Smitfraud? infection - pop ups, etc.

sev2008

New Member
I have a problem very similar to someone posting just recently.
But the solution involved specific programs that are not on my computer.
I know I have the same recurring core.cache.dsk file in the drivers folder.
I have killed it in safe mode, I have killed it with Spybot and with SmitFraudFix but it keeps on coming back.
Any help will be greatly appreciated.

Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:18 AM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\OpenVPN\bin\openvpn-gui.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Symantec\ACT\act.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\OpenVPN\bin\openvpn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref(".aim.general.im.enterCR", false);
user_pref(".aim.general.im.smilies", true);
user_pref(".aim.general.im.tabKey", false);
user_pref(".aim.general.im.timeStamp", false);
user_pref(".aim.mail.presence", true);
user_pref("Severian2004.aim.session.autologin", false);
user_pref("Severian2004.aim.session.connectionname", "AIM");
user_pref("Severian2004.aim.session.password", "0");
user_pref("Severian2004.aim.session.storepassword", false);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.latestaimscreenname", "Severian2004");
user_pref("aim.session.screenname", "Severian2004");
user_
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref(".aim.general.im.enterCR", false);
user_pref(".aim.general.im.smilies", true);
user_pref(".aim.general.im.tabKey", false);
user_pref(".aim.general.im.timeStamp", false);
user_pref(".aim.mail.presence", true);
user_pref("Severian2004.aim.session.autologin", false);
user_pref("Severian2004.aim.session.connectionname", "AIM");
user_pref("Severian2004.aim.session.password", "0");
user_pref("Severian2004.aim.session.storepassword", false);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.latestaimscreenname", "Severian2004");
user_pref("aim.session.screenname", "Severian2004");
user_
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [openvpn-gui] C:\Program Files\OpenVPN\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-2745678790-3292650235-1482789601-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-2745678790-3292650235-1482789601-1003\..\Run: [MoneyStartUp] c:\Program Files\Microsoft Money\System\Money Startup.exe (User '?')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.napster.com/client/isetup.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 6768 bytes
 
This seems to be a popular infection at the moment.

1. Please download this file - ComboFix to your desktop
2. Double click ComboFix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply together with a new HijackThis log.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall
 
HijackThis Log

Here's the HijackThis log after running ComboFix.
The Combofix log I will have to cut into 2 parts because it's too large even as an attachment.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:26 AM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\OpenVPN\bin\openvpn-gui.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref(".aim.general.im.enterCR", false);
user_pref(".aim.general.im.smilies", true);
user_pref(".aim.general.im.tabKey", false);
user_pref(".aim.general.im.timeStamp", false);
user_pref(".aim.mail.presence", true);
user_pref("Severian2004.aim.session.autologin", false);
user_pref("Severian2004.aim.session.connectionname", "AIM");
user_pref("Severian2004.aim.session.password", "0");
user_pref("Severian2004.aim.session.storepassword", false);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.latestaimscreenname", "Severian2004");
user_pref("aim.session.screenname", "Severian2004");
user_
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref(".aim.general.im.enterCR", false);
user_pref(".aim.general.im.smilies", true);
user_pref(".aim.general.im.tabKey", false);
user_pref(".aim.general.im.timeStamp", false);
user_pref(".aim.mail.presence", true);
user_pref("Severian2004.aim.session.autologin", false);
user_pref("Severian2004.aim.session.connectionname", "AIM");
user_pref("Severian2004.aim.session.password", "0");
user_pref("Severian2004.aim.session.storepassword", false);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.latestaimscreenname", "Severian2004");
user_pref("aim.session.screenname", "Severian2004");
user_
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [openvpn-gui] C:\Program Files\OpenVPN\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.napster.com/client/isetup.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 6169 bytes
 
Combofix log part 1

Here's part 1 of the Combofix log:

ComboFix 08-01-16.4 - Juan Mendizabal 2008-01-16 2:33:11.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.198 [GMT -8:00]
Running from: C:\Documents and Settings\Juan Mendizabal\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.

2008-01-16 02:59 . 2008-01-16 02:59 <DIR> d-------- C:\Temp\tn3
2008-01-16 02:57 . 2008-01-16 02:57 167,545 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-15 19:17 . 2008-01-15 19:17 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-01-15 14:48 . 2008-01-15 14:48 <DIR> d-------- C:\Documents and Settings\Juan Mendizabal\Application Data\Grisoft
2008-01-15 14:48 . 2008-01-15 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-15 11:47 . 2004-08-03 23:56 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-14 22:40 . 2008-01-16 00:35 <DIR> d-------- C:\Program Files\Safer Networking
2008-01-14 19:42 . 2008-01-14 19:42 <DIR> d-------- C:\Program Files\Panda Security
2008-01-14 17:03 . 2008-01-14 17:03 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-13 14:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-13 14:05 . 2008-01-14 19:50 <DIR> d-------- C:\Documents and Settings\Juan Mendizabal\Pavark
2008-01-13 12:13 . 2008-01-13 12:13 <DIR> d-------- C:\Program Files\Sun
2008-01-13 12:12 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-13 11:39 . 2008-01-13 11:43 <DIR> d-------- C:\Documents and Settings\Juan Mendizabal\.SunDownloadManager
2008-01-13 11:30 . 2008-01-13 11:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-13 10:29 . 2007-10-10 15:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-13 10:29 . 2007-06-30 19:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-13 10:29 . 2007-06-30 19:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-13 10:29 . 2007-10-10 15:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-13 10:29 . 2007-10-10 15:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-13 10:29 . 2007-10-10 15:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-13 10:29 . 2007-10-10 15:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-13 10:29 . 2007-10-10 15:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-13 10:29 . 2007-10-10 02:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-13 10:17 . 2006-06-03 03:40 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-01-13 05:09 . 2006-08-21 01:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-01-13 05:09 . 2006-08-21 01:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-01-13 05:09 . 2006-08-21 04:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-01-13 03:18 . 2007-07-09 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-12 18:25 . 2008-01-13 11:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-12 18:25 . 2008-01-12 18:25 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-12 11:49 . 2008-01-12 11:49 <DIR> d-------- C:\WINDOWS\peernet
2008-01-12 11:37 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-12 11:28 . 2008-01-12 11:28 <DIR> d-------- C:\WINDOWS\EHome
2008-01-12 11:26 . 2008-01-12 11:26 0 --a----t- C:\WINDOWS\003264_.tmp
2008-01-12 10:30 . 2004-08-03 21:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-01-12 10:25 . 2004-08-03 23:56 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-01-11 03:39 . 2008-01-11 03:39 <DIR> d-------- C:\Program Files\CCleaner
2008-01-11 03:21 . 2008-01-15 08:52 346 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-09 15:13 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-09 15:13 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-01-09 01:34 . 2008-01-09 01:34 335 --a------ C:\WINDOWS\compaq.reg
2008-01-08 22:47 . 2008-01-11 02:20 <DIR> d-------- C:\VundoFix Backups
2008-01-08 06:50 . 2008-01-08 06:50 <DIR> d-------- C:\Documents and Settings\lapo\Application Data\alot
2008-01-07 15:45 . 2008-01-07 23:38 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-07 15:45 . 2008-01-07 23:38 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-07 15:42 . 2008-01-07 15:42 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-07 15:42 . 2008-01-16 02:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-07 15:41 . 2008-01-16 02:58 23,919,648 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-07 15:41 . 2008-01-16 02:56 327,644 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-07 15:41 . 2008-01-16 03:00 250,400 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-07 15:41 . 2008-01-16 02:56 26,588 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-07 15:39 . 2008-01-07 15:39 <DIR> d-------- C:\KAV
2008-01-07 15:26 . 2008-01-07 15:26 250 --a------ C:\WINDOWS\gmer.ini
2008-01-07 03:21 . 2008-01-07 04:12 <DIR> d-------- C:\WINDOWS\system32\usmvt3
2008-01-07 03:21 . 2008-01-07 04:16 <DIR> d-------- C:\WINDOWS\system32\drivez4
2008-01-07 03:21 . 2008-01-07 04:12 <DIR> d-------- C:\WINDOWS\system32\comp2
2008-01-07 03:21 . 2008-01-07 03:21 <DIR> d-------- C:\WINDOWS\system32\cache3
2008-01-07 03:21 . 2008-01-07 04:16 <DIR> d--hs---- C:\WINDOWS\SnVhbiBNZW5kaXphYmFs
2008-01-07 03:21 . 2008-01-07 03:21 86,016 --a------ C:\WINDOWS\system32\drivers\pciidexx.sys
2008-01-07 03:20 . 2008-01-09 15:36 <DIR> d-------- C:\WINDOWS\system32\ardCo01
2008-01-07 03:20 . 2008-01-07 03:21 <DIR> d-------- C:\Temp\cEeer12
2008-01-07 03:18 . 2008-01-07 03:24 <DIR> d-------- C:\Documents and Settings\Juan Mendizabal\Application Data\BitTorrent
2008-01-01 10:26 . 2008-01-01 10:26 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2007-12-30 20:33 . 2008-01-05 12:27 <DIR> d-------- C:\Documents and Settings\Juan Mendizabal\Application Data\Roxio
2007-12-30 20:26 . 2007-12-30 20:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2007-12-30 20:25 . 2007-12-30 20:25 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2007-12-30 20:17 . 2007-12-30 20:25 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2007-12-30 20:17 . 2008-01-01 10:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2007-12-29 21:33 . 2007-12-29 21:33 <DIR> d-------- C:\Program Files\MagicDVDRipper
2007-12-27 12:46 . 2007-12-29 18:01 0 --a------ C:\statistics.xml

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 06:53 --------- d-----w C:\Program Files\Aldo's Pianito
2008-01-16 03:14 --------- d-----w C:\Program Files\Yahoo!
2008-01-15 05:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-13 20:27 --------- d-----w C:\Program Files\Java
2008-01-13 19:12 --------- d-----w C:\Documents and Settings\Juan Mendizabal\Application Data\alot
2008-01-11 12:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-11 08:09 --------- d-----w C:\Program Files\OpenVPN
2008-01-11 03:46 --------- d-----w C:\Program Files\Warcraft III
2008-01-11 03:36 --------- d-----w C:\Program Files\PHP Designer 2005
2008-01-09 08:33 --------- d-----w C:\Program Files\QuickTime
2008-01-08 09:01 --------- d-----w C:\Program Files\iTunes
2008-01-07 12:39 --------- d-----w C:\Program Files\BitTorrent
2008-01-05 05:25 --------- d-----w C:\Program Files\Common Files\Native Instruments
2008-01-01 18:24 --------- d-----w C:\Documents and Settings\Juan Mendizabal\Application Data\InstallShield
2007-12-31 04:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-31 04:34 --------- d-----w C:\Program Files\Sonic
2007-12-31 04:26 --------- d-----w C:\Program Files\Roxio
2007-12-31 04:17 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-12-15 05:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-14 22:43 --------- d-----w C:\Program Files\Common Files\LightScribe
2007-11-28 09:28 --------- d-----w C:\Program Files\Lavasoft
2007-11-28 09:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-16 15:15 --------- d-----w C:\Program Files\Apple Software Update
2007-11-16 15:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-10-30 23:05 6,549 ----a-w C:\Documents and Settings\Juan Mendizabal\xrt_log.dat
2007-10-19 12:56 22 ----a-w C:\Documents and Settings\Juan Mendizabal\xrt_collect.zip
2006-08-29 06:15 1,542,144 ----a-w C:\Program Files\iannix 0.611.tar
2003-08-27 22:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
.
----a-w            36,864 2008-01-07 22:56:52  C:\CPQS\scom\srmclean .exe
----a-w           180,269 2008-01-07 22:57:03  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w           228,088 2008-01-07 22:57:14  C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9 .exe
----a-w            28,672 2008-01-08 16:54:09  C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK .exe
----a-w           270,648 2008-01-07 22:57:03  C:\Program Files\iTunes\iTunesHelper .exe
----a-w            49,263 2008-01-07 22:56:51  C:\Program Files\Java\jre1.5.0_08\bin\jusched .exe
----a-w            99,328 2008-01-07 22:56:55  C:\Program Files\OpenVPN\bin\openvpn-gui .exe
----a-w           155,648 2008-01-07 22:56:53  C:\Program Files\VERITAS Software\Update Manager\sgtray .exe
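An added example, not from the original post and not code from ComboFix's author, that automates three checks a helper applies to the "Files Created" section of a ComboFix log like the one above. The records and the "Other Deletions" lines are copied from that log; the scan start time is the one in its header line (2008-01-16 2:33:11); function names and the burst threshold are my own. The checks are: objects whose creation time is at or after the scan start (something still running is re-creating them while ComboFix works), hidden+system objects under C:\WINDOWS and names that are valid base64 for readable text, and bursts of several new objects in the same minute, the usual footprint of a dropper unpacking its components. The burst check is general and works on any ComboFix Files Created section, not only this one.

```python
"""Triage the "Files Created" section of a ComboFix log.

Added example for this thread; not part of ComboFix or of the posted log.
"""
import base64
import binascii
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

SCAN_START = datetime(2008, 1, 16, 2, 33)  # from the header "ComboFix 08-01-16.4 - ... 2008-01-16 2:33:11.2"

# Copied from the posted log, part 1, "Files Created" section.
SAMPLE_CREATED = r"""
2008-01-16 02:59 . 2008-01-16 02:59 <DIR> d-------- C:\Temp\tn3
2008-01-16 02:57 . 2008-01-16 02:57 167,545 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-15 19:17 . 2008-01-15 19:17 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-01-11 03:39 . 2008-01-11 03:39 <DIR> d-------- C:\Program Files\CCleaner
2008-01-07 15:42 . 2008-01-07 15:42 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-07 15:41 . 2008-01-16 02:58 23,919,648 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-07 03:21 . 2008-01-07 04:12 <DIR> d-------- C:\WINDOWS\system32\usmvt3
2008-01-07 03:21 . 2008-01-07 04:16 <DIR> d-------- C:\WINDOWS\system32\drivez4
2008-01-07 03:21 . 2008-01-07 04:12 <DIR> d-------- C:\WINDOWS\system32\comp2
2008-01-07 03:21 . 2008-01-07 03:21 <DIR> d-------- C:\WINDOWS\system32\cache3
2008-01-07 03:21 . 2008-01-07 04:16 <DIR> d--hs---- C:\WINDOWS\SnVhbiBNZW5kaXphYmFs
2008-01-07 03:21 . 2008-01-07 03:21 86,016 --a------ C:\WINDOWS\system32\drivers\pciidexx.sys
2008-01-07 03:20 . 2008-01-09 15:36 <DIR> d-------- C:\WINDOWS\system32\ardCo01
2008-01-07 03:20 . 2008-01-07 03:21 <DIR> d-------- C:\Temp\cEeer12
2008-01-07 03:18 . 2008-01-07 03:24 <DIR> d-------- C:\Documents and Settings\Juan Mendizabal\Application Data\BitTorrent
"""
# Copied from the same log, "Other Deletions" section.
SAMPLE_DELETIONS = r"""
C:\temp\tn3
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
"""

# <created> . <modified> <size or <DIR>> <9-char attribute string> <path>
RECORD_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+?)\s*$"
)


class Record(NamedTuple):
    created: datetime
    modified: datetime
    attrs: str
    path: str


def parse_created(text: str) -> List[Record]:
    """Parse the Files Created records; lines that are not records are skipped."""
    records: List[Record] = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append(Record(
                datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
                datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
                m["attrs"], m["path"]))
    return records


def base64_plaintext(name: str) -> Optional[str]:
    """Decoded text if `name` is base64 for printable ASCII, else None."""
    if len(name) < 8 or len(name) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", name):
        return None
    try:
        raw = base64.b64decode(name, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("ascii") if raw and all(0x20 <= b < 0x7F for b in raw) else None


def flag_record(rec: Record, scan_start: datetime) -> List[str]:
    """Reasons a single record deserves a look (empty list if none)."""
    reasons: List[str] = []
    if rec.created >= scan_start:
        reasons.append("created after the scan started: something active is re-creating it")
    if "h" in rec.attrs and "s" in rec.attrs and rec.path.lower().startswith(r"c:\windows"):
        reasons.append("hidden+system object under the Windows tree")
    decoded = base64_plaintext(rec.path.rsplit("\\", 1)[-1])
    if decoded:
        reasons.append(f"name is base64 for {decoded!r}")
    return reasons


def creation_bursts(records: List[Record], min_items: int = 3) -> Dict[datetime, List[str]]:
    """Minutes in which at least `min_items` new objects appeared, with their paths."""
    by_minute: Dict[datetime, List[str]] = defaultdict(list)
    for rec in records:
        by_minute[rec.created].append(rec.path)
    return {m: paths for m, paths in by_minute.items() if len(paths) >= min_items}


def failed_deletions(text: str) -> List[str]:
    """Paths ComboFix reported it could not remove in "Other Deletions"."""
    return [line.split(" . . . . ")[0].strip()
            for line in text.splitlines() if line.rstrip().endswith("failed to delete")]


if __name__ == "__main__":
    recs = parse_created(SAMPLE_CREATED)
    for rec in recs:
        for reason in flag_record(rec, SCAN_START):
            print(f"{rec.path}\n    {reason}")
    for minute, paths in sorted(creation_bursts(recs).items()):
        print(f"{len(paths)} objects created at {minute:%Y-%m-%d %H:%M}: " + ", ".join(paths))
    for p in failed_deletions(SAMPLE_DELETIONS):
        print(f"could not be deleted: {p}")
```

Run against the posted records this reports C:\Temp\tn3 and core.cache.dsk as created after the scan began, which lines up with the "failed to delete" entry and with the file "coming back" after every removal attempt; it flags C:\WINDOWS\SnVhbiBNZW5kaXphYmFs as hidden+system with a name that is base64 for the user's own account name; and it groups the six objects created at 2008-01-07 03:21 (the four odd directories in system32, that hidden directory, and pciidexx.sys in drivers) into one burst, which dates the infection to that minute. The hidden+system rule also fires on fidbox.dat in the drivers folder, created the minute before the Kaspersky Lab folder, so each hit is a prompt to look, not a verdict.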
 
Combofix log part 2

Here is part 2:



((((((((((((((((((((((((((((( snapshot@2008-01-14_16.02.30.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-09-11 21:49:24 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\LibComm.dll
+ 2007-09-11 21:49:28 38,280 ----a-w C:\WINDOWS\Downloaded Program Files\NanoInst.dll
+ 2007-09-11 21:49:30 43,824 ----a-w C:\WINDOWS\Downloaded Program Files\PSComm.dll
+ 2007-09-11 21:49:34 100,656 ----a-w C:\WINDOWS\Downloaded Program Files\PSNAdbrk.dll
- 2008-01-13 22:36:36 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-16 10:31:17 1,429,504 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-13 22:36:37 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-16 10:31:17 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-13 22:36:38 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-16 10:31:17 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-13 22:36:39 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-16 10:31:18 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-13 22:36:41 9,809,920 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-16 10:31:19 10,100,736 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-13 22:36:43 299,008 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-16 10:31:19 299,008 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-12 17:21:54 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-15 01:03:55 9,809,920 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-01-15 01:03:55 299,008 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-12 17:21:54 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-15 01:03:40 9,809,920 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-01-15 01:03:41 299,008 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2007-08-14 02:39:20 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
+ 2004-08-04 07:56:41 61,440 ----a-w C:\WINDOWS\system32\admparse.dll
- 2007-10-10 23:55:51 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2004-08-04 07:56:41 99,840 ----a-w C:\WINDOWS\system32\advpack.dll
- 2007-08-14 02:35:46 346,624 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2007-10-11 06:13:44 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-10-10 23:55:51 214,528 -c----w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2007-10-11 06:13:44 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-10-10 23:55:51 132,608 -c----w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2007-10-11 06:13:44 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-10-10 05:46:55 161,792 -c----w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2001-08-18 12:00:00 221,184 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2007-08-14 02:44:02 69,120 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2007-10-10 11:16:27 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
- 2007-08-14 02:54:10 191,488 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2007-10-11 06:13:44 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2007-08-14 02:39:02 92,672 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2007-10-11 06:13:44 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
- 2007-08-14 02:38:04 491,520 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2007-11-14 07:26:56 450,560 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
- 2007-10-10 23:55:56 27,648 -c----w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2007-10-11 06:13:44 16,384 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2007-10-31 13:12:30 3,590,656 -c----w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2007-10-30 10:16:33 3,058,688 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-10-10 23:55:58 478,208 -c----w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2007-10-11 06:13:45 449,024 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-08-14 02:54:10 156,160 -c--a-w C:\WINDOWS\system32\dllcache\msls31.dll
+ 2001-08-18 12:00:00 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msls31.dll
- 2007-10-10 23:55:58 193,024 -c----w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2007-10-11 06:13:45 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-10-10 23:55:59 671,232 -c----w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2007-10-11 06:13:45 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-08-14 02:36:12 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2007-10-11 06:13:45 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-10-10 23:56:00 1,159,680 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2007-10-11 06:13:45 615,424 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-08-14 02:54:10 765,952 -c--a-w C:\WINDOWS\system32\dllcache\VGX.dll
+ 2007-06-26 15:13:22 851,968 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
- 2007-10-10 23:56:00 824,832 -c----w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2007-10-11 06:13:45 659,456 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2007-08-14 02:35:46 346,624 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2007-10-11 06:13:44 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-10-10 23:55:51 214,528 ------w C:\WINDOWS\system32\dxtrans.dll
+ 2007-10-11 06:13:44 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-10-10 23:55:51 132,608 ------w C:\WINDOWS\system32\extmgr.dll
+ 2007-10-11 06:13:44 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2007-10-10 10:59:40 70,656 ------w C:\WINDOWS\system32\ie4uinit.exe
+ 2004-08-04 07:56:50 34,304 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2007-10-10 23:55:51 153,088 ------w C:\WINDOWS\system32\ieakeng.dll
+ 2004-08-04 07:56:42 139,264 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2007-10-10 23:55:51 230,400 ------w C:\WINDOWS\system32\ieaksie.dll
+ 2004-08-04 07:56:42 216,576 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2007-10-10 05:46:55 161,792 ------w C:\WINDOWS\system32\ieakui.dll
+ 2001-08-18 12:00:00 221,184 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2007-10-10 23:55:52 384,512 ------w C:\WINDOWS\system32\iedkcs32.dll
+ 2004-08-04 07:56:42 323,584 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2007-08-14 02:45:18 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
+ 2004-08-04 07:56:42 81,920 ----a-w C:\WINDOWS\system32\ieencode.dll
- 2007-08-14 02:54:10 191,488 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2007-10-11 06:13:44 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2007-10-10 23:55:55 44,544 ------w C:\WINDOWS\system32\iernonce.dll
+ 2004-08-04 07:56:42 48,640 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2007-08-14 02:39:12 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
+ 2004-08-04 07:56:42 62,976 ----a-w C:\WINDOWS\system32\iesetup.dll
- 2007-08-14 02:36:06 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
+ 2004-08-04 07:56:42 35,840 ----a-w C:\WINDOWS\system32\imgutil.dll
- 2007-08-14 02:39:02 92,672 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2007-10-11 06:13:44 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
- 2007-08-14 02:38:04 491,520 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2007-11-14 07:26:56 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
- 2007-10-10 23:55:56 27,648 ------w C:\WINDOWS\system32\jsproxy.dll
+ 2007-10-11 06:13:44 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2007-08-14 02:44:18 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
+ 2004-08-04 07:56:42 22,016 ----a-w C:\WINDOWS\system32\licmgr10.dll
- 2007-08-14 02:32:30 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
+ 2004-08-04 07:56:53 29,184 ----a-w C:\WINDOWS\system32\mshta.exe
- 2007-10-31 13:12:30 3,590,656 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2007-10-30 10:16:33 3,058,688 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-10-10 23:55:58 478,208 ------w C:\WINDOWS\system32\mshtmled.dll
+ 2007-10-11 06:13:45 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-08-14 02:01:12 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
+ 2004-08-04 07:56:14 56,832 ----a-w C:\WINDOWS\system32\mshtmler.dll
- 2007-08-14 02:54:10 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
+ 2001-08-18 12:00:00 146,432 ----a-w C:\WINDOWS\system32\msls31.dll
- 2007-10-10 23:55:58 193,024 ------w C:\WINDOWS\system32\msrating.dll
+ 2007-10-11 06:13:45 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-10-10 23:55:59 671,232 ------w C:\WINDOWS\system32\mstime.dll
+ 2007-10-11 06:13:45 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
- 2007-10-10 23:55:59 102,400 ------w C:\WINDOWS\system32\occache.dll
+ 2004-08-04 07:56:44 96,256 ----a-w C:\WINDOWS\system32\occache.dll
- 2008-01-14 23:47:15 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-16 11:00:16 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-14 23:47:16 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-16 11:00:16 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-08-14 02:36:12 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2007-10-11 06:13:45 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2007-03-06 01:22:33 14,048 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-03-06 01:22:36 14,048 ------w C:\WINDOWS\system32\spmsg.dll
- 2007-10-10 23:55:59 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2004-08-04 07:56:46 37,888 ----a-w C:\WINDOWS\system32\url.dll
- 2007-10-10 23:56:00 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2007-10-11 06:13:45 615,424 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-08-14 02:54:10 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
+ 2004-08-04 07:56:46 417,792 ----a-w C:\WINDOWS\system32\vbscript.dll
- 2007-10-10 23:56:00 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2004-08-04 07:56:46 276,480 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2007-10-10 23:56:00 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-10-11 06:13:45 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"openvpn-gui"="C:\Program Files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 01:55 99328]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPQEASYACC]
--a------ 2001-10-10 17:14 28672 C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\loader]
--a------ 2004-08-03 23:56 73728 C:\Program Files\Windows Media Player\wmplayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
-ra------ 2001-07-09 01:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]
--a------ 2001-09-26 08:30 131072 C:\Program Files\COMPAQ\Coloreal\coloreal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MoneyStartUp"=c:\Program Files\Microsoft Money\System\Money Startup.exe
"Yahoo! Pager"=C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
"Smapp"=Smtray.exe
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe
"BJCFD"=C:\Program Files\BroadJump\Client Foundation\CFD.exe
"REGSHAVE"=C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
"ZingSpooler"=C:\Program Files\Common Files\Zing\ZingSpooler.exe
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe
"SM1BG"=C:\WINDOWS\SM1BG.EXE

R0 pnpshark;pnpshark;C:\WINDOWS\system32\DRIVERS\pnpshark.sys [2003-10-02 03:16]
R0 sojubus;sojubus;C:\WINDOWS\system32\DRIVERS\sojubus.sys [2003-10-05 10:41]
R0 sojuscsi;sojuscsi;C:\WINDOWS\system32\DRIVERS\sojuscsi.sys [2003-09-28 10:57]
R0 st3shark;st3shark;C:\WINDOWS\system32\DRIVERS\st3shark.sys [2003-09-27 14:37]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 10:35]
R1 pciidexx;pciidexx;C:\WINDOWS\system32\drivers\pciidexx.sys [2008-01-07 03:21]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 05:28]
R3 tap0801;TAP-Win32 Adapter V8;C:\WINDOWS\system32\DRIVERS\tap0801.sys [2004-06-23 18:54]
S1 EACMOS;EACMOS;C:\WINDOWS\system32\drivers\EACMOS.SYS []
S3 Gcr432;Gcr432;C:\WINDOWS\system32\Drivers\gcr432.sys [2001-09-06 13:05]
S4 avp ;avp ;"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp .exe" []
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" []


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{969B3B70-8765-11D5-9809-0050BACBF861}]
rundll32.exe advpack.dll,LaunchINFSection C:\Program Files\CyberLink\MP3PowerEncoder\Cyber.inf,PerUserStub
.
Contents of the 'Scheduled Tasks' folder
"2008-01-01 00:12:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2002-02-01 05:56:58 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2002-02-01 05:56:58 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2002-02-01 05:56:58 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 03:00:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-16 3:12:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-16 11:12:33
ComboFix2.txt 2008-01-15 00:04:22
.
2008-01-16 03:34:43 --- E O F ---
 
  • Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\tmp.reg
    C:\WINDOWS\system32\drivers\pciidexx.sys
    C:\Program Files\OpenVPN\bin\openvpn-gui .exe
    
    Folder::
    C:\Temp\tn3
    C:\VundoFix Backups
    C:\WINDOWS\system32\usmvt3
    C:\WINDOWS\system32\drivez4
    C:\WINDOWS\system32\comp2
    C:\WINDOWS\system32\cache3
    C:\WINDOWS\SnVhbiBNZW5kaXphYmFs
    C:\WINDOWS\system32\ardCo01
    C:\Temp\cEeer12
    
    RENV::
    C:\CPQS\scom\srmclean .exe
    C:\Program Files\Common Files\Real\Update_OB\realsched .exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9 .exe
    C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK .exe
    C:\Program Files\iTunes\iTunesHelper .exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched .exe
    C:\Program Files\VERITAS Software\Update Manager\sgtray .exe
    
    Driver::
    pciidexx
  • Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.


    [screenshot: CFScript.gif]



  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log. How is your system running now?
CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.
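Added example, not part of the original thread and not ComboFix's own code: the logs above contain several paths with a space before the extension (`avp .exe` in the S4 service entry, `openvpn-gui .exe` under File::, and the seven entries under RENV::). A file named that way sits beside the real program and is easy to miss by eye. The Python script below, which assumes only the standard library and a directory you point it at, walks a tree for every `name .ext` file, reports whether a same-named sibling without the space exists, pulls such paths out of ComboFix-style Run-key and service lines, and lays them out in the RENV:: layout the CFScript above uses. The SAMPLE_LOG lines and the directory tree built by demo() are constructed for the example.

```python
"""Locate 'name .ext' decoy files and the autostart entries that point at them.

Added example for this thread, not code from the thread or from ComboFix.
Assumes only the Python standard library; SAMPLE_LOG and the tree built by
demo() are constructed to mirror the shape of the logs in the thread.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Iterable, List, Tuple

# A filename whose extension is preceded by whitespace, e.g. "avp .exe".
# Explorer renders "avp .exe" and "avp.exe" almost identically, which is what
# makes the pattern easy to overlook.
DECOY_NAME = re.compile(r"^(?P<stem>.+?)\s+(?P<ext>\.[A-Za-z0-9]{1,4})$")

# A drive-letter path inside a ComboFix-style Run-key or service line whose
# extension is preceded by whitespace. The class stops at quotes, ';' (service
# field separator) and '[' (the trailing timestamp/size field).
PATH_IN_LINE = re.compile(
    r'(?P<path>[A-Za-z]:\\[^";\[\]]*?\s+\.(?:exe|dll|sys|cpl|scr))\b',
    re.IGNORECASE,
)

# Constructed sample: one clean Run entry, one decoy Run entry, the "avp .exe"
# service shape from the thread, and a clean driver line.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]
"openvpn-gui"="C:\Program Files\OpenVPN\bin\openvpn-gui .exe" [2005-08-18 01:55 99328]
S4 avp ;avp ;"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp .exe" []
R1 pciidexx;pciidexx;C:\WINDOWS\system32\drivers\pciidexx.sys [2008-01-07 03:21]
'''


def find_space_extension_decoys(root: str) -> List[Tuple[str, bool]]:
    """Walk `root`; return (path, has_legit_sibling) for every 'name .ext' file.

    has_legit_sibling is True when 'name.ext' (no space) exists in the same
    directory, i.e. the decoy sits right beside the program it resembles.
    """
    hits: List[Tuple[str, bool]] = []
    for dirpath, _dirs, files in os.walk(root):
        present = {f.lower() for f in files}          # NTFS is case-insensitive
        for name in files:
            m = DECOY_NAME.match(name)
            if m is None:
                continue
            legit = (m.group("stem") + m.group("ext")).lower()
            hits.append((os.path.join(dirpath, name), legit in present))
    return sorted(hits)


def flag_autostart_lines(lines: Iterable[str]) -> List[str]:
    """Return every 'name .ext' path referenced by Run-key or service lines."""
    return [m.group("path") for line in lines for m in PATH_IN_LINE.finditer(line)]


def render_renv_section(paths: Iterable[str]) -> str:
    """Lay the paths out as a RENV:: block in the layout the CFScript above uses."""
    body = "\n".join(sorted(set(paths)))
    return f"RENV::\n{body}\n" if body else ""


def demo() -> List[Tuple[str, bool]]:
    """Build a constructed tree in a temp dir, scan it, return root-relative hits."""
    layout = {
        "Kaspersky/avp.exe": b"legit",
        "Kaspersky/avp .exe": b"decoy beside the real binary",
        "OpenVPN/bin/openvpn-gui .exe": b"decoy with no sibling",
        "Notes/my notes.txt": b"space inside the stem only: not a decoy",
    }
    with tempfile.TemporaryDirectory() as base:
        for rel, data in layout.items():
            p = Path(base, *rel.split("/"))
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        hits = find_space_extension_decoys(base)
        return [(os.path.relpath(path, base).replace(os.sep, "/"), legit)
                for path, legit in hits]


if __name__ == "__main__":
    for rel, legit in demo():
        print(f"{rel!r:45} legit sibling present: {legit}")
    flagged = flag_autostart_lines(SAMPLE_LOG.splitlines())
    print(render_renv_section(flagged), end="")
```

Run it against a real tree with `find_space_extension_decoys(r"C:\Program Files")` (and the log text you already have) to get the candidate list; whether a given hit belongs in a CFScript is still the helper's call, the script only finds and formats them.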
 
Success!?! Combofix log part 1

The core.cache.dsk file is gone!
I'm not getting the pop ups under IE.
It's looking excellent so far!
Thank you so much.

One question - I got a notice from the anti virus program (Kaspersky) after Combofix finished, letting me know that regedit.exe was trying to modify the registry.
I don't have regedit open. So I'm wondering if that's part of Combofix finishing up or if it's the trojan trying to reinstate itself?
Let me know.

Here's the first part of the Combofix log:

ComboFix 08-01-16.4 - Juan Mendizabal 2008-01-17 0:03:15.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.263 [GMT -8:00]
Running from: C:\Documents and Settings\Juan Mendizabal\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Juan Mendizabal\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\OpenVPN\bin\openvpn-gui .exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\pciidexx.sys
C:\WINDOWS\system32\tmp.reg
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\OpenVPN\bin\openvpn-gui .exe
C:\Temp\cEeer12
C:\Temp\cEeer12\skAt.log
C:\temp\tn3
C:\VundoFix Backups
C:\WINDOWS\SnVhbiBNZW5kaXphYmFs
C:\WINDOWS\system32\ardCo01
C:\WINDOWS\system32\cache3
C:\WINDOWS\system32\cache3\vumpedll23.exe
C:\WINDOWS\system32\comp2
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\pciidexx.sys
C:\WINDOWS\system32\drivez4
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\usmvt3

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_PCIIDEXX
-------\pciidexx


((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-15 19:17 . 2008-01-15 19:17 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-01-15 14:48 . 2008-01-15 14:48 <DIR> d-------- C:\Documents and Settings\Juan Mendizabal\Application Data\Grisoft
2008-01-15 14:48 . 2008-01-15 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-15 11:47 . 2004-08-03 23:56 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-15 11:47 . 2004-08-03 23:56 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-14 22:40 . 2008-01-16 00:35 <DIR> d-------- C:\Program Files\Safer Networking
2008-01-14 19:42 . 2008-01-14 19:42 <DIR> d-------- C:\Program Files\Panda Security
2008-01-14 17:03 . 2008-01-14 17:03 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-13 14:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-13 14:05 . 2008-01-14 19:50 <DIR> d-------- C:\Documents and Settings\Juan Mendizabal\Pavark
2008-01-13 12:13 . 2008-01-13 12:13 <DIR> d-------- C:\Program Files\Sun
2008-01-13 12:12 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-13 11:39 . 2008-01-13 11:43 <DIR> d-------- C:\Documents and Settings\Juan Mendizabal\.SunDownloadManager
2008-01-13 11:30 . 2008-01-13 11:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-13 10:29 . 2007-10-10 15:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-13 10:29 . 2007-06-30 19:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-13 10:29 . 2007-06-30 19:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-13 10:29 . 2007-10-10 15:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-13 10:29 . 2007-10-10 15:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-13 10:29 . 2007-10-10 15:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-13 10:29 . 2007-10-10 15:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-13 10:29 . 2007-10-10 15:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-13 10:29 . 2007-10-10 02:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-13 10:17 . 2006-06-03 03:40 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-01-13 05:09 . 2006-08-21 01:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-01-13 05:09 . 2006-08-21 01:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-01-13 05:09 . 2006-08-21 04:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-01-13 03:18 . 2007-07-09 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-12 18:25 . 2008-01-13 11:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-12 18:25 . 2008-01-12 18:25 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-12 11:49 . 2008-01-12 11:49 <DIR> d-------- C:\WINDOWS\peernet
2008-01-12 11:37 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-12 11:28 . 2008-01-12 11:28 <DIR> d-------- C:\WINDOWS\EHome
2008-01-12 11:26 . 2008-01-12 11:26 0 --a----t- C:\WINDOWS\003264_.tmp
2008-01-12 10:30 . 2004-08-03 21:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-01-12 10:25 . 2004-08-03 23:56 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-01-11 03:39 . 2008-01-11 03:39 <DIR> d-------- C:\Program Files\CCleaner
2008-01-09 15:13 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-09 15:13 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-01-09 01:34 . 2008-01-09 01:34 335 --a------ C:\WINDOWS\compaq.reg
2008-01-08 06:50 . 2008-01-08 06:50 <DIR> d-------- C:\Documents and Settings\lapo\Application Data\alot
2008-01-07 15:45 . 2008-01-07 23:38 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-07 15:45 . 2008-01-07 23:38 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-07 15:42 . 2008-01-07 15:42 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-07 15:42 . 2008-01-17 00:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-07 15:41 . 2008-01-17 00:41 24,102,432 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-07 15:41 . 2008-01-17 00:16 331,112 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-07 15:41 . 2008-01-17 00:39 261,408 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-07 15:41 . 2008-01-17 00:16 28,664 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-07 15:39 . 2008-01-07 15:39 <DIR> d-------- C:\KAV
2008-01-07 15:26 . 2008-01-07 15:26 250 --a------ C:\WINDOWS\gmer.ini
2008-01-07 03:18 . 2008-01-07 03:24 <DIR> d-------- C:\Documents and Settings\Juan Mendizabal\Application Data\BitTorrent
2008-01-01 10:26 . 2008-01-01 10:26 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2007-12-30 20:33 . 2008-01-05 12:27 <DIR> d-------- C:\Documents and Settings\Juan Mendizabal\Application Data\Roxio
2007-12-30 20:26 . 2007-12-30 20:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2007-12-30 20:25 . 2007-12-30 20:25 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2007-12-30 20:17 . 2007-12-30 20:25 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2007-12-30 20:17 . 2008-01-01 10:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2007-12-29 21:33 . 2007-12-29 21:33 <DIR> d-------- C:\Program Files\MagicDVDRipper
2007-12-27 12:46 . 2007-12-29 18:01 0 --a------ C:\statistics.xml

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 08:03 --------- d-----w C:\Program Files\iTunes
2008-01-16 06:53 --------- d-----w C:\Program Files\Aldo's Pianito
2008-01-16 03:14 --------- d-----w C:\Program Files\Yahoo!
2008-01-15 05:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-13 20:27 --------- d-----w C:\Program Files\Java
2008-01-13 19:12 --------- d-----w C:\Documents and Settings\Juan Mendizabal\Application Data\alot
2008-01-11 12:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-11 08:09 --------- d-----w C:\Program Files\OpenVPN
2008-01-11 03:46 --------- d-----w C:\Program Files\Warcraft III
2008-01-11 03:36 --------- d-----w C:\Program Files\PHP Designer 2005
2008-01-09 08:33 --------- d-----w C:\Program Files\QuickTime
2008-01-07 12:39 --------- d-----w C:\Program Files\BitTorrent
2008-01-05 05:25 --------- d-----w C:\Program Files\Common Files\Native Instruments
2008-01-01 18:24 --------- d-----w C:\Documents and Settings\Juan Mendizabal\Application Data\InstallShield
2007-12-31 04:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-31 04:34 --------- d-----w C:\Program Files\Sonic
2007-12-31 04:26 --------- d-----w C:\Program Files\Roxio
2007-12-31 04:17 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-12-15 05:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-14 22:43 --------- d-----w C:\Program Files\Common Files\LightScribe
2007-11-28 09:28 --------- d-----w C:\Program Files\Lavasoft
2007-11-28 09:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-30 23:05 6,549 ----a-w C:\Documents and Settings\Juan Mendizabal\xrt_log.dat
2007-10-19 12:56 22 ----a-w C:\Documents and Settings\Juan Mendizabal\xrt_collect.zip
2006-08-29 06:15 1,542,144 ----a-w C:\Program Files\iannix 0.611.tar
2003-08-27 22:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
 
Combofix log part 2

((((((((((((((((((((((((((((( snapshot_2008-01-16_ 3.11.15.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-16 10:31:17 1,429,504 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-17 08:02:08 1,429,504 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-16 10:31:17 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-17 08:02:08 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-16 10:31:17 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-17 08:02:09 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-16 10:31:18 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-17 08:02:09 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-16 10:31:19 10,100,736 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-17 08:02:10 10,170,368 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-16 10:31:19 299,008 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-17 08:02:10 299,008 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-16 11:00:16 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-17 08:41:18 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-16 11:00:16 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-17 08:41:18 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"openvpn-gui"="C:\Program Files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 01:55 99328]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPQEASYACC]
--a------ 2008-01-08 08:54 28672 C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\loader]
--a------ 2004-08-03 23:56 73728 C:\Program Files\Windows Media Player\wmplayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
-ra------ 2001-07-09 01:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]
--a------ 2001-09-26 08:30 131072 C:\Program Files\COMPAQ\Coloreal\coloreal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MoneyStartUp"=c:\Program Files\Microsoft Money\System\Money Startup.exe
"Yahoo! Pager"=C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
"Smapp"=Smtray.exe
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe
"BJCFD"=C:\Program Files\BroadJump\Client Foundation\CFD.exe
"REGSHAVE"=C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
"ZingSpooler"=C:\Program Files\Common Files\Zing\ZingSpooler.exe
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe
"SM1BG"=C:\WINDOWS\SM1BG.EXE

R0 pnpshark;pnpshark;C:\WINDOWS\system32\DRIVERS\pnpshark.sys [2003-10-02 03:16]
R0 sojubus;sojubus;C:\WINDOWS\system32\DRIVERS\sojubus.sys [2003-10-05 10:41]
R0 sojuscsi;sojuscsi;C:\WINDOWS\system32\DRIVERS\sojuscsi.sys [2003-09-28 10:57]
R0 st3shark;st3shark;C:\WINDOWS\system32\DRIVERS\st3shark.sys [2003-09-27 14:37]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 10:35]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 05:28]
R3 tap0801;TAP-Win32 Adapter V8;C:\WINDOWS\system32\DRIVERS\tap0801.sys [2004-06-23 18:54]
S1 EACMOS;EACMOS;C:\WINDOWS\system32\drivers\EACMOS.SYS []
S3 Gcr432;Gcr432;C:\WINDOWS\system32\Drivers\gcr432.sys [2001-09-06 13:05]
S4 avp ;avp ;"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp .exe" []
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" []


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{969B3B70-8765-11D5-9809-0050BACBF861}]
rundll32.exe advpack.dll,LaunchINFSection C:\Program Files\CyberLink\MP3PowerEncoder\Cyber.inf,PerUserStub
.
Contents of the 'Scheduled Tasks' folder
"2008-01-01 00:12:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2002-02-01 05:56:58 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2002-02-01 05:56:58 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2002-02-01 05:56:58 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 00:40:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-17 0:53:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-17 08:53:45
ComboFix2.txt 2008-01-16 11:12:46
ComboFix3.txt 2008-01-15 00:04:22
.
2008-01-16 03:34:43 --- E O F ---
 
HijackThis Log

Here's the Hijack This log.
I want to express my deepest appreciation for this help.
Thank you so much! :-)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:07 AM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\OpenVPN\bin\openvpn-gui.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref(".aim.general.im.enterCR", false);
user_pref(".aim.general.im.smilies", true);
user_pref(".aim.general.im.tabKey", false);
user_pref(".aim.general.im.timeStamp", false);
user_pref(".aim.mail.presence", true);
user_pref("Severian2004.aim.session.autologin", false);
user_pref("Severian2004.aim.session.connectionname", "AIM");
user_pref("Severian2004.aim.session.password", "0");
user_pref("Severian2004.aim.session.storepassword", false);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.latestaimscreenname", "Severian2004");
user_pref("aim.session.screenname", "Severian2004");
user_
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref(".aim.general.im.enterCR", false);
user_pref(".aim.general.im.smilies", true);
user_pref(".aim.general.im.tabKey", false);
user_pref(".aim.general.im.timeStamp", false);
user_pref(".aim.mail.presence", true);
user_pref("Severian2004.aim.session.autologin", false);
user_pref("Severian2004.aim.session.connectionname", "AIM");
user_pref("Severian2004.aim.session.password", "0");
user_pref("Severian2004.aim.session.storepassword", false);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.latestaimscreenname", "Severian2004");
user_pref("aim.session.screenname", "Severian2004");
user_
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [openvpn-gui] C:\Program Files\OpenVPN\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.napster.com/client/isetup.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 6353 bytes
 
You're welcome, and your logfiles now appear to be clean. ComboFix itself shouldn't have needed to access regedit, however it's possible that other programs may have done so as a result of this fix. All the same, let's be sure that nothing has come back. Please reboot your PC, run ComboFix again by double-clicking on it and post the log it produces.
 
New Combofix file Pt 1

ComboFix 08-01-16.4 - Juan Mendizabal 2008-01-18 4:32:39.4 - NTFSx86
Running from: C:\Documents and Settings\Juan Mendizabal\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-18 02:01 . 2008-01-18 02:04 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-18 00:58 . 2008-01-18 00:57 2,111,096 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-01-17 23:31 . 2008-01-17 23:31 <DIR> d-------- C:\Program Files\Google
2008-01-15 14:48 . 2008-01-15 14:48 <DIR> d-------- C:\Documents and Settings\Juan Mendizabal\Application Data\Grisoft
2008-01-15 14:48 . 2008-01-15 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-15 11:47 . 2004-08-03 23:56 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-15 11:47 . 2004-08-03 23:56 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-14 22:40 . 2008-01-16 00:35 <DIR> d-------- C:\Program Files\Safer Networking
2008-01-14 19:42 . 2008-01-14 19:42 <DIR> d-------- C:\Program Files\Panda Security
2008-01-14 17:03 . 2008-01-14 17:03 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-13 14:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-13 14:05 . 2008-01-14 19:50 <DIR> d-------- C:\Documents and Settings\Juan Mendizabal\Pavark
2008-01-13 12:13 . 2008-01-13 12:13 <DIR> d-------- C:\Program Files\Sun
2008-01-13 12:12 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-13 11:39 . 2008-01-13 11:43 <DIR> d-------- C:\Documents and Settings\Juan Mendizabal\.SunDownloadManager
2008-01-13 11:30 . 2008-01-13 11:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-13 10:29 . 2007-10-10 15:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-13 10:29 . 2007-06-30 19:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-13 10:29 . 2007-06-30 19:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-13 10:29 . 2007-10-10 15:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-13 10:29 . 2007-10-10 15:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-13 10:29 . 2007-10-10 15:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-13 10:29 . 2007-10-10 15:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-13 10:29 . 2007-10-10 15:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-13 10:29 . 2007-10-10 02:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-13 10:17 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-01-13 05:09 . 2006-08-21 01:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-01-13 05:09 . 2006-08-21 01:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-01-13 05:09 . 2006-08-21 04:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-01-13 03:18 . 2007-07-09 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-12 11:49 . 2008-01-12 11:49 <DIR> d-------- C:\WINDOWS\peernet
2008-01-12 11:37 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-12 11:28 . 2008-01-12 11:28 <DIR> d-------- C:\WINDOWS\EHome
2008-01-12 11:26 . 2008-01-12 11:26 0 --a----t- C:\WINDOWS\003264_.tmp
2008-01-12 10:30 . 2004-08-03 21:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-01-12 10:25 . 2004-08-03 23:56 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-01-11 03:39 . 2008-01-11 03:39 <DIR> d-------- C:\Program Files\CCleaner
2008-01-09 15:13 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-09 15:13 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-01-09 01:34 . 2008-01-09 01:34 335 --a------ C:\WINDOWS\compaq.reg
2008-01-08 06:50 . 2008-01-08 06:50 <DIR> d-------- C:\Documents and Settings\lapo\Application Data\alot
2008-01-07 15:45 . 2008-01-07 23:38 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-07 15:45 . 2008-01-07 23:38 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-07 15:42 . 2008-01-07 15:42 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-07 15:42 . 2008-01-18 01:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-07 15:41 . 2008-01-18 05:21 24,767,264 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-07 15:41 . 2008-01-18 01:54 336,392 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-07 15:41 . 2008-01-18 04:51 290,848 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-07 15:41 . 2008-01-18 01:54 31,724 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-07 15:39 . 2008-01-07 15:39 <DIR> d-------- C:\KAV
2008-01-07 15:26 . 2008-01-07 15:26 250 --a------ C:\WINDOWS\gmer.ini
2008-01-07 03:18 . 2008-01-07 03:24 <DIR> d-------- C:\Documents and Settings\Juan Mendizabal\Application Data\BitTorrent
2008-01-01 10:26 . 2008-01-01 10:26 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2007-12-30 20:33 . 2008-01-05 12:27 <DIR> d-------- C:\Documents and Settings\Juan Mendizabal\Application Data\Roxio
2007-12-30 20:26 . 2007-12-30 20:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2007-12-30 20:25 . 2007-12-30 20:25 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2007-12-30 20:17 . 2007-12-30 20:25 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2007-12-30 20:17 . 2008-01-01 10:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2007-12-29 21:33 . 2007-12-29 21:33 <DIR> d-------- C:\Program Files\MagicDVDRipper
2007-12-27 12:46 . 2007-12-29 18:01 0 --a------ C:\statistics.xml

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 06:51 --------- d-----w C:\Program Files\Aldo's Pianito
2008-01-17 08:03 --------- d-----w C:\Program Files\iTunes
2008-01-16 03:14 --------- d-----w C:\Program Files\Yahoo!
2008-01-15 05:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-13 20:27 --------- d-----w C:\Program Files\Java
2008-01-13 19:12 --------- d-----w C:\Documents and Settings\Juan Mendizabal\Application Data\alot
2008-01-11 12:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-11 08:09 --------- d-----w C:\Program Files\OpenVPN
2008-01-11 03:46 --------- d-----w C:\Program Files\Warcraft III
2008-01-11 03:36 --------- d-----w C:\Program Files\PHP Designer 2005
2008-01-09 08:33 --------- d-----w C:\Program Files\QuickTime
2008-01-07 12:39 --------- d-----w C:\Program Files\BitTorrent
2008-01-05 05:25 --------- d-----w C:\Program Files\Common Files\Native Instruments
2008-01-01 18:24 --------- d-----w C:\Documents and Settings\Juan Mendizabal\Application Data\InstallShield
2007-12-31 04:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-31 04:34 --------- d-----w C:\Program Files\Sonic
2007-12-31 04:26 --------- d-----w C:\Program Files\Roxio
2007-12-31 04:17 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-12-15 05:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-14 22:43 --------- d-----w C:\Program Files\Common Files\LightScribe
2007-11-28 09:28 --------- d-----w C:\Program Files\Lavasoft
2007-11-28 09:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-30 23:05 6,549 ----a-w C:\Documents and Settings\Juan Mendizabal\xrt_log.dat
2007-10-19 12:56 22 ----a-w C:\Documents and Settings\Juan Mendizabal\xrt_collect.zip
2006-08-29 06:15 1,542,144 ----a-w C:\Program Files\iannix 0.611.tar
2003-08-27 22:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
.
 
New Combofix file Pt 2

((((((((((((((((((((((((((((( snapshot_2008-01-16_ 3.11.15.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-16 10:31:17 1,429,504 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-17 08:02:08 1,429,504 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-16 10:31:17 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-17 08:02:08 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-16 10:31:17 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-17 08:02:09 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-16 10:31:18 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-17 08:02:09 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-16 10:31:19 10,100,736 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-17 08:02:10 10,170,368 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-16 10:31:19 299,008 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-17 08:02:10 299,008 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-11 02:28:41 7,645 ----a-w C:\WINDOWS\extend.dat
+ 2008-01-18 10:28:12 7,645 ----a-w C:\WINDOWS\extend.dat
+ 2004-08-04 07:56:41 61,440 -c--a-w C:\WINDOWS\ie7\admparse.dll
+ 2004-08-04 07:56:41 99,840 -c--a-w C:\WINDOWS\ie7\advpack.dll
+ 2004-08-04 07:56:41 35,328 -c--a-w C:\WINDOWS\ie7\corpol.dll
+ 2006-06-03 11:40:49 33,792 -c--a-w C:\WINDOWS\ie7\custsat.dll
+ 2007-10-11 06:13:44 357,888 -c--a-w C:\WINDOWS\ie7\dxtmsft.dll
+ 2007-10-11 06:13:44 205,312 -c--a-w C:\WINDOWS\ie7\dxtrans.dll
+ 2007-10-11 06:13:44 55,808 -c--a-w C:\WINDOWS\ie7\extmgr.dll
+ 2004-08-04 07:56:42 38,912 -c--a-w C:\WINDOWS\ie7\hmmapi.dll
+ 2004-08-04 07:56:50 34,304 -c--a-w C:\WINDOWS\ie7\ie4uinit.exe
+ 2004-08-04 07:56:42 139,264 -c--a-w C:\WINDOWS\ie7\ieakeng.dll
+ 2004-08-04 07:56:42 216,576 -c--a-w C:\WINDOWS\ie7\ieaksie.dll
+ 2001-08-18 12:00:00 221,184 -c--a-w C:\WINDOWS\ie7\ieakui.dll
+ 2004-08-04 07:56:42 323,584 -c--a-w C:\WINDOWS\ie7\iedkcs32.dll
+ 2007-10-10 11:16:27 18,432 -c--a-w C:\WINDOWS\ie7\iedw.exe
+ 2004-08-04 07:56:42 81,920 -c--a-w C:\WINDOWS\ie7\ieencode.dll
+ 2007-10-11 06:13:44 251,392 -c--a-w C:\WINDOWS\ie7\iepeers.dll
+ 2004-08-04 07:56:42 48,640 -c--a-w C:\WINDOWS\ie7\iernonce.dll
+ 2004-08-04 07:56:42 62,976 -c--a-w C:\WINDOWS\ie7\iesetup.dll
+ 2004-08-04 07:56:50 93,184 -c--a-w C:\WINDOWS\ie7\iexplore.exe
+ 2004-08-04 07:56:42 35,840 -c--a-w C:\WINDOWS\ie7\imgutil.dll
+ 2007-10-11 06:13:44 96,256 -c--a-w C:\WINDOWS\ie7\inseng.dll
+ 2007-11-14 07:26:56 450,560 -c--a-w C:\WINDOWS\ie7\jscript.dll
+ 2007-10-11 06:13:44 16,384 -c--a-w C:\WINDOWS\ie7\jsproxy.dll
+ 2004-08-04 07:56:42 22,016 -c--a-w C:\WINDOWS\ie7\licmgr10.dll
+ 2004-08-04 07:56:53 29,184 -c--a-w C:\WINDOWS\ie7\mshta.exe
+ 2007-10-30 10:16:33 3,058,688 -c--a-w C:\WINDOWS\ie7\mshtml.dll
+ 2007-10-11 06:13:45 449,024 -c--a-w C:\WINDOWS\ie7\mshtmled.dll
+ 2004-08-04 07:56:14 56,832 -c--a-w C:\WINDOWS\ie7\mshtmler.dll
+ 2001-08-18 12:00:00 146,432 -c--a-w C:\WINDOWS\ie7\msls31.dll
+ 2007-10-11 06:13:45 146,432 -c--a-w C:\WINDOWS\ie7\msrating.dll
+ 2007-10-11 06:13:45 532,480 -c--a-w C:\WINDOWS\ie7\mstime.dll
+ 2004-08-04 07:56:44 96,256 -c--a-w C:\WINDOWS\ie7\occache.dll
+ 2007-10-11 06:13:45 39,424 -c--a-w C:\WINDOWS\ie7\pngfilt.dll
+ 2007-08-14 02:54:42 32,960 -c--a-w C:\WINDOWS\ie7\spuninst\iecustom.dll
+ 2007-08-14 02:52:06 66,048 -c--a-w C:\WINDOWS\ie7\spuninst\ieResetIcons.exe
+ 2006-09-07 01:43:16 213,216 -c--a-w C:\WINDOWS\ie7\spuninst\spuninst.exe
+ 2006-09-07 01:43:18 371,424 -c--a-w C:\WINDOWS\ie7\spuninst\updspapi.dll
+ 2004-08-04 07:56:46 37,888 -c--a-w C:\WINDOWS\ie7\url.dll
+ 2007-10-11 06:13:45 615,424 -c--a-w C:\WINDOWS\ie7\urlmon.dll
+ 2004-08-04 07:56:46 417,792 -c--a-w C:\WINDOWS\ie7\vbscript.dll
+ 2007-06-26 15:13:22 851,968 -c--a-w C:\WINDOWS\ie7\vgx.dll
+ 2004-08-04 07:56:46 276,480 -c--a-w C:\WINDOWS\ie7\webcheck.dll
+ 2007-10-11 06:13:45 659,456 -c--a-w C:\WINDOWS\ie7\wininet.dll
+ 2007-08-14 02:39:00 123,904 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\advpack.dll
+ 2007-08-14 02:39:00 123,904 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\advpack.dll.000
+ 2007-08-14 02:35:38 214,528 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\dxtrans.dll
+ 2007-08-14 02:54:10 131,584 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\extmgr.dll
+ 2007-08-14 02:36:26 61,952 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\icardie.dll
+ 2007-08-14 02:39:06 54,784 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ie4uinit.exe
+ 2007-08-14 02:39:06 54,784 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ie4uinit.exe.000
+ 2007-08-14 02:39:26 152,064 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieakeng.dll
+ 2007-08-14 02:39:26 152,064 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieakeng.dll.000
+ 2007-08-14 02:39:54 229,376 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieaksie.dll
+ 2007-08-14 02:39:54 229,376 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieaksie.dll.000
+ 2007-08-14 01:56:54 161,792 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieakui.dll
+ 2007-02-13 00:10:12 2,451,312 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieapfltr.dat
+ 2007-07-11 20:27:48 383,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieapfltr.dll
+ 2007-08-14 02:39:50 382,976 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iedkcs32.dll
+ 2007-08-14 02:39:50 382,976 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iedkcs32.dll.000
+ 2007-08-14 02:54:10 6,049,280 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieframe.dll
+ 2007-08-14 02:39:10 43,008 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iernonce.dll
+ 2007-08-14 02:39:10 43,008 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iernonce.dll.000
+ 2007-08-14 02:34:04 266,752 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iertutil.dll
+ 2007-08-14 02:39:10 13,312 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieudinit.exe
+ 2007-08-14 02:43:56 622,080 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iexplore.exe
+ 2007-08-14 02:43:56 622,080 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iexplore.exe.000
+ 2007-08-14 02:54:10 27,136 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\jsproxy.dll
+ 2007-08-14 02:54:10 458,752 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msfeeds.dll
+ 2007-08-14 02:54:10 50,688 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msfeedsbs.dll
+ 2007-08-14 02:54:12 3,578,368 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mshtml.dll
+ 2007-08-14 02:54:10 475,648 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mshtmled.dll
+ 2007-08-14 02:44:26 192,000 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msrating.dll
+ 2007-08-14 02:54:10 670,720 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mstime.dll
+ 2007-08-14 02:44:06 101,376 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\occache.dll
+ 2007-08-14 02:44:06 101,376 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\occache.dll.000
+ 2007-03-06 01:22:31 22,752 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spcustom.dll
+ 2007-03-06 01:22:33 14,048 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spmsg.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spuninst.exe
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe
+ 2007-06-30 20:22:56 371,424 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\updspapi.dll
+ 2007-03-06 01:22:56 716,000 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\update.exe
+ 2007-06-30 20:22:56 371,424 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\updspapi.dll
+ 2007-08-14 02:44:30 105,984 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\url.dll
+ 2007-08-14 02:44:30 105,984 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\url.dll.000
+ 2007-08-14 02:54:10 1,162,240 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\urlmon.dll
+ 2007-08-14 02:54:10 231,424 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\webcheck.dll
+ 2007-08-14 02:54:10 231,424 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\webcheck.dll.000
+ 2007-08-14 02:54:10 818,688 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\wininet.dll
+ 2005-01-28 21:44:28 396,528 ----a-w C:\WINDOWS\LastGood\system32\wmadmod.dll
+ 2005-01-28 21:44:28 774,904 ----a-w C:\WINDOWS\LastGood\system32\wmsdmod.dll
+ 2005-01-28 21:44:28 413,944 ----a-w C:\WINDOWS\LastGood\system32\wmspdmod.dll
+ 2005-01-28 21:44:28 1,218,808 ----a-w C:\WINDOWS\LastGood\system32\wmvadvd.dll
+ 2005-01-28 21:44:28 895,736 ----a-w C:\WINDOWS\LastGood\system32\wmvdmod.dll
- 2006-08-17 16:26:44 17,699 ----a-w C:\WINDOWS\mozver.dat
+ 2008-01-18 10:07:36 18,333 ----a-w C:\WINDOWS\mozver.dat
- 2005-01-28 21:44:28 396,528 ----a-w C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmadmod.dll
+ 2004-08-11 09:45:04 380,144 ----a-w C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmadmod.dll
- 2005-01-28 21:44:28 774,904 ----a-w C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmsdmod.dll
+ 2004-08-11 09:45:04 773,368 ----a-w C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmsdmod.dll
- 2005-01-28 21:44:28 413,944 ----a-w C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmspdmod.dll
+ 2004-08-11 09:45:06 531,192 ----a-w C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmspdmod.dll
- 2005-01-28 21:44:28 1,218,808 ----a-w C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmvadvd.dll
+ 2004-08-11 09:45:06 1,181,944 ----a-w C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmvadvd.dll
- 2005-01-28 21:44:28 895,736 ----a-w C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmvdmod.dll
+ 2004-08-11 09:45:06 871,160 ----a-w C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\wmvdmod.dll
- 2004-08-04 07:56:41 61,440 ----a-w C:\WINDOWS\system32\admparse.dll
+ 2007-08-14 02:39:20 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
- 2004-08-04 07:56:41 99,840 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2007-10-10 23:55:51 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2007-08-14 02:39:20 71,680 -c----w C:\WINDOWS\system32\dllcache\admparse.dll
+ 2007-10-10 23:55:51 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2007-08-14 02:42:54 17,408 -c----w C:\WINDOWS\system32\dllcache\corpol.dll
- 2007-10-11 06:13:44 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2007-08-14 02:35:46 346,624 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-10-11 06:13:44 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2007-10-10 23:55:51 214,528 -c----w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-10-11 06:13:44 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2007-10-10 23:55:51 132,608 -c----w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2007-08-14 02:18:02 60,416 -c----w C:\WINDOWS\system32\dllcache\hmmapi.dll
+ 2007-10-10 10:59:40 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2007-10-10 23:55:51 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2007-10-10 23:55:51 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2001-08-18 12:00:00 221,184 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2007-10-10 05:46:55 161,792 -c----w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2007-10-10 23:55:52 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2007-10-10 11:16:27 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2007-08-14 02:44:02 69,120 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2007-08-14 02:45:18 78,336 -c----w C:\WINDOWS\system32\dllcache\ieencode.dll
- 2007-10-11 06:13:44 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2007-08-14 02:54:10 191,488 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2007-10-10 23:55:55 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2007-08-14 02:39:12 55,296 -c----w C:\WINDOWS\system32\dllcache\iesetup.dll
+ 2007-10-10 10:59:52 625,152 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2007-08-14 02:36:06 36,352 -c----w C:\WINDOWS\system32\dllcache\imgutil.dll
- 2007-10-11 06:13:44 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2007-08-14 02:39:02 92,672 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
- 2007-11-14 07:26:56 450,560 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2007-08-14 02:38:04 491,520 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
- 2007-10-11 06:13:44 16,384 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2007-10-10 23:55:56 27,648 -c----w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2007-08-14 02:44:18 40,960 -c----w C:\WINDOWS\system32\dllcache\licmgr10.dll
+ 2007-08-14 02:32:30 45,568 -c----w C:\WINDOWS\system32\dllcache\mshta.exe
- 2007-10-30 10:16:33 3,058,688 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2007-10-31 13:12:30 3,590,656 -c----w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-10-11 06:13:45 449,024 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2007-10-10 23:55:58 478,208 -c----w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2007-08-14 02:01:12 48,128 -c----w C:\WINDOWS\system32\dllcache\mshtmler.dll
- 2001-08-18 12:00:00 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msls31.dll
+ 2007-08-14 02:54:10 156,160 -c--a-w C:\WINDOWS\system32\dllcache\msls31.dll
- 2007-10-11 06:13:45 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2007-10-10 23:55:58 193,024 -c----w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-10-11 06:13:45 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2007-10-10 23:55:59 671,232 -c----w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2007-10-10 23:55:59 102,400 -c----w C:\WINDOWS\system32\dllcache\occache.dll
- 2007-10-11 06:13:45 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2007-08-14 02:36:12 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2007-10-10 23:55:59 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
- 2007-10-11 06:13:45 615,424 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2007-10-10 23:56:00 1,159,680 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2007-08-14 02:54:10 413,696 -c----w C:\WINDOWS\system32\dllcache\vbscript.dll
- 2007-06-26 15:13:22 851,968 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
+ 2007-08-14 02:54:10 765,952 -c--a-w C:\WINDOWS\system32\dllcache\VGX.dll
+ 2007-10-10 23:56:00 232,960 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2007-10-11 06:13:45 659,456 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2007-10-10 23:56:00 824,832 -c----w C:\WINDOWS\system32\dllcache\wininet.dll
- 2005-01-28 21:44:28 396,528 -c--a-w C:\WINDOWS\system32\dllcache\wmadmod.dll
+ 2004-08-11 09:45:04 380,144 -c--a-w C:\WINDOWS\system32\dllcache\wmadmod.dll
- 2005-01-28 21:44:28 774,904 -c--a-w C:\WINDOWS\system32\dllcache\wmsdmod.dll
+ 2004-08-11 09:45:04 773,368 -c--a-w C:\WINDOWS\system32\dllcache\wmsdmod.dll
+ 2004-08-11 09:45:06 531,192 -c--a-w C:\WINDOWS\system32\dllcache\wmspdmod.dll
- 2005-01-28 21:44:28 895,736 -c--a-w C:\WINDOWS\system32\dllcache\wmvdmod.dll
+ 2004-08-11 09:45:06 871,160 -c--a-w C:\WINDOWS\system32\dllcache\wmvdmod.dll
- 2007-10-11 06:13:44 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2007-08-14 02:35:46 346,624 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-10-11 06:13:44 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2007-10-10 23:55:51 214,528 ------w C:\WINDOWS\system32\dxtrans.dll
- 2007-10-11 06:13:44 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2007-10-10 23:55:51 132,608 ------w C:\WINDOWS\system32\extmgr.dll
+ 2007-10-10 23:55:51 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2004-08-04 07:56:50 34,304 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2007-10-10 10:59:40 70,656 ------w C:\WINDOWS\system32\ie4uinit.exe
- 2004-08-04 07:56:42 139,264 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2007-10-10 23:55:51 153,088 ------w C:\WINDOWS\system32\ieakeng.dll
- 2004-08-04 07:56:42 216,576 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2007-10-10 23:55:51 230,400 ------w C:\WINDOWS\system32\ieaksie.dll
- 2001-08-18 12:00:00 221,184 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2007-10-10 05:46:55 161,792 ------w C:\WINDOWS\system32\ieakui.dll
+ 2007-07-01 03:31:33 2,455,488 ----a-w C:\WINDOWS\system32\ieapfltr.dat
+ 2007-10-10 23:55:52 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2004-08-04 07:56:42 323,584 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2007-10-10 23:55:52 384,512 ------w C:\WINDOWS\system32\iedkcs32.dll
- 2004-08-04 07:56:42 81,920 ----a-w C:\WINDOWS\system32\ieencode.dll
+ 2007-08-14 02:45:18 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
+ 2007-10-10 23:55:54 6,065,664 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-10-11 06:13:44 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2007-08-14 02:54:10 191,488 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2004-08-04 07:56:42 48,640 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2007-10-10 23:55:55 44,544 ------w C:\WINDOWS\system32\iernonce.dll
+ 2007-10-10 23:55:55 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2004-08-04 07:56:42 62,976 ----a-w C:\WINDOWS\system32\iesetup.dll
+ 2007-08-14 02:39:12 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
+ 2007-08-14 02:54:10 180,736 ------w C:\WINDOWS\system32\ieui.dll
- 2004-08-04 07:56:42 35,840 ----a-w C:\WINDOWS\system32\imgutil.dll
+ 2007-08-14 02:36:06 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
- 2007-10-11 06:13:44 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2007-08-14 02:39:02 92,672 ----a-w C:\WINDOWS\system32\inseng.dll
- 2007-11-14 07:26:56 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2007-08-14 02:38:04 491,520 ----a-w C:\WINDOWS\system32\jscript.dll
- 2007-10-11 06:13:44 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2007-10-10 23:55:56 27,648 ------w C:\WINDOWS\system32\jsproxy.dll
- 2004-08-04 07:56:42 22,016 ----a-w C:\WINDOWS\system32\licmgr10.dll
+ 2007-08-14 02:44:18 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
+ 2007-12-04 00:39:18 112,016 ----a-w C:\WINDOWS\system32\Macromed\Download\Download.dll
+ 2007-12-04 00:39:16 67,984 ----a-w C:\WINDOWS\system32\Macromed\Download\Download.exe
+ 2007-12-04 00:39:18 59,717 ----a-w C:\WINDOWS\system32\Macromed\Download\Install.exe
+ 2007-11-21 00:04:14 218,496 ----a-r C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
+ 2007-11-21 00:52:00 2,884,992 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
+ 2007-11-21 00:52:00 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-01-18 10:04:51 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2007-10-10 23:55:56 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2007-10-10 23:55:56 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2007-08-14 02:36:40 12,288 ------w C:\WINDOWS\system32\msfeedssync.exe
- 2004-08-04 07:56:53 29,184 ----a-w C:\WINDOWS\system32\mshta.exe
+ 2007-08-14 02:32:30 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
- 2007-10-30 10:16:33 3,058,688 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2007-10-31 13:12:30 3,590,656 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-10-11 06:13:45 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2007-10-10 23:55:58 478,208 ------w C:\WINDOWS\system32\mshtmled.dll
- 2004-08-04 07:56:14 56,832 ----a-w C:\WINDOWS\system32\mshtmler.dll
+ 2007-08-14 02:01:12 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
- 2001-08-18 12:00:00 146,432 ----a-w C:\WINDOWS\system32\msls31.dll
+ 2007-08-14 02:54:10 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
- 2007-10-11 06:13:45 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2007-10-10 23:55:58 193,024 ------w C:\WINDOWS\system32\msrating.dll
- 2007-10-11 06:13:45 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2007-10-10 23:55:59 671,232 ------w C:\WINDOWS\system32\mstime.dll
- 2004-08-04 07:56:44 96,256 ----a-w C:\WINDOWS\system32\occache.dll
+ 2007-10-10 23:55:59 102,400 ------w C:\WINDOWS\system32\occache.dll
- 2008-01-16 11:00:16 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-18 10:01:17 52,764 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-16 11:00:16 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-18 10:01:17 380,350 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-10-11 06:13:45 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2007-08-14 02:36:12 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2007-03-06 01:22:36 14,048 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-03-06 01:22:33 14,048 ------w C:\WINDOWS\system32\spmsg.dll
- 2004-08-04 07:56:46 37,888 ----a-w C:\WINDOWS\system32\url.dll
+ 2007-10-10 23:55:59 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-10-11 06:13:45 615,424 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2007-10-10 23:56:00 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2004-08-04 07:56:46 417,792 ----a-w C:\WINDOWS\system32\vbscript.dll
+ 2007-08-14 02:54:10 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
- 2004-08-04 07:56:46 276,480 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2007-10-10 23:56:00 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2007-08-14 02:45:16 206,336 ------w C:\WINDOWS\system32\WinFXDocObj.exe
- 2007-10-11 06:13:45 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-10-10 23:56:00 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
- 2005-01-28 21:44:28 396,528 ----a-w C:\WINDOWS\system32\wmadmod.dll
+ 2004-08-11 09:45:04 380,144 ----a-w C:\WINDOWS\system32\wmadmod.dll
- 2005-01-28 21:44:28 774,904 ----a-w C:\WINDOWS\system32\wmsdmod.dll
+ 2004-08-11 09:45:04 773,368 ----a-w C:\WINDOWS\system32\wmsdmod.dll
- 2005-01-28 21:44:28 413,944 ----a-w C:\WINDOWS\system32\wmspdmod.dll
+ 2004-08-11 09:45:06 531,192 ----a-w C:\WINDOWS\system32\wmspdmod.dll
- 2005-01-28 21:44:28 1,218,808 ----a-w C:\WINDOWS\system32\wmvadvd.dll
+ 2004-08-11 09:45:06 1,181,944 ----a-w C:\WINDOWS\system32\wmvadvd.dll
- 2005-01-28 21:44:28 895,736 ----a-w C:\WINDOWS\system32\wmvdmod.dll
+ 2004-08-11 09:45:06 871,160 ----a-w C:\WINDOWS\system32\wmvdmod.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-17 23:31 171448]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"openvpn-gui"="C:\Program Files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 01:55 99328]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPQEASYACC]
--a------ 2008-01-08 08:54 28672 C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\loader]
--a------ 2004-08-03 23:56 73728 C:\Program Files\Windows Media Player\wmplayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
-ra------ 2001-07-09 01:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]
--a------ 2001-09-26 08:30 131072 C:\Program Files\COMPAQ\Coloreal\coloreal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MoneyStartUp"=c:\Program Files\Microsoft Money\System\Money Startup.exe
"Yahoo! Pager"=C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
"Smapp"=Smtray.exe
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe
"BJCFD"=C:\Program Files\BroadJump\Client Foundation\CFD.exe
"REGSHAVE"=C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
"ZingSpooler"=C:\Program Files\Common Files\Zing\ZingSpooler.exe
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe
"SM1BG"=C:\WINDOWS\SM1BG.EXE

R0 pnpshark;pnpshark;C:\WINDOWS\system32\DRIVERS\pnpshark.sys [2003-10-02 03:16]
R0 sojubus;sojubus;C:\WINDOWS\system32\DRIVERS\sojubus.sys [2003-10-05 10:41]
R0 sojuscsi;sojuscsi;C:\WINDOWS\system32\DRIVERS\sojuscsi.sys [2003-09-28 10:57]
R0 st3shark;st3shark;C:\WINDOWS\system32\DRIVERS\st3shark.sys [2003-09-27 14:37]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 10:35]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 05:28]
R3 tap0801;TAP-Win32 Adapter V8;C:\WINDOWS\system32\DRIVERS\tap0801.sys [2004-06-23 18:54]
S1 EACMOS;EACMOS;C:\WINDOWS\system32\drivers\EACMOS.SYS []
S3 Gcr432;Gcr432;C:\WINDOWS\system32\Drivers\gcr432.sys [2001-09-06 13:05]
S4 avp ;avp ;"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp .exe" []
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" []


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{969B3B70-8765-11D5-9809-0050BACBF861}]
rundll32.exe advpack.dll,LaunchINFSection C:\Program Files\CyberLink\MP3PowerEncoder\Cyber.inf,PerUserStub
.
Contents of the 'Scheduled Tasks' folder
"2008-01-01 00:12:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2002-02-01 05:56:58 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2002-02-01 05:56:58 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2002-02-01 05:56:58 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 05:52:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-18 6:02:51
ComboFix-quarantined-files.txt 2008-01-18 14:02:42
ComboFix2.txt 2008-01-17 08:53:55
ComboFix3.txt 2008-01-16 11:12:46
ComboFix4.txt 2008-01-15 00:04:22
.
2008-01-18 08:09:35 --- E O F ---
 
Missing file

The computer seems to be running ok, except for one file:
msacm32.drv

It got removed during one of the cleanups. It's now in a "quarantine" folder.
It's the file needed to run audio on flash.
Do you know how I can get a new one?

Thanks again for all your help.
 
The new log is clean as well.

With regards to msacm32.drv, I believe it's a bug in a particular version of ComboFix. You can restore that file:

Please navigate to C:\qoobox\Quarantine\C\WINDOWS\system32. Right click on msacm32.drv.vir and chose Rename. Remove the .vir extension from the end leaving only msacm32.drv and press Enter. The .drv extension will likely disappear, showing only msacm32 as follows. This is normal:

[image: msacm32.jpg]

Please right click on the file and choose Copy.
Please navigate to C:\Windows\System32. Click on the Edit menu -> Paste.

Has that restored your ability to play sound files?
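The restore procedure above (strip the .vir suffix, copy the file back to its original folder) can be scripted so that the extension is never hidden by Explorer and an existing file is never silently overwritten. The following is an added example, not ComboFix's own tooling or the helper's code. It assumes ComboFix's quarantine mirrors the original drive layout under C:\qoobox\Quarantine (so C:\qoobox\Quarantine\C\WINDOWS\system32\msacm32.drv.vir maps to C:\WINDOWS\system32\msacm32.drv); the function and parameter names are this example's own.

```powershell
# Added example: map a ComboFix quarantine path back to its original location
# and copy the file there. Assumption: quarantine root is C:\qoobox\Quarantine
# and the first folder under it is the drive letter (e.g. "C").
# Function names (Get-QooboxOriginalPath, Restore-QooboxFile) are hypothetical,
# not part of ComboFix.

function Get-QooboxOriginalPath {
    param(
        [Parameter(Mandatory)][string]$QuarantinedPath,
        [string]$QuarantineRoot = 'C:\qoobox\Quarantine'
    )
    $root = $QuarantineRoot.TrimEnd('\') + '\'
    if (-not $QuarantinedPath.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Not under the quarantine root: $QuarantinedPath"
    }
    if (-not $QuarantinedPath.EndsWith('.vir', [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Quarantined files carry a .vir suffix: $QuarantinedPath"
    }
    # Drop the root; the first remaining path element is the drive letter.
    $rel = $QuarantinedPath.Substring($root.Length)
    $drive, $rest = $rel -split '\\', 2
    if ($drive.Length -ne 1 -or -not $rest) {
        throw "Unexpected quarantine layout: $rel"
    }
    $original = "${drive}:\$rest"
    # Strip the trailing ".vir" to recover the original file name.
    return $original.Substring(0, $original.Length - 4)
}

function Restore-QooboxFile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$QuarantinedPath,
        [switch]$Force
    )
    $target = Get-QooboxOriginalPath -QuarantinedPath $QuarantinedPath
    if (-not (Test-Path -LiteralPath $QuarantinedPath)) {
        throw "Quarantined file not found: $QuarantinedPath"
    }
    # Refuse to clobber a file that is already back in place unless asked to.
    if ((Test-Path -LiteralPath $target) -and -not $Force) {
        throw "Target already exists; use -Force to overwrite: $target"
    }
    if ($PSCmdlet.ShouldProcess($target, "Restore from $QuarantinedPath")) {
        # Copy rather than move so the quarantine copy survives for later comparison.
        Copy-Item -LiteralPath $QuarantinedPath -Destination $target -Force:$Force
    }
    return $target
}

# Usage for the file discussed in this thread (-WhatIf shows the target without copying):
# Restore-QooboxFile -QuarantinedPath 'C:\qoobox\Quarantine\C\WINDOWS\system32\msacm32.drv.vir' -WhatIf
```

Because the script works on full file names, the "hidden extension" effect described above (Explorer showing msacm32 instead of msacm32.drv) does not come into play. Run it with -WhatIf first to confirm the computed destination, and keep the .vir copy in qoobox until you are sure the restored file behaves as expected.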
 
Everything Working!

Set the file back and everything seems to be working fine.
The local expert had assured me that I would have to reformat the whole computer... now I know better! Thank you so much.
If you send me your address, I would like to send you one of my CDs as a thank you gift. I make experimental electronic music.
I really appreciate your help!

Sev
 
Thank you for your very kind offer, but it's really not necessary. Helping here is reward enough.

It is unfortunate that a number of "experts" will suggest a full format as the only option where they are unable to solve a malware problem.

Below I have included some ideas on how to prevent future infections.

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please navigate to http://windowsupdate.microsoft.com and download all the Critical Updates for Windows. These will patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Some good free firewalls are ZoneAlarm, Kerio, or Outpost. All of these will provide a far greater level of protection than the firewall built into Windows.
A tutorial on understanding and using firewalls may be found here.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's
Immunize and TeaTimer features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad which provides protections against malicious websites.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure or are looking for anti-spyware programs, you can find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.
If you are interested, Firefox may be downloaded from here
Opera is available here: http://www.opera.com/download/

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)
 
Thank you!

I just want to say thank you again.
So much of my work depends on the computer running well that your help has been very crucial to me in so many ways.
I have Spybot and Kasperky (or however it's spelled) installed now.
I only have the Windows firewall. I had Zone Alarm before and I had some problems with some sites with it so I removed it.
I will try one of the other ones.
Thanks again and my offer stands if you change your mind.
 