06-27 14:34:51 153,088 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieakeng.dll
+ 2007-06-27 14:34:51 230,400 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieaksie.dll
+ 2007-06-27 07:00:33 161,792 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieakui.dll
+ 2007-06-27 14:34:51 383,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieapfltr.dll
+ 2007-06-27 14:34:51 384,512 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iedkcs32.dll
+ 2007-06-27 14:34:55 6,058,496 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieframe.dll
+ 2007-06-27 14:34:55 44,544 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iernonce.dll
+ 2007-06-27 14:34:55 267,776 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iertutil.dll
+ 2007-06-27 08:27:05 13,824 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieudinit.exe
+ 2007-06-27 08:27:30 625,152 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iexplore.exe
+ 2007-06-27 14:34:56 27,648 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\jsproxy.dll
+ 2007-06-27 14:34:56 459,264 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msfeeds.dll
+ 2007-06-27 14:34:56 52,224 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msfeedsbs.dll
+ 2007-07-19 06:59:59 3,583,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mshtml.dll
+ 2007-06-27 14:34:57 477,696 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mshtmled.dll
+ 2007-06-27 14:34:58 193,024 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msrating.dll
+ 2007-06-27 14:34:58 671,232 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mstime.dll
+ 2007-06-27 14:34:58 102,400 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\occache.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\updspapi.dll
+ 2007-06-27 14:34:58 105,984 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\url.dll
+ 2007-06-27 14:34:58 1,152,000 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\urlmon.dll
+ 2007-06-27 14:34:59 232,960 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\webcheck.dll
+ 2007-06-27 14:34:59 823,808 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\wininet.dll
- 2007-06-27 14:34:51 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2007-10-10 23:55:51 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2007-06-27 14:34:51 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2007-10-10 23:55:51 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
- 2006-10-17 15:57:50 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2007-10-10 23:55:51 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-06-27 14:34:51 132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2007-10-10 23:55:51 132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2007-10-10 23:55:51 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
- 2007-06-27 08:27:04 63,488 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2007-10-10 10:59:40 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2007-06-27 14:34:51 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2007-10-10 23:55:51 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2007-06-27 14:34:51 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2007-10-10 23:55:51 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2007-06-27 07:00:33 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2007-10-10 05:46:55 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2007-06-27 14:34:51 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2007-10-10 23:55:52 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2007-06-27 14:34:51 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2007-10-10 23:55:52 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2007-06-27 14:34:55 6,058,496 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2007-10-10 23:55:54 6,065,664 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2007-06-27 14:34:55 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2007-10-10 23:55:55 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2007-06-27 14:34:55 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2007-10-10 23:55:55 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2007-06-27 08:27:05 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
+ 2007-10-10 10:59:40 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
- 2007-06-27 08:27:30 625,152 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2007-10-10 10:59:52 625,152 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2007-05-16 15:12:02 683,520 -c--a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
+ 2007-08-21 06:15:44 683,520 -c--a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
- 2007-06-27 14:34:56 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2007-10-10 23:55:56 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2004-08-04 03:58:22 72,960 -c--a-w C:\WINDOWS\system32\dllcache\mqac.sys
+ 2007-07-06 10:05:47 72,960 -c--a-w C:\WINDOWS\system32\dllcache\mqac.sys
- 2004-08-04 05:56:44 138,240 -c--a-w C:\WINDOWS\system32\dllcache\mqad.dll
+ 2007-07-06 12:46:59 138,240 -c--a-w C:\WINDOWS\system32\dllcache\mqad.dll
- 2004-08-04 05:56:44 47,104 -c--a-w C:\WINDOWS\system32\dllcache\mqdscli.dll
+ 2007-07-06 12:46:59 47,104 -c--a-w C:\WINDOWS\system32\dllcache\mqdscli.dll
- 2004-08-04 05:56:44 16,896 -c--a-w C:\WINDOWS\system32\dllcache\mqise.dll
+ 2007-07-06 12:46:59 16,896 -c--a-w C:\WINDOWS\system32\dllcache\mqise.dll
- 2004-08-04 05:56:44 660,992 -c--a-w C:\WINDOWS\system32\dllcache\mqqm.dll
+ 2007-07-06 12:46:59 660,992 -c--a-w C:\WINDOWS\system32\dllcache\mqqm.dll
- 2004-08-04 05:56:44 177,152 -c--a-w C:\WINDOWS\system32\dllcache\mqrt.dll
+ 2007-07-06 12:46:59 177,152 -c--a-w C:\WINDOWS\system32\dllcache\mqrt.dll
- 2004-08-04 05:56:44 95,744 -c--a-w C:\WINDOWS\system32\dllcache\mqsec.dll
+ 2007-07-06 12:46:59 95,744 -c--a-w C:\WINDOWS\system32\dllcache\mqsec.dll
- 2004-08-04 05:56:44 48,640 -c--a-w C:\WINDOWS\system32\dllcache\mqupgrd.dll
+ 2007-07-06 12:46:59 48,640 -c--a-w C:\WINDOWS\system32\dllcache\mqupgrd.dll
- 2004-08-04 05:56:44 471,552 -c--a-w C:\WINDOWS\system32\dllcache\mqutil.dll
+ 2007-07-06 12:46:59 471,552 -c--a-w C:\WINDOWS\system32\dllcache\mqutil.dll
- 2007-06-27 14:34:56 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2007-10-10 23:55:56 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2007-06-27 14:34:56 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2007-10-10 23:55:56 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2007-07-19 06:59:59 3,583,488 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2007-10-30 23:42:28 3,590,656 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-06-27 14:34:57 477,696 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2007-10-10 23:55:58 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-06-27 14:34:58 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2007-10-10 23:55:58 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-06-27 14:34:58 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2007-10-10 23:55:59 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-06-27 14:34:58 102,400 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
+ 2007-10-10 23:55:59 102,400 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
- 2005-08-30 03:54:26 1,287,168 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll
+ 2007-10-29 22:43:03 1,287,680 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll
- 2004-08-04 05:56:46 581,120 -c--a-w C:\WINDOWS\system32\dllcache\rpcrt4.dll
+ 2007-07-09 13:16:16 582,656 -c--a-w C:\WINDOWS\system32\dllcache\rpcrt4.dll
- 2006-12-19 21:52:18 8,453,632 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
+ 2007-10-26 03:34:01 8,460,288 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
- 2007-06-27 14:34:58 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
+ 2007-10-10 23:55:59 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
- 2007-06-27 14:34:58 1,152,000 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2007-10-10 23:56:00 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-06-27 14:34:59 232,960 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2007-10-10 23:56:00 232,960 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2007-06-27 14:34:59 823,808 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2007-10-10 23:56:00 824,832 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2005-01-28 17:44:28 224,768 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
+ 2007-10-27 23:40:06 227,328 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
- 2004-08-04 03:58:22 72,960 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
+ 2007-07-06 10:05:47 72,960 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
- 2006-10-17 15:57:50 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2007-10-10 23:55:51 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-06-27 14:34:51 132,608 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2007-10-10 23:55:51 132,608 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2006-10-17 15:58:20 61,952 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2007-10-10 23:55:51 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2007-06-27 08:27:04 63,488 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2007-10-10 10:59:40 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2007-06-27 14:34:51 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2007-10-10 23:55:51 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2007-06-27 14:34:51 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2007-10-10 23:55:51 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2007-06-27 07:00:33 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2007-10-10 05:46:55 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2007-06-27 14:34:51 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2007-10-10 23:55:52 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2007-06-27 14:34:51 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2007-10-10 23:55:52 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2007-06-27 14:34:55 6,058,496 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2007-10-10 23:55:54 6,065,664 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-06-27 14:34:55 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2007-10-10 23:55:55 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2007-06-27 14:34:55 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2007-10-10 23:55:55 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2007-06-27 08:27:05 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2007-10-10 10:59:40 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
+ 2007-08-21 06:15:44 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
- 2007-06-27 14:34:56 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2007-10-10 23:55:56 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2007-04-24 15:32:06 1,485,696 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2007-10-11 20:12:48 1,468,968 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
- 2006-11-09 19:20:00 2,111,096 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
+ 2007-11-21 00:52:38 2,884,992 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
- 2006-11-09 19:20:00 190,072 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2007-11-21 00:52:40 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-01-04 17:14:46 70,264 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
- 2004-08-04 05:56:44 138,240 ----a-w C:\WINDOWS\system32\mqad.dll
+ 2007-07-06 12:46:59 138,240 ----a-w C:\WINDOWS\system32\mqad.dll
- 2004-08-04 05:56:44 47,104 ----a-w C:\WINDOWS\system32\mqdscli.dll
+ 2007-07-06 12:46:59 47,104 ----a-w C:\WINDOWS\system32\mqdscli.dll
- 2004-08-04 05:56:44 16,896 ----a-w C:\WINDOWS\system32\mqise.dll
+ 2007-07-06 12:46:59 16,896 ----a-w C:\WINDOWS\system32\mqise.dll
- 2004-08-04 05:56:44 660,992 ----a-w C:\WINDOWS\system32\mqqm.dll
+ 2007-07-06 12:46:59 660,992 ----a-w C:\WINDOWS\system32\mqqm.dll
- 2004-08-04 05:56:44 177,152 ----a-w C:\WINDOWS\system32\mqrt.dll
+ 2007-07-06 12:46:59 177,152 ----a-w C:\WINDOWS\system32\mqrt.dll
- 2004-08-04 05:56:44 95,744 ----a-w C:\WINDOWS\system32\mqsec.dll
+ 2007-07-06 12:46:59 95,744 ----a-w C:\WINDOWS\system32\mqsec.dll
- 2004-08-04 05:56:44 48,640 ----a-w C:\WINDOWS\system32\mqupgrd.dll
+ 2007-07-06 12:46:59 48,640 ----a-w C:\WINDOWS\system32\mqupgrd.dll
- 2004-08-04 05:56:44 471,552 ----a-w C:\WINDOWS\system32\mqutil.dll
+ 2007-07-06 12:46:59 471,552 ----a-w C:\WINDOWS\system32\mqutil.dll
- 2007-06-27 14:34:56 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2007-10-10 23:55:56 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2007-06-27 14:34:56 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2007-10-10 23:55:56 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2007-07-19 06:59:59 3,583,488 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2007-10-30 23:42:28 3,590,656 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-06-27 14:34:57 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2007-10-10 23:55:58 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-06-27 14:34:58 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2007-10-10 23:55:58 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-06-27 14:34:58 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2007-10-10 23:55:59 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2007-06-27 14:34:58 102,400 ----a-w C:\WINDOWS\system32\occache.dll
+ 2007-10-10 23:55:59 102,400 ----a-w C:\WINDOWS\system32\occache.dll
- 2004-08-04 05:56:46 581,120 ----a-w C:\WINDOWS\system32\rpcrt4.dll
+ 2007-07-09 13:16:16 582,656 ----a-w C:\WINDOWS\system32\rpcrt4.dll
- 2006-12-19 21:52:18 8,453,632 ----a-w C:\WINDOWS\system32\shell32.dll
+ 2007-10-26 03:34:01 8,460,288 ----a-w C:\WINDOWS\system32\shell32.dll
- 2007-12-14 03:26:50 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 14:00:00 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
- 2007-12-04 07:00:42 136,704 ----a-w C:\WINDOWS\system32\swsc.exe
+ 2000-08-31 14:00:00 136,704 ----a-w C:\WINDOWS\system32\swsc.exe
- 2006-12-01 11:20:32 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
+ 2000-08-31 14:00:00 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
- 2007-01-29 08:58:06 60,416 ----a-w C:\WINDOWS\system32\tzchange.exe
+ 2007-11-13 11:31:11 60,416 ----a-w C:\WINDOWS\system32\tzchange.exe
- 2007-06-27 14:34:58 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2007-10-10 23:55:59 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-06-27 14:34:58 1,152,000 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2007-10-10 23:56:00 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2006-11-27 08:34:46 49,152 ----a-w C:\WINDOWS\system32\VFind.exe
+ 2000-08-31 14:00:00 49,152 ----a-w C:\WINDOWS\system32\VFind.exe
- 2007-06-27 14:34:59 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2007-10-10 23:56:00 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2007-06-27 14:34:59 823,808 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-10-10 23:56:00 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
- 2007-03-09 11:28:00 248,320 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-10-29 10:04:03 350,720 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-09-16 20:05:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkklkk]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" -atboottime

R2 BT848;BtCap, WDM Video Capture;C:\WINDOWS\system32\drivers\BT848.sys [2000-03-29 08:26]
R2 BTTUNER;BtTuner, WDM TvTuner;C:\WINDOWS\system32\drivers\BTTUNER.sys [2000-03-29 08:26]
R2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.sys [2000-03-29 08:26]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2005-06-10 08:01]
R3 BOCDRIVE;BOClean Kernel Monitor.;C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys [2007-04-17 14:14]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 15:10]
S3 PEEK5;PEEK5 Protocol Driver;C:\DOCUME~1\Admin\Desktop\WINDOW~1\AIRSNO~1.6_W\PEEK5.SYS []


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb
.
Contents of the 'Scheduled Tasks' folder
"2008-01-03 03:56:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 13:47:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-04 13:49:23
ComboFix-quarantined-files.txt 2008-01-04 19:49:17
 
HJT log from safer.exe:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:54:47 PM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\safer.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1188054514343
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.2.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFEF4629-A2C2-4568-A4C4-7413D063E329}: NameServer = 208.67.222.222,208.67.220.220
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: jkkklkk - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - c:\altera\72\quartus\bin\jtagserver.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 8190 bytes
 
perineum,

You are infected with a newer variant of Vundo; this one infects legitimate files. If you look at your ComboFix report, all those programs in the CODE box are infected. All the files in the SNAPSHOT with an A W next to them are infected also.

We will try out a new tool. Thank you, sUbs.

Download http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe
to your Desktop.

Double-click RenV.exe to run it.
It will produce a log for you; please post it.
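The post above says the programs listed in the RenV CODE box are infected, and every name in that box shares one visible trait: whitespace between the stem and the extension ("ctfmon .exe" next to the real ctfmon.exe, "QTTask        .exe" in the QuickTime Task autorun). The Python below is an added example, not RenV or any tool from this thread; it parses the RenV-style listing and REGEDIT4-style autorun values quoted in the thread and flags such names. The sample text is constructed from lines on this page plus one clean control line, and the function names are mine.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Entry(NamedTuple):
    attrs: str   # e.g. "----a-w"
    size: int    # bytes, thousands separators removed
    stamp: str   # "YYYY-MM-DD HH:MM:SS"
    path: str    # full Windows path exactly as printed


# One RenV listing line: attributes, size, date, time, path.
LINE_RE = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+(?P<size>\d{1,3}(?:,\d{3})*|\d+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>\S.*?)\s*$"
)
# A file name whose stem is followed by whitespace and then the extension,
# e.g. "ctfmon .exe" or "QTTask        .exe".
SPACED_EXT_RE = re.compile(r"^(?P<stem>\S.*?)\s+(?P<ext>\.[A-Za-z0-9]+)$")
# REGEDIT4-style value line: "Name"="target" [extra]  or  "Name"=target
REG_VALUE_RE = re.compile(r'^"[^"]+"=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')

# Constructed sample: three lines copied from the thread's RenV log plus one
# padding-free control line (ctfmon.exe) that must NOT be flagged.
SAMPLE_LISTING = r"""Ran on Fri 01/04/2008 - 19:27:32.85

----a-w           624,248 2007-12-25 19:45:53  C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w           286,720 2007-12-25 19:45:49  C:\Program Files\QuickTime\QTTask        .exe
----a-w            15,360 2007-12-30 16:08:50  C:\WINDOWS\system32\ctfmon .exe
----a-w            15,360 2004-08-03 23:56:00  C:\WINDOWS\system32\ctfmon.exe

 Entries:                4  (4)
"""

# Constructed sample of the ComboFix "Reg Loading Points" section from the thread.
SAMPLE_REG = r"""[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" -atboottime
"""


def parse_listing(text: str) -> List[Entry]:
    """Parse every listing line; the header and the totals block are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["attrs"], int(m["size"].replace(",", "")),
                                 f"{m['date']} {m['time']}", m["path"]))
    return entries


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def spaced_extension(filename: str) -> Optional[str]:
    """Return the name with the padding removed ("ctfmon .exe" -> "ctfmon.exe"),
    or None when the name has no whitespace before its extension."""
    m = SPACED_EXT_RE.match(filename)
    return m["stem"] + m["ext"] if m else None


def flag_renamed(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Entries with a padded name, paired with the path the unpadded name would
    occupy in the same folder (where the legitimate program normally lives)."""
    out = []
    for e in entries:
        fixed = spaced_extension(basename(e.path))
        if fixed:
            folder = e.path.rsplit("\\", 1)[0]
            out.append((e, folder + "\\" + fixed))
    return out


def flag_autoruns(reg_text: str) -> List[Tuple[str, str]]:
    """(value line, target path) pairs whose target carries a padded name."""
    hits = []
    for line in reg_text.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if not m:
            continue
        target = m["quoted"] if m["quoted"] is not None else m["bare"]
        if spaced_extension(basename(target)):
            hits.append((line.strip(), target))
    return hits


if __name__ == "__main__":
    for e, sibling in flag_renamed(parse_listing(SAMPLE_LISTING)):
        print(f"padded name: {e.path!r} ({e.size:,} bytes); unpadded sibling: {sibling!r}")
    for line, target in flag_autoruns(SAMPLE_REG):
        print(f"autorun points at padded name: {target!r}  <- {line}")
```

Run against a full ComboFix or RenV log the script lists each padded name beside the path its clean twin should occupy, which is what to compare (size, timestamp, signature) before deciding which of the pair to reinstall.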
 
Code:
Ran on Fri 01/04/2008 - 19:27:32.85

----a-w           624,248 2007-12-25 19:45:53  C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w            90,112 2007-12-25 19:46:02  C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
----a-w            48,752 2007-12-26 14:04:47  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w           342,272 2007-12-26 16:03:37  C:\Program Files\Comodo\CBOClean\BOC425 .exe
----a-w         1,831,936 2007-12-25 19:45:59  C:\Program Files\Google\Google Desktop Search\GoogleDesktop .exe
----a-w           286,720 2007-12-25 19:45:49  C:\Program Files\QuickTime\QTTask        .exe
----a-w         1,460,560 2007-12-30 16:03:23  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w            15,360 2007-12-30 16:08:50  C:\WINDOWS\system32\ctfmon .exe

 Entries:                8  (8)
 Directories:            0  Files:             8
 Bytes:          4,699,960  Blocks:        9,182
 
Hello,

Your TeaTimer is still active; do this before you proceed or it can bork the fix.

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left-hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.


Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

O20 - Winlogon Notify: jkkklkk - C:\WINDOWS\




Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above RenV::

RenV::
----a-w 624,248 2007-12-25 19:45:53 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w 90,112 2007-12-25 19:46:02 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
----a-w 48,752 2007-12-26 14:04:47 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 342,272 2007-12-26 16:03:37 C:\Program Files\Comodo\CBOClean\BOC425 .exe
----a-w 1,831,936 2007-12-25 19:45:59 C:\Program Files\Google\Google Desktop Search\GoogleDesktop .exe
----a-w 286,720 2007-12-25 19:45:49 C:\Program Files\QuickTime\QTTask .exe
----a-w 1,460,560 2007-12-30 16:03:23 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 15,360 2007-12-30 16:08:50 C:\WINDOWS\system32\ctfmon .exe

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif



This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.


You are most likely going to have to reinstall the programs in the Quote box, so start getting your CDs in order.
 
ComboFix 08-01-04.1 - Admin 2008-01-04 21:01:48.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.631 [GMT -6:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix(4).exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-04 20:57 . 2008-01-04 20:57 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-04 13:39 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 13:10 . 2008-01-04 13:10 <DIR> d-------- C:\VundoFix Backups
2008-01-02 10:58 . 2008-01-02 11:00 1,355 --a------ C:\WINDOWS\imsins.BAK
2007-12-30 15:13 . 2007-12-30 15:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-29 00:07 . 2007-12-29 00:07 <DIR> d-------- C:\Deckard
2007-12-28 20:01 . 2007-12-28 20:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-27 20:01 . 2007-12-28 16:12 1,031,259 --ahs---- C:\WINDOWS\system32\nscdapyd.ini
2007-12-26 19:27 . 2004-08-03 23:08 59,136 --a------ C:\WINDOWS\system32\drivers\GcKernel.sys
2007-12-26 19:27 . 2004-08-03 23:08 59,136 --a--c--- C:\WINDOWS\system32\dllcache\gckernel.sys
2007-12-26 19:27 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-12-26 19:27 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-12-26 19:27 . 2001-08-17 14:02 2,688 --a------ C:\WINDOWS\system32\drivers\HIDSwvd.sys
2007-12-26 19:27 . 2001-08-17 14:02 2,688 --a--c--- C:\WINDOWS\system32\dllcache\hidswvd.sys
2007-12-26 09:52 . 2007-12-26 10:01 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-26 09:52 . 2007-12-26 10:01 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-26 09:50 . 2007-12-26 09:50 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-26 09:50 . 2008-01-04 19:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-26 09:49 . 2008-01-04 21:03 5,517,600 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-26 09:49 . 2008-01-04 21:03 89,632 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-26 09:49 . 2008-01-04 15:57 76,196 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-26 09:49 . 2008-01-04 15:57 10,256 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-26 09:38 . 2007-12-26 09:38 <DIR> d-------- C:\KAV
2007-12-23 18:46 . 2007-12-23 18:46 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2007-12-23 18:46 . 2007-12-23 18:46 <DIR> d-------- C:\Program Files\MSECACHE
2007-12-23 18:25 . 2007-12-23 18:25 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-23 18:25 . 2007-12-23 18:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-23 18:15 . 2007-12-23 18:20 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-23 18:05 . 2007-12-23 18:05 <DIR> d-------- C:\Program Files\Comodo
2007-12-23 18:05 . 2007-12-23 18:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BOC425
2007-12-23 18:05 . 2007-11-26 10:38 238,848 --a------ C:\WINDOWS\UNBOC.EXE
2007-12-23 18:05 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2007-12-23 18:05 . 2004-08-03 23:56 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2007-12-23 18:05 . 2007-12-26 10:07 9,196 --a------ C:\WINDOWS\BOC425.INI
2007-12-22 14:47 . 2007-12-30 10:08 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-22 11:21 . 2007-12-22 12:36 381 --a------ C:\WINDOWS\wininit.ini
2007-12-20 11:26 . 2007-12-31 08:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-20 11:26 . 2007-12-20 11:26 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-19 21:59 . 2007-12-31 09:50 <DIR> d-------- C:\Program Files\QuickTime
2007-12-18 09:34 . 2007-12-19 17:32 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\DAEMON Tools
2007-12-18 09:29 . 2007-12-18 09:34 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2007-12-18 09:25 . 2007-12-18 09:25 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-18 08:56 . 2007-12-18 08:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-18 08:50 . 2007-12-27 08:51 <DIR> d-------- C:\Program Files\LucasArts
2007-12-11 13:46 . 2007-12-11 13:46 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 13:46 . 2007-12-11 13:46 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-12-11 13:46 . 2007-12-11 13:46 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-12-11 13:45 . 2007-12-11 13:45 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 13:45 . 2007-12-11 13:45 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-11 13:43 . 2007-12-11 13:43 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-10 20:06 . 2007-12-10 20:06 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 02:04 --------- d-----w C:\Program Files\Last.fm
2008-01-03 21:48 --------- d-----w C:\Documents and Settings\Admin\Application Data\uTorrent
2008-01-02 15:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-31 15:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-31 15:47 --------- d-----w C:\Program Files\Java
2007-12-28 21:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-26 15:47 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-26 15:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-25 23:25 --------- d-----w C:\Program Files\DivX
2007-12-24 01:49 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-24 00:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-20 17:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
2007-12-18 14:56 --------- d-----w C:\Program Files\Apple Software Update
2007-12-16 18:08 --------- d-----w C:\Program Files\ShurikSoft
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-11 19:44 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-12-11 19:44 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-11 19:44 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-11 19:44 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 19:44 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-11 19:44 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 19:44 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-11 19:44 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-12-11 19:44 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-02 16:56 321 ----a-w C:\license.dat
2007-12-02 16:37 --------- d-----w C:\Documents and Settings\Admin\Application Data\SSH
2007-12-01 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-01 23:28 --------- d-----w C:\Documents and Settings\Admin\Application Data\NewsBin
2007-11-20 03:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\SimCity Societies
2007-11-20 03:09 --------- d-----w C:\Program Files\Electronic Arts
2007-11-18 21:35 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-18 17:27 --------- d-----w C:\Documents and Settings\Admin\Application Data\EndNote
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-05 01:39 429 ----a-w C:\0030BD1CDE94__0-741837788253016.dat
2007-11-03 17:38 363,368 ----a-w C:\WINDOWS\system32\Incinerator.dll
2007-10-30 23:43 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 15:04 74,703 ----a-w C:\WINDOWS\system32\mfc45.dll
.
Code:
------w            48,752 2007-12-26 14:04:47  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w           342,272 2007-12-26 16:03:37  C:\Program Files\Comodo\CBOClean\BOC425 .exe
----a-w         1,831,936 2007-12-25 19:45:59  C:\Program Files\Google\Google Desktop Search\GoogleDesktop .exe
----a-w           286,720 2007-12-25 19:45:49  C:\Program Files\QuickTime\QTTask        .exe
----a-w         1,460,560 2007-12-30 16:03:23  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w            15,360 2007-12-30 16:08:50  C:\WINDOWS\system32\ctfmon .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-09-16 20:05:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" -atboottime

R2 BT848;BtCap, WDM Video Capture;C:\WINDOWS\system32\drivers\BT848.sys [2000-03-29 08:26]
R2 BTTUNER;BtTuner, WDM TvTuner;C:\WINDOWS\system32\drivers\BTTUNER.sys [2000-03-29 08:26]
R2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.sys [2000-03-29 08:26]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2005-06-10 08:01]
R3 BOCDRIVE;BOClean Kernel Monitor.;C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys [2007-04-17 14:14]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 15:10]
S3 PEEK5;PEEK5 Protocol Driver;C:\DOCUME~1\Admin\Desktop\WINDOW~1\AIRSNO~1.6_W\PEEK5.SYS []


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb
.
Contents of the 'Scheduled Tasks' folder
"2008-01-03 03:56:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 21:04:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-04 21:05:10
ComboFix-quarantined-files.txt 2008-01-05 03:04:52
ComboFix2.txt 2008-01-04 19:49:27
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:05:36 PM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\safer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1188054514343
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.2.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFEF4629-A2C2-4568-A4C4-7413D063E329}: NameServer = 208.67.222.222,208.67.220.220
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - c:\altera\72\quartus\bin\jtagserver.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 8108 bytes
 
Some were not removed, do this in Safemode.

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
    this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
Tutorial if you need it: How to boot into Safemode


Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above RenV::

RenV::
----a-w 342,272 2007-12-26 16:03:37 C:\Program Files\Comodo\CBOClean\BOC425 .exe
----a-w 1,831,936 2007-12-25 19:45:59 C:\Program Files\Google\Google Desktop Search\GoogleDesktop .exe
----a-w 286,720 2007-12-25 19:45:49 C:\Program Files\QuickTime\QTTask .exe
----a-w 1,460,560 2007-12-30 16:03:23 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 15,360 2007-12-30 16:08:50 C:\WINDOWS\system32\ctfmon .exe

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif



This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


I need to see a new HJT log also please
 
ComboFix 08-01-04.1 - Admin 2008-01-04 21:40:54.9 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.791 [GMT -6:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix(2).exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-04 21:22 . 2007-12-05 14:17 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-01-04 21:21 . 2008-01-04 21:21 <DIR> d-------- C:\Program Files\ATI Technologies
2008-01-04 20:57 . 2008-01-04 20:57 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-04 13:39 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 13:10 . 2008-01-04 13:10 <DIR> d-------- C:\VundoFix Backups
2008-01-02 10:58 . 2008-01-02 11:00 1,355 --a------ C:\WINDOWS\imsins.BAK
2007-12-30 15:13 . 2007-12-30 15:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-29 00:07 . 2007-12-29 00:07 <DIR> d-------- C:\Deckard
2007-12-28 20:01 . 2007-12-28 20:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-27 20:01 . 2007-12-28 16:12 1,031,259 --ahs---- C:\WINDOWS\system32\nscdapyd.ini
2007-12-26 19:27 . 2004-08-03 23:08 59,136 --a------ C:\WINDOWS\system32\drivers\GcKernel.sys
2007-12-26 19:27 . 2004-08-03 23:08 59,136 --a--c--- C:\WINDOWS\system32\dllcache\gckernel.sys
2007-12-26 19:27 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-12-26 19:27 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-12-26 19:27 . 2001-08-17 14:02 2,688 --a------ C:\WINDOWS\system32\drivers\HIDSwvd.sys
2007-12-26 19:27 . 2001-08-17 14:02 2,688 --a--c--- C:\WINDOWS\system32\dllcache\hidswvd.sys
2007-12-26 09:52 . 2007-12-26 10:01 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-26 09:52 . 2007-12-26 10:01 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-26 09:50 . 2007-12-26 09:50 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-26 09:50 . 2008-01-04 21:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-26 09:49 . 2008-01-04 21:38 5,578,528 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-26 09:49 . 2008-01-04 21:38 96,032 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-26 09:49 . 2008-01-04 21:38 77,876 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-26 09:49 . 2008-01-04 21:38 11,120 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-26 09:38 . 2007-12-26 09:38 <DIR> d-------- C:\KAV
2007-12-23 18:46 . 2007-12-23 18:46 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2007-12-23 18:46 . 2007-12-23 18:46 <DIR> d-------- C:\Program Files\MSECACHE
2007-12-23 18:25 . 2007-12-23 18:25 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-23 18:25 . 2007-12-23 18:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-23 18:15 . 2007-12-23 18:20 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-23 18:05 . 2007-12-23 18:05 <DIR> d-------- C:\Program Files\Comodo
2007-12-23 18:05 . 2007-11-26 10:38 238,848 --a------ C:\WINDOWS\UNBOC.EXE
2007-12-23 18:05 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2007-12-23 18:05 . 2004-08-03 23:56 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2007-12-22 14:47 . 2007-12-30 10:08 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-22 11:21 . 2008-01-04 21:12 381 --a------ C:\WINDOWS\wininit.ini
2007-12-20 11:26 . 2007-12-31 08:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-20 11:26 . 2007-12-20 11:26 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-19 21:59 . 2007-12-31 09:50 <DIR> d-------- C:\Program Files\QuickTime
2007-12-18 09:34 . 2007-12-19 17:32 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\DAEMON Tools
2007-12-18 09:29 . 2007-12-18 09:34 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2007-12-18 09:25 . 2007-12-18 09:25 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-18 08:50 . 2007-12-27 08:51 <DIR> d-------- C:\Program Files\LucasArts
2007-12-11 13:46 . 2007-12-11 13:46 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 13:46 . 2007-12-11 13:46 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-12-11 13:46 . 2007-12-11 13:46 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-12-11 13:45 . 2007-12-11 13:45 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 13:45 . 2007-12-11 13:45 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-11 13:43 . 2007-12-11 13:43 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-10 20:06 . 2007-12-10 20:06 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 03:15 --------- d-----w C:\Program Files\Google
2008-01-05 03:12 --------- d-----w C:\Program Files\Apple Software Update
2008-01-04 02:04 --------- d-----w C:\Program Files\Last.fm
2008-01-03 21:48 --------- d-----w C:\Documents and Settings\Admin\Application Data\uTorrent
2008-01-02 15:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-31 15:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-31 15:47 --------- d-----w C:\Program Files\Java
2007-12-28 21:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-26 15:47 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-26 15:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-25 23:25 --------- d-----w C:\Program Files\DivX
2007-12-24 01:49 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-24 00:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-20 17:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
2007-12-16 18:08 --------- d-----w C:\Program Files\ShurikSoft
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-11 19:44 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-12-11 19:44 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-11 19:44 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-11 19:44 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 19:44 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-11 19:44 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 19:44 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-11 19:44 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-12-11 19:44 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-05 05:26 2,782,208 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-12-05 03:05 368,640 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-12-05 03:04 269,312 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-12-05 02:56 147,456 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-12-05 02:55 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-12-05 02:55 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-12-05 02:54 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-12-05 02:53 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-12-05 02:53 495,616 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-12-05 02:48 9,535,488 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-12-05 02:44 3,175,584 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-12-05 02:33 1,640,192 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-12-05 02:19 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-12-05 02:19 385,024 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-12-05 02:17 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-12-05 02:16 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2007-12-05 02:14 180,224 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-12-05 02:11 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-12-02 16:56 321 ----a-w C:\license.dat
2007-12-02 16:37 --------- d-----w C:\Documents and Settings\Admin\Application Data\SSH
2007-12-01 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-01 23:28 --------- d-----w C:\Documents and Settings\Admin\Application Data\NewsBin
2007-11-20 03:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\SimCity Societies
2007-11-20 03:09 --------- d-----w C:\Program Files\Electronic Arts
2007-11-18 21:35 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-18 17:27 --------- d-----w C:\Documents and Settings\Admin\Application Data\EndNote
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-05 01:39 429 ----a-w C:\0030BD1CDE94__0-741837788253016.dat
2007-11-03 17:38 363,368 ----a-w C:\WINDOWS\system32\Incinerator.dll
2007-10-30 23:43 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 15:04 74,703 ----a-w C:\WINDOWS\system32\mfc45.dll
.
------w            48,752 2007-12-26 14:04:47  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w           286,720 2007-12-25 19:45:49  C:\Program Files\QuickTime\QTTask        .exe
----a-w         1,460,560 2007-12-30 16:03:23  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w            15,360 2007-12-30 16:08:50  C:\WINDOWS\system32\ctfmon .exe


((((((((((((((((((((((((((((( snapshot_2008-01-04_13.47.41.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-01-30 16:21:34 128,813 ----a-w C:\WINDOWS\system32\atiicdxx.dat
+ 2007-11-06 14:19:00 158,080 ----a-w C:\WINDOWS\system32\atiicdxx.dat
+ 2007-12-05 02:33:27 3,107,788 ----a-w C:\WINDOWS\system32\ativva5x.dat
+ 2007-12-05 02:33:27 887,724 ----a-w C:\WINDOWS\system32\ativva6x.dat
- 2007-02-02 19:40:11 3,107,788 ----a-w C:\WINDOWS\system32\ativvaxx.dat
+ 2007-12-05 02:33:27 3,107,788 ----a-w C:\WINDOWS\system32\ativvaxx.dat
- 2007-02-02 19:20:28 348,160 -c--a-w C:\WINDOWS\system32\dllcache\ati2cqag.dll
+ 2007-12-05 02:11:18 499,712 -c--a-w C:\WINDOWS\system32\dllcache\ati2cqag.dll
- 2007-02-02 20:03:43 264,704 -c--a-w C:\WINDOWS\system32\dllcache\ati2dvag.dll
+ 2007-12-05 03:04:08 269,312 -c--a-w C:\WINDOWS\system32\dllcache\ati2dvag.dll
- 2007-02-02 20:03:25 1,975,296 -c--a-w C:\WINDOWS\system32\dllcache\ati2mtag.sys
+ 2007-12-05 05:26:40 2,782,208 -c--a-w C:\WINDOWS\system32\dllcache\ati2mtag.sys
- 2007-02-02 19:46:45 2,827,968 -c--a-w C:\WINDOWS\system32\dllcache\ati3duag.dll
+ 2007-12-05 02:44:54 3,175,584 -c--a-w C:\WINDOWS\system32\dllcache\ati3duag.dll
- 2007-02-02 19:40:29 1,272,960 -c--a-w C:\WINDOWS\system32\dllcache\ativvaxx.dll
+ 2007-12-05 02:33:47 1,640,192 -c--a-w C:\WINDOWS\system32\dllcache\ativvaxx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-09-16 20:05:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" -atboottime

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S2 BT848;BtCap, WDM Video Capture;C:\WINDOWS\system32\drivers\BT848.sys [2000-03-29 08:26]
S2 BTTUNER;BtTuner, WDM TvTuner;C:\WINDOWS\system32\drivers\BTTUNER.sys [2000-03-29 08:26]
S2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.sys [2000-03-29 08:26]
S2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2005-06-10 08:01]
S3 BOCDRIVE;BOClean Kernel Monitor.;C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 15:10]
S3 PEEK5;PEEK5 Protocol Driver;C:\DOCUME~1\Admin\Desktop\WINDOW~1\AIRSNO~1.6_W\PEEK5.SYS []

*Newly Created Service* - BTTUNER
*Newly Created Service* - BTXBAR
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 21:46:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-04 21:47:37
ComboFix-quarantined-files.txt 2008-01-05 03:47:16
ComboFix2.txt 2008-01-05 03:05:11
ComboFix3.txt 2008-01-04 19:49:27
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:08 PM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Trend Micro\HijackThis\safer.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1188054514343
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.2.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFEF4629-A2C2-4568-A4C4-7413D063E329}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - c:\altera\72\quartus\bin\jtagserver.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7923 bytes
 
Good Morning,

Your Tea Timer is still active and is most likely preventing the other entries from being removed. It's possible that since that program is infected it's preventing you from disabling it.

Go to your Add Remove Programs in the Control Panel and uninstall Spybot Search and Destroy.

Then reboot and delete the entire folder.
C:\Program Files\Spybot - Search & Destroy



Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space above and to the left of File::

RenV::
------w 48,752 2007-12-26 14:04:47 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 286,720 2007-12-25 19:45:49 C:\Program Files\QuickTime\QTTask .exe
----a-w 1,460,560 2007-12-30 16:03:23 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 15,360 2007-12-30 16:08:50 C:\WINDOWS\system32\ctfmon .exe


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif




This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
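A small checker for the file-name pattern the two RenV:: blocks above target, added here as an example and not part of the thread or of ComboFix: it parses ComboFix-style listing lines (attributes, size, timestamp, path), flags executables whose name carries whitespace before the extension (the "QTTask .exe" form), notes when the canonical name is also present in the same listing, and renders the RenV:: block in the format the helper pasted. The sample listing is constructed from the four lines in the post plus one made-up clean ctfmon.exe entry.

```python
import re
from dataclasses import dataclass

# One ComboFix listing line, e.g.
# ----a-w 286,720 2007-12-25 19:45:49 C:\Program Files\QuickTime\QTTask .exe
# (attributes, comma-grouped size, date, time, path). Only this layout is handled;
# the Find3M and snapshot sections of the log use a different column order.
LISTING_RE = re.compile(
    r"^(?P<attrs>[-a-zA-Z]+)\s+"
    r"(?P<size>\d{1,3}(?:,\d{3})*|\d+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<path>\S.*?)\s*$"
)

# A file name whose stem is followed by spaces/tabs and then an executable extension.
SPACED_EXT_RE = re.compile(
    r"^(?P<stem>.*?\S)[ \t]+(?P<ext>\.(?:exe|dll|sys|com|scr|cpl))$", re.IGNORECASE
)


@dataclass(frozen=True)
class Entry:
    attrs: str
    size: int
    timestamp: str
    path: str


def parse_listing_line(line):
    """Return an Entry for a listing line, or None for headers and blank lines."""
    m = LISTING_RE.match(line.strip())
    if m is None:
        return None
    return Entry(
        attrs=m["attrs"],
        size=int(m["size"].replace(",", "")),
        timestamp=f"{m['date']} {m['time']}",
        path=m["path"],
    )


def canonical_name(path):
    """If the file name has whitespace before its extension, return the path with
    that whitespace removed; otherwise return None (the name is not suspicious)."""
    folder, sep, name = path.rpartition("\\")
    m = SPACED_EXT_RE.match(name)
    if m is None:
        return None
    return f"{folder}{sep}{m['stem']}{m['ext']}"


def find_spaced_executables(lines):
    """Return (entry, canonical_path, canonical_also_listed) for each suspicious entry.
    canonical_also_listed is True when the de-spaced name appears in the same listing,
    i.e. the odd file sits beside a file with the expected name."""
    entries = [e for e in map(parse_listing_line, lines) if e is not None]
    listed = {e.path.lower() for e in entries}
    findings = []
    for e in entries:
        canon = canonical_name(e.path)
        if canon is not None:
            findings.append((e, canon, canon.lower() in listed))
    return findings


def build_renv_script(findings):
    """Render a RenV:: block (no leading whitespace before RenV::) from the findings,
    one listing line per suspicious file, as the helper's script is laid out."""
    out = ["RenV::"]
    for e, _canon, _listed in findings:
        out.append(f"{e.attrs} {e.size:,} {e.timestamp} {e.path}")
    return "\n".join(out) + "\n"


# Constructed sample: the four lines from the helper's RenV:: block plus a clean
# ctfmon.exe entry (made up here) to show the legitimate file is not flagged.
SAMPLE_LISTING = """\
------w 48,752 2007-12-26 14:04:47 C:\\Program Files\\Common Files\\Symantec Shared\\ccApp .exe
----a-w 286,720 2007-12-25 19:45:49 C:\\Program Files\\QuickTime\\QTTask .exe
----a-w 1,460,560 2007-12-30 16:03:23 C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer .exe
----a-w 15,360 2007-12-30 16:08:50 C:\\WINDOWS\\system32\\ctfmon .exe
----a-w 15,360 2004-08-03 23:56:00 C:\\WINDOWS\\system32\\ctfmon.exe
""".splitlines()

if __name__ == "__main__":
    found = find_spaced_executables(SAMPLE_LISTING)
    for entry, canon, clash in found:
        note = " (canonical name also present in listing)" if clash else ""
        print(f"{entry.path!r} -> {canon!r}{note}")
    print(build_renv_script(found))
```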
 
ComboFix 08-01-04.1 - Admin 2008-01-05 10:06:29.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.671 [GMT -6:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix(2).exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-04 21:22 . 2007-12-05 14:17 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-01-04 21:21 . 2008-01-04 21:21 <DIR> d-------- C:\Program Files\ATI Technologies
2008-01-04 20:57 . 2008-01-04 20:57 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-04 13:39 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 13:10 . 2008-01-04 13:10 <DIR> d-------- C:\VundoFix Backups
2008-01-02 10:58 . 2008-01-02 11:00 1,355 --a------ C:\WINDOWS\imsins.BAK
2007-12-30 15:13 . 2007-12-30 15:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-29 00:07 . 2007-12-29 00:07 <DIR> d-------- C:\Deckard
2007-12-28 20:01 . 2007-12-28 20:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-27 20:01 . 2007-12-28 16:12 1,031,259 --ahs---- C:\WINDOWS\system32\nscdapyd.ini
2007-12-26 19:27 . 2004-08-03 23:08 59,136 --a------ C:\WINDOWS\system32\drivers\GcKernel.sys
2007-12-26 19:27 . 2004-08-03 23:08 59,136 --a--c--- C:\WINDOWS\system32\dllcache\gckernel.sys
2007-12-26 19:27 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-12-26 19:27 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-12-26 19:27 . 2001-08-17 14:02 2,688 --a------ C:\WINDOWS\system32\drivers\HIDSwvd.sys
2007-12-26 19:27 . 2001-08-17 14:02 2,688 --a--c--- C:\WINDOWS\system32\dllcache\hidswvd.sys
2007-12-26 09:52 . 2007-12-26 10:01 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-26 09:52 . 2007-12-26 10:01 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-26 09:50 . 2007-12-26 09:50 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-26 09:50 . 2008-01-05 10:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-26 09:49 . 2008-01-05 10:12 5,643,040 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-26 09:49 . 2008-01-05 10:12 99,616 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-26 09:49 . 2008-01-05 10:01 78,452 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-26 09:49 . 2008-01-05 10:01 11,288 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-26 09:38 . 2007-12-26 09:38 <DIR> d-------- C:\KAV
2007-12-23 18:46 . 2007-12-23 18:46 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2007-12-23 18:46 . 2007-12-23 18:46 <DIR> d-------- C:\Program Files\MSECACHE
2007-12-23 18:25 . 2007-12-23 18:25 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-23 18:25 . 2007-12-23 18:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-23 18:15 . 2007-12-23 18:20 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-23 18:05 . 2007-12-23 18:05 <DIR> d-------- C:\Program Files\Comodo
2007-12-23 18:05 . 2007-11-26 10:38 238,848 --a------ C:\WINDOWS\UNBOC.EXE
2007-12-23 18:05 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2007-12-23 18:05 . 2004-08-03 23:56 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2007-12-22 14:47 . 2007-12-30 10:08 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-22 11:21 . 2008-01-04 21:12 381 --a------ C:\WINDOWS\wininit.ini
2007-12-20 11:26 . 2007-12-31 08:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-20 11:26 . 2007-12-20 11:26 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-19 21:59 . 2007-12-31 09:50 <DIR> d-------- C:\Program Files\QuickTime
2007-12-18 09:34 . 2007-12-19 17:32 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\DAEMON Tools
2007-12-18 09:29 . 2007-12-18 09:34 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2007-12-18 09:25 . 2007-12-18 09:25 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-18 08:50 . 2007-12-27 08:51 <DIR> d-------- C:\Program Files\LucasArts
2007-12-11 13:46 . 2007-12-11 13:46 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 13:46 . 2007-12-11 13:46 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-12-11 13:46 . 2007-12-11 13:46 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-12-11 13:45 . 2007-12-11 13:45 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 13:45 . 2007-12-11 13:45 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-11 13:43 . 2007-12-11 13:43 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-10 20:06 . 2007-12-10 20:06 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 16:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-05 16:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-05 03:15 --------- d-----w C:\Program Files\Google
2008-01-05 03:12 --------- d-----w C:\Program Files\Apple Software Update
2008-01-04 02:04 --------- d-----w C:\Program Files\Last.fm
2008-01-03 21:48 --------- d-----w C:\Documents and Settings\Admin\Application Data\uTorrent
2008-01-02 15:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-31 15:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-31 15:47 --------- d-----w C:\Program Files\Java
2007-12-26 15:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-25 23:25 --------- d-----w C:\Program Files\DivX
2007-12-24 01:49 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-24 00:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-20 17:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
2007-12-16 18:08 --------- d-----w C:\Program Files\ShurikSoft
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-11 19:44 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-12-11 19:44 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-11 19:44 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-11 19:44 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 19:44 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-11 19:44 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 19:44 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-11 19:44 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-12-11 19:44 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-05 05:26 2,782,208 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-12-05 03:05 368,640 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-12-05 03:04 269,312 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-12-05 02:56 147,456 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-12-05 02:55 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-12-05 02:55 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-12-05 02:54 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-12-05 02:53 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-12-05 02:53 495,616 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-12-05 02:48 9,535,488 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-12-05 02:44 3,175,584 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-12-05 02:33 1,640,192 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-12-05 02:19 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-12-05 02:19 385,024 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-12-05 02:17 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-12-05 02:16 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2007-12-05 02:14 180,224 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-12-05 02:11 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-12-02 16:56 321 ----a-w C:\license.dat
2007-12-02 16:37 --------- d-----w C:\Documents and Settings\Admin\Application Data\SSH
2007-12-01 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-01 23:28 --------- d-----w C:\Documents and Settings\Admin\Application Data\NewsBin
2007-11-20 03:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\SimCity Societies
2007-11-20 03:09 --------- d-----w C:\Program Files\Electronic Arts
2007-11-18 21:35 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-18 17:27 --------- d-----w C:\Documents and Settings\Admin\Application Data\EndNote
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-05 01:39 429 ----a-w C:\0030BD1CDE94__0-741837788253016.dat
2007-11-03 17:38 363,368 ----a-w C:\WINDOWS\system32\Incinerator.dll
2007-10-30 23:43 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 15:04 74,703 ----a-w C:\WINDOWS\system32\mfc45.dll
.
----a-w           286,720 2007-12-25 19:45:49  C:\Program Files\QuickTime\QTTask        .exe
----a-w            15,360 2007-12-30 16:08:50  C:\WINDOWS\system32\ctfmon .exe


((((((((((((((((((((((((((((( snapshot_2008-01-04_13.47.41.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-01-30 16:21:34 128,813 ----a-w C:\WINDOWS\system32\atiicdxx.dat
+ 2007-11-06 14:19:00 158,080 ----a-w C:\WINDOWS\system32\atiicdxx.dat
+ 2007-12-05 02:33:27 3,107,788 ----a-w C:\WINDOWS\system32\ativva5x.dat
+ 2007-12-05 02:33:27 887,724 ----a-w C:\WINDOWS\system32\ativva6x.dat
- 2007-02-02 19:40:11 3,107,788 ----a-w C:\WINDOWS\system32\ativvaxx.dat
+ 2007-12-05 02:33:27 3,107,788 ----a-w C:\WINDOWS\system32\ativvaxx.dat
- 2007-02-02 19:20:28 348,160 -c--a-w C:\WINDOWS\system32\dllcache\ati2cqag.dll
+ 2007-12-05 02:11:18 499,712 -c--a-w C:\WINDOWS\system32\dllcache\ati2cqag.dll
- 2007-02-02 20:03:43 264,704 -c--a-w C:\WINDOWS\system32\dllcache\ati2dvag.dll
+ 2007-12-05 03:04:08 269,312 -c--a-w C:\WINDOWS\system32\dllcache\ati2dvag.dll
- 2007-02-02 20:03:25 1,975,296 -c--a-w C:\WINDOWS\system32\dllcache\ati2mtag.sys
+ 2007-12-05 05:26:40 2,782,208 -c--a-w C:\WINDOWS\system32\dllcache\ati2mtag.sys
- 2007-02-02 19:46:45 2,827,968 -c--a-w C:\WINDOWS\system32\dllcache\ati3duag.dll
+ 2007-12-05 02:44:54 3,175,584 -c--a-w C:\WINDOWS\system32\dllcache\ati3duag.dll
- 2007-02-02 19:40:29 1,272,960 -c--a-w C:\WINDOWS\system32\dllcache\ativvaxx.dll
+ 2007-12-05 02:33:47 1,640,192 -c--a-w C:\WINDOWS\system32\dllcache\ativvaxx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-09-16 20:05:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" -atboottime

R2 BT848;BtCap, WDM Video Capture;C:\WINDOWS\system32\drivers\BT848.sys [2000-03-29 08:26]
R2 BTTUNER;BtTuner, WDM TvTuner;C:\WINDOWS\system32\drivers\BTTUNER.sys [2000-03-29 08:26]
R2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.sys [2000-03-29 08:26]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2005-06-10 08:01]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S3 BOCDRIVE;BOClean Kernel Monitor.;C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 15:10]
S3 PEEK5;PEEK5 Protocol Driver;C:\DOCUME~1\Admin\Desktop\WINDOW~1\AIRSNO~1.6_W\PEEK5.SYS []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 10:12:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-05 10:13:48
ComboFix-quarantined-files.txt 2008-01-05 16:13:38
ComboFix2.txt 2008-01-05 03:47:37
ComboFix3.txt 2008-01-05 03:05:11
ComboFix4.txt 2008-01-04 19:49:27
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:01 AM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\safer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1188054514343
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.2.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFEF4629-A2C2-4568-A4C4-7413D063E329}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - c:\altera\72\quartus\bin\jtagserver.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7462 bytes
 
This is a relatively new infection, so we are still working on a complete fix.

Go to Add/Remove Programs in the Control Panel and uninstall QuickTime (C:\Program Files\QuickTime).

Open HijackThis and do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entry and click Fix Checked:

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


Boot back into Safe Mode and run this script again.

Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above RenV::

RenV::
----a-w 286,720 2007-12-25 19:45:49 C:\Program Files\QuickTime\QTTask .exe
----a-w 15,360 2007-12-30 16:08:50 C:\WINDOWS\system32\ctfmon .exe

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.


Run this scanner from Nod32
ESET Online Scanner
  • Please go to the following link ESET Online Scanner Link
  • Tick the box YES, I accept the Terms Of Use
  • Click the Start button
  • Now click the Install button
  • Click Start

    The scanner engine will initialise and update
  • Do Not tick the box Remove found threats
  • Click the Scan button

    The scan will now run, please be patient
  • When the scan finishes click the Details tab
  • Copy and paste the contents of the :\Program Files\EsetOnlineScanner\log.txt back here.


Let me see the new ComboFix log, the ESET log and a new HJT log, please.
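The two files the RenV:: script targets are the interesting part of this thread: the malware sits in the same folder as a legitimate binary under a name that differs only by a run of spaces before the extension ("ctfmon .exe" beside the real ctfmon.exe, "QTTask        .exe" beside QuickTime's QTTask.exe), and the disabled Run entry quotes the whole path so the space is part of the name. The script below is an added example for this thread, not code from ComboFix, HijackThis or either poster. It parses the two "files with whitespace" lines exactly as ComboFix printed them above and reports names whose stem ends in whitespace, or which collide with a clean file in the same folder once whitespace is stripped. The list of clean neighbour files is constructed for the example; on a live machine you would feed it a real directory listing instead.

```python
"""Spot whitespace-padded executable names of the kind ComboFix found here.

Added example for this thread; not ComboFix, HijackThis or the posters' code.
COMBOFIX_LINES are copied from the log above. CLEAN_NEIGHBOURS is a
constructed listing of legitimate files so the lookalike check has something
to compare against.
"""
import ntpath
import re
from collections import defaultdict

# Extensions Windows will execute or load directly.
EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".cpl"}

# The two "files with whitespace" lines as ComboFix printed them.
COMBOFIX_LINES = [
    r"----a-w           286,720 2007-12-25 19:45:49  C:\Program Files\QuickTime\QTTask        .exe",
    r"----a-w            15,360 2007-12-30 16:08:50  C:\WINDOWS\system32\ctfmon .exe",
]

# Constructed: legitimate files next to the suspects. ctfmon.exe is the real
# Windows text-services loader; QTTask.exe is QuickTime's own launcher. The
# last two show that spaces in the *folder* name are left alone.
CLEAN_NEIGHBOURS = [
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\Program Files\QuickTime\QTTask.exe",
    r"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe",
    r"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll",
]

# attributes, size, "YYYY-MM-DD HH:MM:SS", then the path. The path is captured
# greedily to end of line so a run of spaces inside the file name survives.
_CF_LINE = re.compile(
    r"^(?P<attrs>[-a-z]+)\s+(?P<size>[\d,]+)\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>.+)$"
)


def parse_combofix_line(line):
    """Split one ComboFix file line into (attrs, size_bytes, timestamp, path)."""
    m = _CF_LINE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a ComboFix file line: %r" % line)
    return (m["attrs"], int(m["size"].replace(",", "")), m["stamp"], m["path"])


def canonical(path):
    """Key ignoring case and all whitespace in the file name, so
    'ctfmon .exe' and 'ctfmon.exe' in the same folder collide."""
    folder, name = ntpath.split(path)
    return folder.lower(), re.sub(r"\s+", "", name).lower()


def find_whitespace_lookalikes(paths):
    """Return sorted (suspect_path, reason, clean_sibling_or_None) tuples.

    A file is reported when its stem (name minus extension) ends in
    whitespace, which is how both files in the log were built, or when
    removing whitespace from its name makes it identical to another file in
    the same folder. Interior spaces alone ('Some Tool.exe') are not reported.
    """
    by_key = defaultdict(list)
    for p in paths:
        name = ntpath.basename(p)
        if ntpath.splitext(name)[1].lower() in EXEC_EXTS:
            by_key[canonical(p)].append(p)

    findings = []
    for members in by_key.values():
        clean = [p for p in members if not re.search(r"\s", ntpath.basename(p))]
        for p in members:
            stem = ntpath.splitext(ntpath.basename(p))[0]
            if stem != stem.rstrip():
                reason = "whitespace between name and extension"
            elif clean and p not in clean:
                reason = "collides with a clean file name after removing whitespace"
            else:
                continue
            findings.append((p, reason, clean[0] if clean else None))
    return sorted(findings)


def scan_combofix_lines(lines, known_files):
    """Parse ComboFix lines and check them against a directory listing."""
    parsed = [parse_combofix_line(line) for line in lines]
    return find_whitespace_lookalikes([item[3] for item in parsed] + list(known_files))


if __name__ == "__main__":
    for path, reason, sibling in scan_combofix_lines(COMBOFIX_LINES, CLEAN_NEIGHBOURS):
        print("%-55s %s" % (path, reason))
        if sibling:
            print("    legitimate sibling: %s" % sibling)
```

The parser keeps the padded name character for character, which matters for the RenV:: step: ComboFix has to match the exact run of spaces, and ordinary HTML rendering collapses repeated spaces, which is why the names have to be copied from the code box rather than from the surrounding post text. The canonical-key grouping is also what would catch a padded lookalike that the stem-trailing-space rule alone misses, such as "foo bar.exe" planted beside foobar.exe.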
 
ComboFix 08-01-04.1 - Admin 2008-01-05 11:10:39.11 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.789 [GMT -6:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix(2).exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-04 21:22 . 2007-12-05 14:17 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-01-04 21:21 . 2008-01-04 21:21 <DIR> d-------- C:\Program Files\ATI Technologies
2008-01-04 20:57 . 2008-01-04 20:57 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-04 13:39 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 13:10 . 2008-01-04 13:10 <DIR> d-------- C:\VundoFix Backups
2008-01-02 10:58 . 2008-01-02 11:00 1,355 --a------ C:\WINDOWS\imsins.BAK
2007-12-30 15:13 . 2007-12-30 15:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-29 00:07 . 2007-12-29 00:07 <DIR> d-------- C:\Deckard
2007-12-28 20:01 . 2007-12-28 20:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-27 20:01 . 2007-12-28 16:12 1,031,259 --ahs---- C:\WINDOWS\system32\nscdapyd.ini
2007-12-26 19:27 . 2004-08-03 23:08 59,136 --a------ C:\WINDOWS\system32\drivers\GcKernel.sys
2007-12-26 19:27 . 2004-08-03 23:08 59,136 --a--c--- C:\WINDOWS\system32\dllcache\gckernel.sys
2007-12-26 19:27 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-12-26 19:27 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-12-26 19:27 . 2001-08-17 14:02 2,688 --a------ C:\WINDOWS\system32\drivers\HIDSwvd.sys
2007-12-26 19:27 . 2001-08-17 14:02 2,688 --a--c--- C:\WINDOWS\system32\dllcache\hidswvd.sys
2007-12-26 09:52 . 2007-12-26 10:01 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-26 09:52 . 2007-12-26 10:01 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-26 09:50 . 2007-12-26 09:50 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-26 09:50 . 2008-01-05 10:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-26 09:49 . 2008-01-05 11:08 5,653,792 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-26 09:49 . 2008-01-05 11:08 100,128 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-26 09:49 . 2008-01-05 11:08 78,884 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-26 09:49 . 2008-01-05 11:08 11,504 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-26 09:38 . 2007-12-26 09:38 <DIR> d-------- C:\KAV
2007-12-23 18:46 . 2007-12-23 18:46 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2007-12-23 18:46 . 2007-12-23 18:46 <DIR> d-------- C:\Program Files\MSECACHE
2007-12-23 18:25 . 2007-12-23 18:25 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-23 18:25 . 2007-12-23 18:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-23 18:15 . 2007-12-23 18:20 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-23 18:05 . 2007-12-23 18:05 <DIR> d-------- C:\Program Files\Comodo
2007-12-23 18:05 . 2007-11-26 10:38 238,848 --a------ C:\WINDOWS\UNBOC.EXE
2007-12-23 18:05 . 2007-05-08 17:01 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2007-12-23 18:05 . 2004-08-03 23:56 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2007-12-22 14:47 . 2007-12-30 10:08 15,360 --------- C:\WINDOWS\system32\ctfmon .exe
2007-12-22 11:21 . 2008-01-04 21:12 381 --a------ C:\WINDOWS\wininit.ini
2007-12-20 11:26 . 2007-12-31 08:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-20 11:26 . 2007-12-20 11:26 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-19 21:59 . 2007-12-31 09:50 <DIR> d-------- C:\Program Files\QuickTime
2007-12-18 09:34 . 2007-12-19 17:32 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\DAEMON Tools
2007-12-18 09:29 . 2007-12-18 09:34 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2007-12-18 09:25 . 2007-12-18 09:25 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-18 08:50 . 2007-12-27 08:51 <DIR> d-------- C:\Program Files\LucasArts
2007-12-11 13:46 . 2007-12-11 13:46 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 13:46 . 2007-12-11 13:46 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-12-11 13:46 . 2007-12-11 13:46 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-12-11 13:45 . 2007-12-11 13:45 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 13:45 . 2007-12-11 13:45 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-11 13:43 . 2007-12-11 13:43 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-10 20:06 . 2007-12-10 20:06 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 16:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-05 16:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-05 03:15 --------- d-----w C:\Program Files\Google
2008-01-05 03:12 --------- d-----w C:\Program Files\Apple Software Update
2008-01-04 02:04 --------- d-----w C:\Program Files\Last.fm
2008-01-03 21:48 --------- d-----w C:\Documents and Settings\Admin\Application Data\uTorrent
2008-01-02 15:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-31 15:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-31 15:47 --------- d-----w C:\Program Files\Java
2007-12-26 15:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-25 23:25 --------- d-----w C:\Program Files\DivX
2007-12-24 01:49 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-24 00:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-20 17:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
2007-12-16 18:08 --------- d-----w C:\Program Files\ShurikSoft
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-11 19:44 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-11 19:44 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-12-11 19:44 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-11 19:44 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-11 19:44 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 19:44 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-11 19:44 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 19:44 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-11 19:44 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-12-11 19:44 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-05 05:26 2,782,208 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-12-05 03:05 368,640 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-12-05 03:04 269,312 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-12-05 02:56 147,456 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-12-05 02:55 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-12-05 02:55 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-12-05 02:54 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-12-05 02:53 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-12-05 02:53 495,616 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-12-05 02:48 9,535,488 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-12-05 02:44 3,175,584 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-12-05 02:33 1,640,192 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-12-05 02:19 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-12-05 02:19 385,024 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-12-05 02:17 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-12-05 02:16 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2007-12-05 02:14 180,224 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-12-05 02:11 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-12-02 16:56 321 ----a-w C:\license.dat
2007-12-02 16:37 --------- d-----w C:\Documents and Settings\Admin\Application Data\SSH
2007-12-01 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-01 23:28 --------- d-----w C:\Documents and Settings\Admin\Application Data\NewsBin
2007-11-20 03:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\SimCity Societies
2007-11-20 03:09 --------- d-----w C:\Program Files\Electronic Arts
2007-11-18 21:35 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-18 17:27 --------- d-----w C:\Documents and Settings\Admin\Application Data\EndNote
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-05 01:39 429 ----a-w C:\0030BD1CDE94__0-741837788253016.dat
2007-11-03 17:38 363,368 ----a-w C:\WINDOWS\system32\Incinerator.dll
2007-10-30 23:43 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 15:04 74,703 ----a-w C:\WINDOWS\system32\mfc45.dll
.
----a-w           286,720 2007-12-25 19:45:49  C:\Program Files\QuickTime\QTTask        .exe
------w            15,360 2007-12-30 16:08:50  C:\WINDOWS\system32\ctfmon .exe


((((((((((((((((((((((((((((( snapshot_2008-01-04_13.47.41.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-01-30 16:21:34 128,813 ----a-w C:\WINDOWS\system32\atiicdxx.dat
+ 2007-11-06 14:19:00 158,080 ----a-w C:\WINDOWS\system32\atiicdxx.dat
+ 2007-12-05 02:33:27 3,107,788 ----a-w C:\WINDOWS\system32\ativva5x.dat
+ 2007-12-05 02:33:27 887,724 ----a-w C:\WINDOWS\system32\ativva6x.dat
- 2007-02-02 19:40:11 3,107,788 ----a-w C:\WINDOWS\system32\ativvaxx.dat
+ 2007-12-05 02:33:27 3,107,788 ----a-w C:\WINDOWS\system32\ativvaxx.dat
- 2007-02-02 19:20:28 348,160 -c--a-w C:\WINDOWS\system32\dllcache\ati2cqag.dll
+ 2007-12-05 02:11:18 499,712 -c--a-w C:\WINDOWS\system32\dllcache\ati2cqag.dll
- 2007-02-02 20:03:43 264,704 -c--a-w C:\WINDOWS\system32\dllcache\ati2dvag.dll
+ 2007-12-05 03:04:08 269,312 -c--a-w C:\WINDOWS\system32\dllcache\ati2dvag.dll
- 2007-02-02 20:03:25 1,975,296 -c--a-w C:\WINDOWS\system32\dllcache\ati2mtag.sys
+ 2007-12-05 05:26:40 2,782,208 -c--a-w C:\WINDOWS\system32\dllcache\ati2mtag.sys
- 2007-02-02 19:46:45 2,827,968 -c--a-w C:\WINDOWS\system32\dllcache\ati3duag.dll
+ 2007-12-05 02:44:54 3,175,584 -c--a-w C:\WINDOWS\system32\dllcache\ati3duag.dll
- 2007-02-02 19:40:29 1,272,960 -c--a-w C:\WINDOWS\system32\dllcache\ativvaxx.dll
+ 2007-12-05 02:33:47 1,640,192 -c--a-w C:\WINDOWS\system32\dllcache\ativvaxx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-09-16 20:05:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" -atboottime

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S2 BT848;BtCap, WDM Video Capture;C:\WINDOWS\system32\drivers\BT848.sys [2000-03-29 08:26]
S2 BTTUNER;BtTuner, WDM TvTuner;C:\WINDOWS\system32\drivers\BTTUNER.sys [2000-03-29 08:26]
S2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.sys [2000-03-29 08:26]
S2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2005-06-10 08:01]
S3 BOCDRIVE;BOClean Kernel Monitor.;C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 15:10]
S3 PEEK5;PEEK5 Protocol Driver;C:\DOCUME~1\Admin\Desktop\WINDOW~1\AIRSNO~1.6_W\PEEK5.SYS []

*Newly Created Service* - BTTUNER
*Newly Created Service* - BTXBAR
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 11:16:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-05 11:17:39
ComboFix-quarantined-files.txt 2008-01-05 17:17:18
ComboFix2.txt 2008-01-05 16:13:48
ComboFix3.txt 2008-01-05 03:47:37
ComboFix4.txt 2008-01-05 03:05:11
ComboFix5.txt 2008-01-04 19:49:27
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:06 PM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\safer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1188054514343
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.2.1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFEF4629-A2C2-4568-A4C4-7413D063E329}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - c:\altera\72\quartus\bin\jtagserver.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7608 bytes
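The HijackThis log above is raw tool output. As an added example (not part of the original post, and not code from HijackThis or ComboFix), the Python below parses the R*/O* entry format into records and applies three triage heuristics a reviewer uses when reading such a log by hand: O23 services whose binary carries no publisher information ("Unknown owner"), O16 ActiveX controls fetched from a host outside an allowlist, and O17 nameservers that differ from the expected set. The sample log, the allowlist and the example.invalid host are constructed for this example; the expected DNS set is the pair of resolvers shown in the post's O17 line (OpenDNS). A finding is a prompt to look the item up, not a verdict that it is malicious.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v2 log format. Paths, GUIDs, the service
# name "exsvc" and the host cdn.example.invalid are made up for this demo.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/x/wuweb_site.cab
O16 - DPF: {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} (Example Control) - http://cdn.example.invalid/ctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFEF4629-A2C2-4568-A4C4-7413D063E329}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Example Svc (exsvc) - Unknown owner - C:\WINDOWS\system32\exsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 1234 bytes
"""

# An entry line is "<code> - <body>", e.g. "O23 - Service: ...".
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<desc>[^)]*)\) - (?P<src>.+)$")
O17_RE = re.compile(r"NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def parse_hjt(text):
    """Turn the R*/O* section of a HijackThis log into dicts keyed by code.

    Header, process list, blank lines and the 'End of file' trailer are skipped.
    """
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        entry = {"code": code, "raw": raw.strip()}
        if code == "O23" and body.startswith("Service: "):
            # "Service: <display name> (<svc name>) - <publisher> - <path>"
            parts = body[len("Service: "):].split(" - ", 2)
            if len(parts) == 3:
                entry.update(name=parts[0], owner=parts[1], path=parts[2])
        elif code == "O16":
            d = O16_RE.match(body)
            if d:
                entry.update(clsid=d.group("clsid"), desc=d.group("desc"), src=d.group("src"))
        elif code == "O17":
            n = O17_RE.search(body)
            if n:
                entry["nameservers"] = [ip.strip() for ip in n.group("servers").split(",")]
        elif code == "O4":
            a = O4_RE.match(body)
            if a:
                entry.update(location=a.group("hive"), name=a.group("name"), command=a.group("cmd"))
        entries.append(entry)
    return entries


def host_allowed(host, allow):
    """True if host equals an allowlisted domain or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allow)


def triage(entries, cab_host_allow, expected_dns):
    """Return findings worth a second look. Heuristics only, not verdicts."""
    findings = []
    for e in entries:
        if e["code"] == "O23" and e.get("owner") == "Unknown owner":
            findings.append(f"O23 service '{e['name']}' has no publisher info: {e['path']}")
        elif e["code"] == "O16" and "src" in e:
            host = urlparse(e["src"]).hostname
            if host is None:
                continue  # local path (already-installed DLL), not a download
            if not host_allowed(host, cab_host_allow):
                findings.append(f"O16 ActiveX '{e['desc']}' loads from unlisted host {host}")
        elif e["code"] == "O17":
            for ip in e.get("nameservers", []):
                if ip not in expected_dns:
                    findings.append(f"O17 unexpected nameserver {ip}")
    return findings


if __name__ == "__main__":
    for line in triage(parse_hjt(SAMPLE_LOG), ["microsoft.com"],
                       {"208.67.222.222", "208.67.220.220"}):
        print(line)
```

Run against the sample, the Microsoft cab and both nameservers pass, while the unsigned-looking service and the cab from the unlisted host are reported. Swap in a real log and your own allowlist; an "Unknown owner" hit only means the file had no version-resource company string, which legitimate drivers (the ATI and PunkBuster services in the post, for instance) also produce.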
 