WiredWX Christian Hobby Weather Tools
Disappearing and Reappearing Virus/Worm, Help needed

Howdy Guys,

I was told this was the place to go if you need help removing malware. So here's the description of the problem from the start. I assume I got the malware from a bunch of dubious sites the other day while searching for rapidshare links. It first started off with the computer slowing down, especially in IE/Firefox and when switching between windows. Thought not much of it until ZA antivirus notified me it had found Worm.Win32.AutoRun.rwr in two files, windows.0\system32\fxsocm32.dll and windows.0\system32\trnsprov32.dll, which it couldn't clean, quarantine or delete. I was told to run various tools to fix the worm (Smitfraud, SDFix, SuperAntiSpyware, Malwarebytes' Anti-Malware, etc., and I can post the various logs if needed); however the notification from ZA would come back after every reboot. Also, using Spybot I found that the Hosts file had massive amounts of extra crap in it, which was then removed and has since not come back. Next I used a BartPE Kaspersky DVD to boot and then deleted the offending .dll files after running a complete virus scan, which came up clean. A few reboots later it appears again along with some infections in the System Restore folder (which I was then told to disable). Have run various online scans, each giving me different results (some telling me I'm infected, others not, always with different things); however my computer is slowing down more and more, as well as sometimes it will randomly open an IE window which will sit there blank but looking like it's loading something. Other times I have looked in Task Manager and a million Firefox.exe's have been running while none are or have been opened. A new one found just recently was Trojan.Win32.StartPage.cyk, which ZA picked up in system32\taskmagr.exe. I have XP SP3 (it updated today) and I run ZA Suite for both firewall and AV, Spybot and Windows Defender. Anyway there's the deelio and here's the HijackThis post,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:33:29, on 9/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
C:\WINDOWS.0\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS.0\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS.0\system32\rundll32.exe
C:\WINDOWS.0\RTHDCPL.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\Documents and Settings\Administrator\My Documents\Azureus Downloads\za\za\Crack\Keygen.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS.0\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Administrator
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ForceField Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: ForceField Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /start_mode="auto"
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Program Files\ABIT\ABITEQ\ABITEQ.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223035557321
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223101955468
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: CAAU - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CAAU.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS.0\system32\ZoneLabs\vsmon.exe

--
End of file - 9084 bytes

Cheers in Advance Guys!
Sandman28

Last edited by Belahzur on 11th November 2008, 11:52 am; edited 3 times in total (Reason for editing : Added info)

Re: Disappearing and Reappearing Virus/Worm, Help needed

I see you were running a keygen when this log was taken; keygens are often full of infections. Can you open Task Manager and close the process of the keygen? It should be named keygen.exe.


  • Download ComboFix from here, use the top links - combofix.exe
  • Double click on ComboFix.exe.
  • Follow the prompts.

    NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.

    [screenshot: Recovery Console prompt]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt that asks if you want to continue the malware scan; select Yes.

    [screenshot: "What next" prompt]

  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
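As an added example (not from this thread, and not part of HijackThis or ComboFix), here is a small Python script that applies the two checks the helper makes by eye to HijackThis-style lines: a running process from a user-writable location (the Keygen.exe under My Documents above) and an O23 service whose binary is missing or lives in Temp (the CAAU entry), and then drafts the Driver:: stanza the helper later put in the CFScript. The sample log is a constructed excerpt of the one posted above; the path and name patterns, the service-line splitting and the stanza drafting are my assumptions.

```python
import re
from typing import Dict, List

# Constructed excerpt in the shape of the HijackThis log posted above: a few
# representative lines, including the two entries the thread acts on (the
# running Keygen.exe and the CAAU service whose Temp binary is missing).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Documents and Settings\Administrator\My Documents\Azureus Downloads\za\za\Crack\Keygen.exe
C:\HiJackThis.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: CAAU - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CAAU.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Assumed heuristics (not from the thread's tools): user-writable locations a
# legitimate service or autostart binary rarely lives in, and file names the
# helper's first reply treats as a red flag in themselves.
USER_WRITABLE = re.compile(
    r"\\(documents and settings|docume~1|temp|users|appdata)\\", re.I)
PIRACY_TOOLS = re.compile(r"keygen|crack", re.I)


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Split a HijackThis log into its 'Running processes' block and its
    lettered entries keyed by prefix (O4 = autostarts, O23 = services, ...)."""
    out: Dict[str, List[str]] = {"processes": []}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:            # a blank line ends the process block
            in_procs = False
            continue
        if in_procs:
            out["processes"].append(line)
            continue
        m = re.match(r"^([ORF]\d+) - (.*)$", line)
        if m:
            out.setdefault(m.group(1), []).append(m.group(2))
    return out


def service_path(entry: str) -> str:
    """'Service: name - owner - C:\\x.exe (file missing)' -> 'C:\\x.exe'.
    Assumes the owner field itself contains no ' - '."""
    body = entry.split(" - ", 2)[-1]
    return body.replace("(file missing)", "").strip()


def service_name(entry: str) -> str:
    """'Service: Display Name (ShortName) - ...' -> 'ShortName', or the display
    name when no short name is given (as for CAAU in the log above)."""
    display = entry.split(" - ", 1)[0]
    if display.startswith("Service: "):
        display = display[len("Service: "):]
    m = re.search(r"\(([^()]+)\)$", display.strip())
    return m.group(1) if m else display.strip()


def triage(text: str) -> List[str]:
    """Return findings in the order a reviewer would raise them: processes
    first, then services."""
    log = parse_hjt(text)
    findings: List[str] = []
    for proc in log["processes"]:
        if PIRACY_TOOLS.search(proc) or USER_WRITABLE.search(proc):
            findings.append(f"process from user-writable/untrusted location: {proc}")
    for entry in log.get("O23", []):
        if "(file missing)" in entry or USER_WRITABLE.search(service_path(entry)):
            findings.append(f"suspicious service entry: {entry}")
    return findings


def cfscript_driver_block(text: str) -> str:
    """Draft the Driver:: stanza of a ComboFix CFScript, in the layout used in
    this thread, for services flagged by triage(); empty string if none."""
    names = [service_name(e) for e in parse_hjt(text).get("O23", [])
             if "(file missing)" in e or USER_WRITABLE.search(service_path(e))]
    return "Driver::\n" + "\n".join(names) + "\n" if names else ""


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    print(cfscript_driver_block(SAMPLE_LOG), end="")
```

The stanza is only a draft for a reviewer to check against the rest of the log, as the helper did here before asking for the CFScript run.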

Combo Log Pt1

Howdy,

Thanks for the quick reply. I'm assuming that the keygens I used may have been the source of this malware; I just wonder why ZA Antivirus active shield didn't detect them when the file was opened. Anyway, here is the combo log. Also note I have changed from ZA to Kaspersky Internet Suite. Sorry, but I will have to post in parts as it keeps saying the message is too big (and I can't find a way to attach a text doco).

Cheers
Sandman28


Combo Log pt 2


Combo Log pt 3


Re: Disappearing and Reappearing Virus/Worm, Help needed

That shifted most of it, but not done yet. :)
===

**Note** - Don't use spoiler tags; it makes it hard to read for me because it closes every time I click it. Use [Quote] tags on this next log.

Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows.0\system32\xwr10977.dll
c:\windows.0\system32\wr10977.dll
c:\windows.0\system32\xa6734453.exe
c:\windows.0\system32\xa6734265.exe
C:\SUPERAntiSpyware.exe
C:\mb.exe
C:\bee.exe
C:\bee.opt

DirLook::
C:\getservice
C:\SAV32CLI

Folder::
C:\SmitfraudFix
C:\SDFix

Driver::
CAAU

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{992A5751-8C16-3090-94B8-82A670D272A0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2694e582-a86e-11dd-95a5-000761c94d79}]


Save this as CFScript.txt; save it to your desktop also.
Then drag and drop CFScript.txt into ComboFix as seen below:
[screenshot: dragging CFScript.txt onto ComboFix.exe]

This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.

2nd Combo Fix pt1

Howdy Man,

Sorry about the spoiler tag, I just didn't want the page filled with log postings. Also I couldn't reply earlier today as I had a final uni exam (funny how viruses know to infect at crucial times), but did you mention something about wanting to know what some of the programs I have installed were? Anyway, I ran ComboFix with the file you requested (personally I can't tell the difference, so I hope it worked properly). Here it is:


ComboFix 08-11-09.03 - Administrator 2008-11-10 23:14:08.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1554 [GMT 11:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\bee.exe
C:\bee.opt
C:\mb.exe
C:\SUPERAntiSpyware.exe
c:\windows.0\system32\wr10977.dll
c:\windows.0\system32\xa6734265.exe
c:\windows.0\system32\xa6734453.exe
c:\windows.0\system32\xwr10977.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bee.exe
C:\bee.opt
C:\mb.exe
C:\SDFix



Cheers
Sandman28

2nd Combofix pt 2

C:\SmitfraudFix
C:\SUPERAntiSpyware.exe
c:\windows.0\system32\wr10977.dll
c:\windows.0\system32\xa6734265.exe
c:\windows.0\system32\xa6734453.exe
c:\windows.0\system32\xwr10977.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CAAU
-------\Service_CAAU
((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.

2008-11-09 23:12 . 2008-11-09 23:27 96,976 --a------ c:\windows.0\system32\drivers\klin.dat
2008-11-09 23:12 . 2008-11-09 23:12 87,855 --a------ c:\windows.0\system32\drivers\klick.dat
2008-11-09 23:11 . 2008-11-09 23:11 d-------- c:\program files\Kaspersky Lab
2008-11-09 23:11 . 2008-11-10 23:03 d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-11-09 23:11 . 2008-11-10 23:01 9,311,264 --ahs---- c:\windows.0\system32\drivers\fidbox.dat
2008-11-09 23:11 . 2008-11-10 23:01 393,248 --ahs---- c:\windows.0\system32\drivers\fidbox2.dat
2008-11-09 23:11 . 2008-11-10 23:01 74,872 --ahs---- c:\windows.0\system32\drivers\fidbox.idx
2008-11-09 23:11 . 2008-11-10 23:01 3,472 --ahs---- c:\windows.0\system32\drivers\fidbox2.idx
2008-11-09 22:53 . 2008-11-09 22:53 d-------- c:\program files\Kaspersky Internet Security
2008-11-09 22:27 . 2008-11-09 22:27 d-------- c:\program files\Kaspersky Anti-Virus
2008-11-09 18:27 . 2008-11-09 18:27 d-------- c:\documents and settings\Administrator\Application Data\Red Alert 3
2008-11-09 17:17 . 2008-11-09 17:17 d-------- c:\documents and settings\Administrator\Application Data\Bitdefender
2008-11-09 17:11 . 2008-11-10 13:40 81,984 --a------ c:\windows.0\system32\bdod.bin
2008-11-09 17:05 . 2008-11-09 17:05 d-------- c:\program files\Softwin
2008-11-09 17:05 . 2008-11-09 17:06 d-------- c:\documents and settings\All Users\Application Data\BitDefender
2008-11-09 17:03 . 2008-11-09 17:05 d-------- c:\program files\Common Files\Softwin
2008-11-09 16:46 . 2008-11-09 16:46 d-a------ C:\getservice
2008-11-09 16:39 . 2007-09-05 23:22 289,144 --a------ c:\windows.0\system32\VCCLSID.exe
2008-11-09 16:39 . 2006-04-27 16:49 288,417 --a------ c:\windows.0\system32\SrchSTS.exe
2008-11-09 16:39 . 2008-10-01 14:51 87,552 --a------ c:\windows.0\system32\VACFix.exe
2008-11-09 16:39 . 2008-10-10 07:58 82,944 --a------ c:\windows.0\system32\o4Patch.exe
2008-11-09 16:39 . 2008-05-18 20:40 82,944 --a------ c:\windows.0\system32\IEDFix.exe
2008-11-09 16:39 . 2008-10-10 07:58 82,944 --a------ c:\windows.0\system32\IEDFix.C.exe
2008-11-09 16:39 . 2008-08-18 11:19 82,432 --a------ c:\windows.0\system32\404Fix.exe
2008-11-09 16:39 . 2003-06-05 20:13 53,248 --a------ c:\windows.0\system32\Process.exe
2008-11-09 16:39 . 2004-07-31 17:50 51,200 --a------ c:\windows.0\system32\dumphive.exe
2008-11-09 16:39 . 2007-10-03 23:36 25,600 --a------ c:\windows.0\system32\WS2Fix.exe
2008-11-09 16:33 . 2008-11-09 16:33 401,720 --a------ C:\HiJackThis.exe
2008-11-09 15:26 . 2008-11-09 15:26 d-------- c:\documents and settings\Administrator\Application Data\WinCare2008
2008-11-09 13:32 . 2008-11-09 13:32 d-------- c:\program files\Windows Media Connect 2
2008-11-09 13:29 . 2008-11-09 13:29 d-------- c:\windows.0\system32\LogFiles
2008-11-09 13:29 . 2008-11-09 13:30 d-------- c:\windows.0\system32\drivers\UMDF
2008-11-09 13:28 . 2001-08-17 13:57 16,128 --a------ c:\windows.0\system32\drivers\MODEMCSA.sys
2008-11-09 13:27 . 2008-11-09 13:27 d-------- c:\program files\CONEXANT
2008-11-09 12:45 . 2008-11-09 12:45 d-------- c:\windows.0\system32\xircom
2008-11-09 12:45 . 2008-11-09 12:45 d-------- c:\program files\microsoft frontpage
2008-11-09 10:09 . 2008-11-09 10:09 d-------- c:\windows.0\system32\scripting
2008-11-09 10:09 . 2008-11-09 10:09 d-------- c:\windows.0\system32\en
2008-11-09 10:09 . 2008-11-09 10:09 d-------- c:\windows.0\system32\bits
2008-11-09 10:09 . 2008-11-09 10:09 d-------- c:\windows.0\l2schemas
2008-11-09 10:07 . 2008-11-09 10:10 d-------- c:\windows.0\ServicePackFiles
2008-11-08 18:19 . 2008-11-08 20:29 d-------- c:\program files\Security Task Manager
2008-11-08 18:19 . 2008-11-09 23:21 d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2008-11-08 17:54 . 2008-11-08 17:57 64 --a------ c:\windows.0\system32\Unlocker.cfg
2008-11-08 00:22 . 2008-11-09 10:38 d-------- c:\program files\Windows Live Safety Center
2008-11-08 00:20 . 2008-11-08 00:35 d-------- c:\documents and settings\Administrator\SmitfraudFix
2008-11-07 14:57 . 2008-11-07 15:30 d-------- C:\MGtools
2008-11-07 14:57 . 2008-11-07 15:30 67,510 --a------ C:\MGlogs.zip
2008-11-07 14:57 . 2005-01-14 13:41 11,254 --a------ c:\windows.0\system32\locate.com
2008-11-07 09:16 . 2008-11-07 09:16 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-07 09:16 . 2008-11-07 09:16 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-07 09:16 . 2008-11-07 09:16 d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-07 09:16 . 2008-10-22 16:28 38,496 --a------ c:\windows.0\system32\drivers\mbamswissarmy.sys
2008-11-07 09:16 . 2008-10-22 16:28 15,504 --a------ c:\windows.0\system32\drivers\mbam.sys
2008-11-07 09:10 . 2008-11-07 09:10 d-------- c:\program files\SUPERAntiSpyware
2008-11-07 09:10 . 2008-11-07 09:10 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-07 09:10 . 2008-11-07 09:10 d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-11-07 09:09 . 2008-11-07 09:09 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-07 09:06 . 2008-11-07 09:07 1,312,578 --a------ C:\MGtools.exe
2008-11-07 09:04 . 2008-11-07 09:04 25,200 --a------ C:\attachment.htm
2008-11-07 08:59 . 2008-11-07 08:59 d-------- c:\program files\CCleaner
2008-11-07 00:44 . 2008-11-07 00:44 d-------- C:\SAV32CLI
2008-11-07 00:28 . 2008-11-07 00:28 47,596 --a------ c:\windows.0\system32\drivers\REGSYS701.SYS
2008-11-06 23:28 . 2008-11-09 15:19 d-------- C:\Downloads
2008-11-06 23:25 . 2008-11-09 16:16 d-------- c:\program files\FlashGet
2008-11-06 23:11 . 2008-11-09 18:05 d-------- c:\program files\Electronic Arts
2008-11-06 22:38 . 2008-11-06 22:38 d-------- c:\program files\SEGA
2008-11-06 20:14 . 2008-11-09 16:39 2,896 --a------ c:\windows.0\system32\tmp.reg
2008-11-06 19:32 . 2008-11-06 19:32 dr-h----- c:\documents and settings\Administrator\Application Data\SecuROM
2008-11-06 19:27 . 2008-11-06 19:32 107,888 --a------ c:\windows.0\system32\CmdLineExt.dll
2008-11-06 19:15 . 2008-11-06 19:15 d-------- c:\program files\Ubisoft

Combo Fix pt 3
2008-11-06 17:19 . 2008-11-06 17:31 d-------- c:\documents and settings\All Users\Application Data\Bluetooth
2008-11-06 16:51 . 2008-04-14 11:12 16,384 --a------ c:\windows.0\system32\ipsink.ax
2008-11-06 16:51 . 2008-04-14 05:46 15,232 --a------ c:\windows.0\system32\drivers\streamip.sys
2008-11-06 16:51 . 2008-04-14 05:46 11,136 --a------ c:\windows.0\system32\drivers\slip.sys
2008-11-06 16:51 . 2008-04-14 05:46 10,880 --a------ c:\windows.0\system32\drivers\ndisip.sys
2008-11-06 16:50 . 2008-04-14 05:46 85,248 --a------ c:\windows.0\system32\drivers\nabtsfec.sys
2008-11-06 16:50 . 2008-04-14 05:46 19,200 --a------ c:\windows.0\system32\drivers\wstcodec.sys
2008-11-06 16:50 . 2008-04-14 05:46 17,024 --a------ c:\windows.0\system32\drivers\ccdecode.sys
2008-11-06 16:50 . 2008-04-14 05:39 5,504 --a------ c:\windows.0\system32\drivers\mstee.sys
2008-11-06 16:49 . 2004-08-04 00:56 90,624 --a------ c:\windows.0\system32\drivers\kswdmcap.ax
2008-11-06 16:49 . 2004-08-04 00:56 61,952 --a------ c:\windows.0\system32\drivers\kstvtune.ax
2008-11-06 16:49 . 2004-08-04 00:56 53,760 --a------ c:\windows.0\system32\drivers\vfwwdm32.dll
2008-11-06 16:49 . 2004-08-04 00:56 43,008 --a------ c:\windows.0\system32\drivers\ksxbar.ax
2008-11-06 16:49 . 2004-08-04 00:56 28,672 --a------ c:\windows.0\system32\drivers\vidcap.ax
2008-11-06 16:47 . 2007-11-14 15:18 553 --a------ c:\windows.0\USetup.iss
2008-11-06 16:44 . 2007-06-26 21:13 86,016 -ra------ c:\windows.0\system32\drivers\SCBaud.w9x
2008-11-06 16:44 . 2007-06-26 21:13 77,824 -ra------ c:\windows.0\system32\drivers\SioUi2k.dll
2008-11-06 16:44 . 2007-06-26 21:13 73,728 -ra------ c:\windows.0\system32\drivers\SCBaud.cpl
2008-11-06 16:44 . 2007-06-26 21:13 63,488 -ra------ c:\windows.0\system32\drivers\wssbtr1f.sys
2008-11-06 16:44 . 2007-06-26 21:13 51,169 -ra------ c:\windows.0\system32\drivers\OXSER.SYS
2008-11-06 16:44 . 2007-06-26 21:13 48,556 -ra------ c:\windows.0\system32\drivers\SktBt2k.sys
2008-11-06 16:44 . 2007-06-26 21:13 48,076 -ra------ c:\windows.0\system32\drivers\Sio9502k.sys
2008-11-06 16:44 . 2007-06-26 21:13 40,960 -ra------ c:\windows.0\system32\drivers\SCTray.exe
2008-11-06 16:44 . 2007-06-26 21:13 16,486 -ra------ c:\windows.0\system32\drivers\sktsio9x.vxd
2008-11-06 16:44 . 2007-06-26 21:13 14,380 -ra------ c:\windows.0\system32\drivers\OXSER.VXD
2008-11-06 16:44 . 2007-06-26 21:13 5,787 -ra------ c:\windows.0\system32\drivers\SCTB.VXD
2008-11-06 16:44 . 2007-06-26 21:13 208 -ra------ c:\windows.0\system32\drivers\vssver.scc
2008-11-06 16:43 . 2008-11-06 16:43 d-------- c:\program files\IVT Corporation
2008-11-06 16:41 . 2008-08-05 20:10 1,684,736 --a------ c:\windows.0\system32\drivers\Ambfilt.sys
2008-11-06 16:41 . 2006-01-04 15:41 1,389,056 --a------ c:\windows.0\system32\drivers\Monfilt.sys
2008-11-06 16:41 . 2008-10-27 18:12 34,816 --a------ c:\windows.0\system32\RtkCoInstXP.dll
2008-11-05 11:08 . 2008-11-07 21:14 571 --a------ c:\windows.0\switch.inf
2008-11-03 20:02 . 2008-11-03 20:02 d-------- c:\program files\Common Files\Stardock
2008-11-03 20:02 . 2000-10-10 13:01 198,656 --a------ c:\windows.0\system32\comdlg32.ocx
2008-11-03 20:02 . 2000-05-17 09:52 187,392 --a------ c:\windows.0\system32\JPGUtils.dll
2008-11-03 20:02 . 2008-11-10 23:20 24 --a------ c:\windows.0\LogonStudio.ini
2008-11-03 14:19 . 2008-11-03 14:19 d-------- c:\program files\IrfanView
2008-11-03 13:30 . 2008-04-14 11:12 1,737,856 --------- c:\windows.0\system32\mtxparhd.dll
2008-11-03 13:29 . 2008-04-14 11:11 1,888,992 --------- c:\windows.0\system32\ati3duag.dll
2008-11-03 13:23 . 2008-08-14 21:11 2,189,184 -----c--- c:\windows.0\system32\dllcache\ntoskrnl.exe
2008-11-03 13:23 . 2008-08-14 21:09 2,145,280 -----c--- c:\windows.0\system32\dllcache\ntkrnlmp.exe
2008-11-03 13:23 . 2008-08-14 20:33 2,066,048 -----c--- c:\windows.0\system32\dllcache\ntkrnlpa.exe
2008-11-03 13:23 . 2008-08-14 20:33 2,023,936 -----c--- c:\windows.0\system32\dllcache\ntkrpamp.exe
2008-11-03 13:23 . 2008-09-15 23:12 1,846,400 -----c--- c:\windows.0\system32\dllcache\win32k.sys
2008-11-03 13:23 . 2008-09-08 21:41 333,824 -----c--- c:\windows.0\system32\dllcache\srv.sys
2008-11-03 13:22 . 2008-10-16 03:34 337,408 -----c--- c:\windows.0\system32\dllcache\netapi32.dll
2008-11-03 13:14 . 2008-07-18 22:07 270,880 --a------ c:\windows.0\system32\mucltui.dll
2008-11-03 13:14 . 2008-07-18 22:07 29,728 --a------ c:\windows.0\system32\mucltui.dll.mui
2008-11-02 20:30 . 2008-11-03 17:59 d-------- c:\program files\Stardock
2008-11-02 20:29 . 2008-11-02 20:29 d-------- c:\program files\WinCustomize
2008-11-02 19:54 . 2008-11-03 12:57 d-------- c:\windows.0\Ice Crystal Uninstaller
2008-11-02 19:54 . 2007-07-15 14:57 2,551 --a------ c:\windows.0\Ice Crystal.c2
2008-11-02 19:54 . 2007-07-15 18:32 1,712 --a------ c:\windows.0\Ice Crystal.swf
2008-11-02 19:54 . 2007-07-15 18:41 676 --a------ c:\windows.0\Ice Crystal.c3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-10 12:15 --------- d-----w c:\program files\PeerGuardian2
2008-11-09 12:01 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-09 12:01 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-06 11:38 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-06 07:04 --------- d-----w c:\program files\Zoom Player
2008-11-06 05:41 --------- d-----w c:\program files\Realtek
2008-11-05 12:52 --------- d-----w c:\documents and settings\Administrator\Application Data\Apple Computer
2008-11-01 23:38 --------- d-----w c:\program files\QuickTime Alternative
2008-10-31 00:38 4,942,336 ----a-w c:\windows.0\system32\drivers\RtkHDAud.sys
2008-10-28 06:18 17,331,200 ----a-w c:\windows.0\RTHDCPL.EXE
2008-10-18 01:23 --------- d-----w c:\documents and settings\All Users\Application Data\MailFrontier
2008-10-15 02:25 --------- d-----w c:\program files\Java
2008-10-04 23:52 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-10-04 23:37 --------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2008-10-04 11:26 --------- d-----w c:\program files\DVD Shrink
2008-10-04 07:06 --------- d-----w c:\program files\DAEMON Tools
2008-10-04 07:02 --------- d-----w c:\program files\MSXML 4.0
2008-10-04 06:54 --------- d-----w c:\program files\Vuze
2008-10-04 06:39 --------- d-----w c:\program files\RealMedia
2008-10-04 06:39 --------- d-----w c:\program files\OpenSource Flash Video Splitter
2008-10-04 06:39 --------- d-----w c:\program files\Haali
2008-10-04 06:39 --------- d-----w c:\program files\DSP-worx
2008-10-04 06:39 --------- d-----w c:\program files\DScaler5
2008-10-04 06:39 --------- d-----w c:\program files\CD Audio Reader Filter
2008-10-04 06:22 --------- d-----w c:\program files\LimeWire
2008-10-04 06:18 --------- d-----w c:\program files\DirectVobSub
2008-10-04 06:17 --------- d-----w c:\program files\iTunes
2008-10-04 06:17 --------- d-----w c:\program files\iPod
2008-10-04 06:16 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-04 06:15 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-10-04 06:15 --------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2008-10-04 06:14 --------- d-----w c:\program files\Shutter
2008-10-04 06:13 682,232 ----a-w c:\windows.0\system32\drivers\sptd.sys
2008-10-04 06:11 --------- d-----w c:\program files\Xvid
2008-10-04 00:43 --------- d-----w c:\program files\Windows Live
2008-10-04 00:42 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-10-04 00:41 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-10-03 14:43 --------- d-----w c:\program files\Gravity
2008-10-03 12:05 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-03 12:05 --------- d-----w c:\program files\ABIT
2008-10-03 12:04 --------- d-----w c:\program files\ITE
2008-10-03 11:30 --------- d-----w c:\program files\Activision
2008-10-03 11:26 --------- d-----w c:\program files\Real Alternative
2008-10-03 11:26 --------- d-----w c:\program files\Common Files\Ahead
2008-10-03 11:26 --------- d-----w c:\program files\Common Files\Adobe
2008-10-03 11:26 --------- d-----w c:\program files\Ahead
2008-10-03 11:25 --------- d-----w c:\program files\Media Player Classic
2008-10-03 11:25 --------- d-----w c:\program files\K-Lite Codec Pack
2008-10-03 11:25 --------- d-----w c:\program files\Common Files\Java
2008-09-30 05:38 2,168,320 ----a-w c:\windows.0\MicCal.exe
2008-09-19 06:48 1,200,128 ----a-w c:\windows.0\RtlUpd.exe
2008-09-17 13:55 6,132,576 ----a-w c:\windows.0\system32\drivers\nv4_mini.sys
2008-08-25 05:17 528,384 ----a-w c:\windows.0\RtlExUpd.dll
2008-08-19 02:26 77,824 ----a-w c:\windows.0\SOUNDMAN.EXE
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\getservice ----

2008-11-09 16:46 56590 --a------ c:\getservice\getservice.txt
2008-07-29 15:31 109 --a------ c:\getservice\getservice.bat
2008-07-29 15:27 139264 --a------ c:\getservice\swsc.exe

---- Directory of C:\SAV32CLI ----

2008-10-23 09:36 10612 --a------ c:\sav32cli\READCLI.TXT
2008-10-08 16:17 87036 --a------ c:\sav32cli\APPC01.VDB
2008-10-08 16:17 1004405 --a------ c:\sav32cli\VDL.DAT
2008-10-08 16:16 5338 --a------ c:\sav32cli\SUS01.VDB
2008-10-08 11:13 774614 --a------ c:\sav32cli\VDL48.VDB
2008-10-08 11:13 766256 --a------ c:\sav32cli\VDL32.VDB
2008-10-08 11:13 76031 --a------ c:\sav32cli\VDL42.VDB
2008-10-08 11:13 715594 --a------ c:\sav32cli\VDL33.VDB
2008-10-08 11:13 66194 --a------ c:\sav32cli\VDL43.VDB
2008-10-08 11:13 620174 --a------ c:\sav32cli\VDL36.VDB
2008-10-08 11:13 597474 --a------ c:\sav32cli\VDL31.VDB
2008-10-08 11:13 595020 --a------ c:\sav32cli\VDL34.VDB
2008-10-08 11:13 594971 --a------ c:\sav32cli\VDL40.VDB
2008-10-08 11:13 572366 --a------ c:\sav32cli\VDL35.VDB
2008-10-08 11:13 525517 --a------ c:\sav32cli\VDL37.VDB
2008-10-08 11:13 423007 --a------ c:\sav32cli\VDL38.VDB
2008-10-08 11:13 349949 --a------ c:\sav32cli\VDL01.VDB
2008-10-08 11:13 313035 --a------ c:\sav32cli\VDL02.VDB
2008-10-08 11:13 310586 --a------ c:\sav32cli\VDL22.VDB
2008-10-08 11:13 305489 --a------ c:\sav32cli\VDL16.VDB
2008-10-08 11:13 292911 --a------ c:\sav32cli\VDL28.VDB
2008-10-08 11:13 289845 --a------ c:\sav32cli\VDL23.VDB
2008-10-08 11:13 286021 --a------ c:\sav32cli\VDL29.VDB
2008-10-08 11:13 281792 --a------ c:\sav32cli\VDL17.VDB
2008-10-08 11:13 279731 --a------ c:\sav32cli\VDL45.VDB
2008-10-08 11:13 265965 --a------ c:\sav32cli\VDL24.VDB
2008-10-08 11:13 260691 --a------ c:\sav32cli\VDL03.VDB
2008-10-08 11:13 254226 --a------ c:\sav32cli\VDL27.VDB
2008-10-08 11:13 252888 --a------ c:\sav32cli\VDL39.VDB
2008-10-08 11:13 245604 --a------ c:\sav32cli\VDL13.VDB
2008-10-08 11:13 243428 --a------ c:\sav32cli\VDL14.VDB
2008-10-08 11:13 242645 --a------ c:\sav32cli\VDL18.VDB
2008-10-08 11:13 241467 --a------ c:\sav32cli\VDL19.VDB
2008-10-08 11:13 240774 --a------ c:\sav32cli\VDL25.VDB
2008-10-08 11:13 237948 --a------ c:\sav32cli\VDL20.VDB
2008-10-08 11:13 235946 --a------ c:\sav32cli\VDL05.VDB
2008-10-08 11:13 235176 --a------ c:\sav32cli\VDL04.VDB
2008-10-08 11:13 234503 --a------ c:\sav32cli\VDL12.VDB
2008-10-08 11:13 200235 --a------ c:\sav32cli\VDL15.VDB
2008-10-08 11:13 198876 --a------ c:\sav32cli\VDL11.VDB
2008-10-08 11:13 197598 --a------ c:\sav32cli\VDL26.VDB
2008-10-08 11:13 185689 --a------ c:\sav32cli\VDL06.VDB
2008-10-08 11:13 170636 --a------ c:\sav32cli\VDL21.VDB
2008-10-08 11:13 169362 --a------ c:\sav32cli\VDL08.VDB
2008-10-08 11:13 162917 --a------ c:\sav32cli\VDL07.VDB
2008-10-08 11:13 157694 --a------ c:\sav32cli\VDL10.VDB
2008-10-08 11:13 150458 --a------ c:\sav32cli\VDL41.VDB
2008-10-08 11:13 143967 --a------ c:\sav32cli\VDL46.VDB

Combo Fix part 4
There really needs to be an easier way to post long logs, or attach txt files. Anyway here is the final part:

2008-10-08 11:13 142218 --a------ c:\sav32cli\VDL09.VDB
2008-10-08 11:13 108338 --a------ c:\sav32cli\VDL30.VDB
2008-10-08 11:13 1082174 --a------ c:\sav32cli\VDL49.VDB
2008-10-08 11:13 106156 --a------ c:\sav32cli\VDL47.VDB
2008-10-08 11:13 101918 --a------ c:\sav32cli\VDL44.VDB
2008-09-30 12:16 31 --a------ c:\sav32cli\SVEXT.DAT
2008-09-29 15:44 224312 --a------ c:\sav32cli\SAV32CLI.EXE
2008-09-29 13:38 1699903 --a------ c:\sav32cli\VEEX.DLL
2008-09-29 13:38 131072 --a------ c:\sav32cli\SAVMSCM.DLL
2008-09-29 13:34 483391 --a------ c:\sav32cli\SAVI.DLL
2008-09-29 13:34 118847 --a------ c:\sav32cli\OSDP.DLL


((((((((((((((((((((((((((((( snapshot@2008-11-10_10.12.17.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-09 22:58:40 64,576 ----a-w c:\windows.0\system32\perfc009.dat
+ 2008-11-10 12:06:41 64,576 ----a-w c:\windows.0\system32\perfc009.dat
- 2008-11-09 22:58:40 409,562 ----a-w c:\windows.0\system32\perfh009.dat
+ 2008-11-10 12:06:41 409,562 ----a-w c:\windows.0\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ABIT uGuruIII"="c:\program files\ABIT\ABITEQ\ABITEQ.exe" [2006-02-22 417792]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-04-04 165784]
"ctfmon.exe"="c:\windows.0\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows.0\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows.0\system32\NvCpl.dll" [2008-09-18 13574144]
"NvMediaCenter"="c:\windows.0\system32\NvMcTray.dll" [2008-09-18 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-04-27 257088]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-04-09 2595792]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-04-09 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-04-09 136472]
"QuickTime Task"="c:\program files\QuickTime Alternative\QTTask.exe" [2007-10-19 286720]
"LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 987187]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2008-07-24 445688]
"BDAgent"="c:\program files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 69632]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]
"nwiz"="nwiz.exe" [2008-09-18 c:\windows.0\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows.0\system32\bthprops.cpl]
"RTHDCPL"="RTHDCPL.EXE" [2008-10-28 c:\windows.0\RTHDCPL.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 c:\windows.0\KHALMNPR.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 c:\windows.0\KHALMNPR.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2008-11-06 1183744]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-10-26 784912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\WINDOWS.0\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 10:10 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.3iv2"= c:\progra~1\K-LITE~1\codecs\3IVXVF~1.DLL
"VIDC.VP60"= c:\progra~1\K-LITE~1\codecs\vp6vfw.dll
"VIDC.VP61"= c:\progra~1\K-LITE~1\codecs\vp6vfw.dll
"VIDC.VP62"= c:\progra~1\K-LITE~1\codecs\vp6vfw.dll
"VIDC.VP70"= c:\progra~1\K-LITE~1\codecs\vp7vfw.dll
"VIDC.VP31"= c:\progra~1\K-LITE~1\codecs\vp31vfw.dll
"msacm.ac3acm"= c:\progra~1\K-LITE~1\codecs\ac3acm.acm
"msacm.l3fhg"= c:\progra~1\K-LITE~1\codecs\l3codecp.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager 1.0\\MediaManager.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Kaspersky Internet Security\\setup.exe"=

R0 ABIT-IO;ABIT-IO;c:\windows.0\system32\Drivers\ABIT-IO.sys [2005-12-08 4608]
R0 iteraid;ITERAID_Service_Install;c:\windows.0\system32\DRIVERS\iteraid.sys [2005-08-05 26112]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows.0\system32\drivers\klbg.sys [2008-01-29 32784]
R2 IswSvc;ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [2008-07-24 195832]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows.0\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows.0\system32\DRIVERS\klim5.sys [2008-04-30 24592]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [2008-07-24 35072]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows.0\system32\drivers\mbamswissarmy.sys [2008-10-22 38496]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 23:19:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows.0\system32\savedump.exe
c:\program files\Common Files\Logishrd\Bluetooth\LBTServ.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows.0\system32\nvsvc32.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\program files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
c:\program files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
c:\program files\Softwin\BitDefender10\vsserv.exe
c:\windows.0\system32\rundll32.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\windows.0\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-11-10 23:22:45 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-11-10 12:22:41
ComboFix2.txt 2008-11-09 23:12:42
ComboFix3.txt 2008-11-07 04:12:31

Pre-Run: 165,798,957,056 bytes free
Post-Run: 165,731,082,240 bytes free

885 --- E O F --- 2008-11-09 09:46:17

Re: Disappearing and Reappearing Virus/Worm, Help needed
Hello. No problem with the exam, real life comes first, so just take your time.

Yeah, I wanted to know what the mgtools were, but the good Doc. Inferno told me they were something to do with Majorgeeks, so I removed them.

Log looks much better, how's everything now?
====

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6 update 10.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 10".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe that you downloaded to install the newest version.


Make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from here

  • First, unzip it.
  • Then run JavaRa.
  • Select English from the drop down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.

JavaRa Log
Howdy,

System seems to be functioning well this morning, I am surprised how much more malware Kaspersky has found that ZA never picked up. Anyway here's the log, and once again thanks for your help!!

P.S. I was also wondering, do you think it is worth it to run something like Zone Alarm ForceField or should a Kaspersky Firewall and AntiV be enough?

JavaRa 1.11 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Tue Nov 11 11:06:48 2008

Found and removed: C:\Program Files\Java\jre1.6.0_07

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\JavaPlugin.150_05

Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

------------------------------------

Finished reporting.



Re: Disappearing and Reappearing Virus/Worm, Help needed

ZoneAlarm was never meant to be a personal AV, but a firewall that stops incoming traffic.
As long as you stay away from keygens and keep ZoneAlarm and Kaspersky AV up to date, you'll be fine.

Everything looks great.
Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio or Outpost.
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck.

Thanks for all your help.

Howdy,

Thanks for all your help, I now feel safe that I can log into things on this comp without worrying I will get keylogged. About ZA, I wonder how many people out there that had the antivirus and firewall suite think they're safe from viruses like I did. As for your recommendations, I had been following them all (before the virus), however with Kaspersky now (includes both the AV and the Firewall) it won't let me install Spybot as it 'conflicts' with Kaspersky. Kaspersky has an anti-spyware thing in it so I hope that will be enough. Guess I just got unlucky with the files I downloaded, oh well, I know now where to come next time!!

Thank You!

Once again many thanks, thread solved~!
Cheers
Sandman28

Re: Disappearing and Reappearing Virus/Worm, Help needed

Hello.
Glad to hear all is well.
I'll add a solved tag to the topic and leave it open for a few days in case anything goes wrong.

@ Kaspersky - Yeah, it says that with many things, can be a real pain sometimes. Spybot won't conflict with it, but don't install it nonetheless.
