# Looking for advice



## ryanryan007 (Jan 6, 2008)

Hi, I'm about to reformat my computer due to a massive trojan problem. I've tried everything to get rid of it but I've lost hope after countless attempts (it's stuck in my System Volume). So before I reformat I want to make sure I have a great combo of security programs to avoid this problem again. I am currently using these programs: Spyware Doctor, Avast Professional, TuneUp Utilities 2007, Ad-Aware SE Professional.

Can anyone offer more or alternate programs, because these programs aren't as secure as I hoped them to be?


----------



## leroys1000 (Aug 16, 2007)

A firewall.
You might start by downloading ZoneAlarm Free and go from there.


----------



## hewee (Oct 26, 2001)

Yeah, a good firewall and even a router. Download or have on a CD: Spyware Doctor, Avast Professional, TuneUp Utilities 2007, Ad-Aware SE Professional.

Well, read this page here and it should help out a lot. It is on reformatting Windows XP, but even if it is not XP, the order of doing things is the same.

http://spyware-free.us/tutorials/reformat/

ZoneAlarm Free is not all that good either, and Windows Firewall in XP SP2 is the worst.
http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php

Then a good hosts file can help out too, by keeping you away from bad sites where things can come from.


----------



## ryanryan007 (Jan 6, 2008)

I used to have ZoneAlarm, but my internet company told me not to use it any more because it was causing some disturbances in my area. Do you know of any other good firewalls? I'm currently using the default Windows one.


----------



## lunarlander (Sep 22, 2007)

If you are using XP then Comodo is a good firewall. I cannot recommend Comodo for Vista because after I installed it, several things failed to work properly.


----------



## ryanryan007 (Jan 6, 2008)

Any suggestions on an antivirus program and spyware removal... or are the ones I already have good?


----------



## leroys1000 (Aug 16, 2007)

Avast is good, so is AVG.


----------



## ryanryan007 (Jan 6, 2008)

What do you mean by a good hosts file, Hewee?


----------



## metweek (Jun 7, 2003)

Man, that is a lot of programs running. All I use is a NAT firewall. I also run as a regular user (NOT administrator). Not running as administrator all the time should save you a lot of trouble. I use shift+right-click to run as administrator when needed.


----------



## hewee (Oct 26, 2001)

ryanryan007 said:


> What do you mean by a good hosts file, Hewee?


Good hosts files are ones that are updated.
Blocking Unwanted Parasites with a Hosts File

Good ones are hpHosts and mvps hosts.

I use HostsMan to manage the hosts file and make backups etc. It also lets you have more than one hosts file and then makes sure you don't have duplicates.
http://www.abelhadigital.com/

Great for helping not only to protect you, but also to keep tracking from going on, because it blocks out tracking and ad sites. Pages can load so much faster because they are not going out and getting ads etc.
If you get HostsMan, read the help after you install it.
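The merge-and-dedupe job that HostsMan does for several hosts files can be shown in a few dozen lines. The script below is an added example, not HostsMan's code or any of the lists named above; LIST_A and LIST_B are constructed samples standing in for downloaded lists such as hpHosts or the MVPS file.

```python
"""Merge several hosts-file block lists into one without duplicates.

Added example for this thread; it is not HostsMan's code. LIST_A and
LIST_B are constructed samples standing in for downloaded lists such
as hpHosts or the MVPS hosts file.
"""
import ipaddress

# Names that belong to the base hosts file and are never block entries.
KEEP_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

LIST_A = """\
# constructed sample list A
127.0.0.1 localhost
127.0.0.1 ads.example.test
127.0.0.1 tracker.example.test   # trailing comment
0.0.0.0 www.ADS.example.test
"""

LIST_B = """\
# constructed sample list B
0.0.0.0 ads.example.test
0.0.0.0 tracker.example.test counter.example.test
0.0.0.0 malware-host.example.test
not-an-ip bad.line.test
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text.

    Comments and blank lines are skipped, one line may name several
    hosts after the address, and names are lower-cased so that
    'www.ADS.example.test' and 'www.ads.example.test' count once.
    A line whose first field is not an IP address is dropped rather
    than copied into the merged file.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield fields[0], name.lower()


def merge_hosts(*sources, block_ip="0.0.0.0"):
    """Merge hosts-file texts into one sorted, de-duplicated block list.

    Every blocked name is rewritten to a single sink address (0.0.0.0
    by default, which fails faster than 127.0.0.1 when nothing listens
    on loopback). Returns (merged_text, stats); stats reports how many
    source entries were collapsed as duplicates.
    """
    blocked = set()
    entries = 0
    for src in sources:
        for _ip, name in parse_hosts(src):
            if name in KEEP_NAMES:
                continue
            entries += 1
            blocked.add(name)
    lines = ["127.0.0.1 localhost"]
    lines += [f"{block_ip} {name}" for name in sorted(blocked)]
    stats = {"entries": entries, "duplicates": entries - len(blocked)}
    return "\n".join(lines) + "\n", stats


if __name__ == "__main__":
    merged, stats = merge_hosts(LIST_A, LIST_B)
    print(merged, stats)
```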


----------



## r3drock3t88 (Jan 13, 2007)

To remove the virus did you boot into safe mode and turn off your system restore by chance? Just wondering.

Anywho, the firewall I have come to like a lot is the Sygate Personal Firewall...
http://filehippo.com/download_sygate_personal_firewall/

Also, when I reformat computers for people, I always install the following (free) applications.

Sygate Personal Firewall - http://filehippo.com/download_sygate_personal_firewall/
AVG Anti-Virus - http://free.grisoft.com/
Spybot Search and Destroy - http://www.safer-networking.org/en/index.html
CCleaner - www.ccleaner.com
Mozilla Firefox - http://www.mozilla.com/en-US/

Sygate PF as stated before is a very nice, powerful, easy to use firewall.
AVG Anti-Virus - Awesome antivirus software. (avast! in my opinion is better but I believe it is only a 60 day trial)
Spybot S&D is like it says, anti-spyware. Very powerful utility.
CCleaner cleans out all the unnecessary junk that builds up on your PC. (cleaned 4 gigs off someone's computer)
Firefox has excellent security and is in my opinion the best web browser out there.

Good luck, hopefully all of our opinions help you out


----------



## Byteman (Jan 24, 2002)

r3drock3t88 said:


> To remove the virus did you boot into safe mode and turn off your system restore by chance? Just wondering.


If a virus or malware scan detected something in Restore, you simply remove those Restore Points, all of them...

Provided the infections have been cleaned up in the rest of the hard drive, you may not have to format and reinstall it all....there is no way to be 100 per cent sure, but this may give you some time to try it out, backup files you may need, etc.

You usually can turn off System Restore from Normal Mode....

*Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab. (If there is a check in "Turn Off System Restore...", it is Off.)
Check Turn off System Restore.
Click Apply, and then click OK. Wait for the hourglass to stop and for it to say "Turned Off".

Restart your computer, turn System Restore back on and create a restore point.
To turn System Restore back on, take the checkmark out of the box where you did.
Wait till you see "Monitoring" for the status.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

Now- try all of the things you scanned with before and see what they find. If you still get infected items but not in System Volume (Restore) you can do this:

Let's have you post a log from Hijackthis and maybe we can spot anything out of place:
go to *Click here* to download HJTsetup.exe
On that page, select one of the servers in the list under the *Free Downloads heading*
Save HJTsetup.exe to your *desktop.*
Double click on the *HJTsetup.exe icon* on your desktop.
By default it will install to *C:\Program Files\Hijack This.* 
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then save the log and then the log will open in Notepad.
Click on *"Edit > Select All"* then click on *"Edit > Copy"* to copy the entire contents of the log.
Paste the log in your next reply.
*Don't* use the Analyse This button, its findings are dangerous if misinterpreted. 
DO *NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
*Please also do this:*

Open *Hijack This* and click on the "Open the Misc Tools section" button. 
Click on the "*Open Uninstall Manager*" button.
Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad. 
*Copy and paste that list here in your reply*

*If you do not wish to continue to try to clean the malware, we understand completely- but, you should make a note of what to do if a scan in the future....detects items only in Restore, there would be no need to format just because they were found there*


----------



## ryanryan007 (Jan 6, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:09 AM, on 1/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\firefoxupdateg.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7822058A-1C84-4A8A-979A-0B1189930CA6} - C:\WINDOWS\system32\cbxwurq.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {DD0C8F29-FCF5-4884-AB4C-3ECB2A4F9949} - C:\WINDOWS\system32\awvtu.dll (file missing)
O2 - BHO: {27189456-efe9-6f38-5564-a5d547c9298e} - {e8929c74-5d5a-4655-83f6-9efe65498172} - C:\WINDOWS\system32\sqlmfvwd.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKLM\..\Run: [firefox] firefoxupdateg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [a8ee4813] rundll32.exe "C:\WINDOWS\system32\idbwxnut.dll",b
O4 - HKLM\..\RunServices: [firefox] firefoxupdateg.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Post-it® Digital Notes.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14ffe564509ecf4f7f06/netzip/RdxIE601.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/FacebookPhotoUploader2.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: cbxwurq - C:\WINDOWS\SYSTEM32\cbxwurq.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 8975 bytes
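A posted log like the one above can be triaged mechanically before anything is touched. The script below is an added example, not HijackThis code and not the helper's method: it applies a few review heuristics to lines taken from that log (plus benign ones for contrast) and reports any file that shows up in more than one section. It only marks entries for a human to look at, in line with the "do not have Hijack This fix anything yet" advice.

```python
"""Flag HijackThis log entries that deserve a closer look.

Added example, not part of HijackThis and not the helper's method.
The rules below only mark entries for human review; the sample lines
are taken from the log posted above, with benign ones left in.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7822058A-1C84-4A8A-979A-0B1189930CA6} - C:\WINDOWS\system32\cbxwurq.dll
O2 - BHO: (no name) - {DD0C8F29-FCF5-4884-AB4C-3ECB2A4F9949} - C:\WINDOWS\system32\awvtu.dll (file missing)
O2 - BHO: {27189456-efe9-6f38-5564-a5d547c9298e} - {e8929c74-5d5a-4655-83f6-9efe65498172} - C:\WINDOWS\system32\sqlmfvwd.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [firefox] firefoxupdateg.exe
O4 - HKLM\..\Run: [a8ee4813] rundll32.exe "C:\WINDOWS\system32\idbwxnut.dll",b
O4 - HKLM\..\RunServices: [firefox] firefoxupdateg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: cbxwurq - C:\WINDOWS\SYSTEM32\cbxwurq.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
HEX_RE = re.compile(r"^[0-9a-f]{6,}$", re.I)
ABS_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:dll|exe)', re.I)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?,\s*(\S+)', re.I)
FILE_RE = re.compile(r"\b[\w~-]+\.(?:dll|exe)\b", re.I)


def split_entry(line):
    """'O2 - BHO: name - {guid} - path' -> ('O2', ['BHO: name', '{guid}', 'path'])."""
    sec, _, body = line.partition(" - ")
    return sec.strip(), [f.strip() for f in body.split(" - ")]


def triage_line(line):
    """Return the review reasons that fire for one log line ([] if none)."""
    reasons = []
    sec, fields = split_entry(line)
    if "(file missing)" in line:
        reasons.append("points at a file that no longer exists (orphaned hook)")
    if sec in ("O2", "O20"):
        # BHOs load into every Internet Explorer process and Winlogon Notify
        # DLLs into winlogon itself; legitimate vendors register a readable
        # name and rarely drop their DLL straight into system32.
        name = fields[0].split(": ", 1)[-1]
        if name == "(no name)" or GUID_RE.match(name):
            reasons.append("browser/logon hook has no readable name")
        if "\\system32\\" in fields[-1].lower():
            reasons.append("DLL loaded from system32; confirm who ships it")
    elif sec == "O4":
        m = re.search(r"\[([^\]]*)\]\s*(.*)", fields[0])
        if m:
            key, cmd = m.group(1), m.group(2)
            if HEX_RE.match(key):
                reasons.append("autorun value name is a bare hex string")
            if not ABS_PATH_RE.search(cmd):
                reasons.append("autorun command has no path, so it is resolved by search order")
            r = RUNDLL_RE.match(cmd)
            if r and "\\system32\\" in r.group(1).lower():
                reasons.append(f"rundll32 loads {r.group(1)} via entry point '{r.group(2)}'")
    return reasons


def triage_log(text):
    """Return (flagged, shared): {line: reasons} and {filename: [sections]}.

    'shared' lists files referenced from more than one line; the same DLL
    registered as both a BHO (O2) and a Winlogon Notify hook (O20) is a
    classic persistence pattern worth calling out.
    """
    flagged = {}
    refs = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            flagged[line] = reasons
        sec = line.split(" - ", 1)[0]
        for name in {f.lower() for f in FILE_RE.findall(line)}:
            refs[name].append(sec)
    return flagged, {n: s for n, s in refs.items() if len(s) > 1}


if __name__ == "__main__":
    flagged, shared = triage_log(SAMPLE_LOG)
    for line, reasons in flagged.items():
        print(line, *("   -> " + r for r in reasons), sep="\n")
    print("referenced from several places:", shared)
```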


----------



## ryanryan007 (Jan 6, 2008)

My trojan is still here, and I haven't reformatted just yet. I scanned with Avast and found it in C:/WINDOWS/system32/awtss.dll

I've tried to quarantine or delete it but Avast will not allow me because "the file is not packed". Any ideas on how to overcome this troublesome trojan?


----------



## Byteman (Jan 24, 2002)

Hi, I'd be glad to see if we can get this cleaned up.... none of your programs are going to be able to handle the infection; it takes a combination of tools, scans etc. to get rid of.

First: I guess you missed this part of my last reply:

Note: You can wait to post this list, *or do it now*, and down below the directions, there is something to do>>



> *Please also do this:*
> 
> Open *Hijack This* and click on the "Open the Misc Tools section" button.
> Click on the "*Open Uninstall Manager*" button.
> ...


In this next part, you are asked to turn off Spyware Doctor (after getting the VundoFix tool downloaded).... this is because I am not sure what version, free or pay-for, you have. It would pay to have it turned off, anyhow-

Spyware Doctor:
From within Spyware Doctor, click the "OnGuard" button on the left side. 
Uncheck "Activate OnGuard." If you don't have OnGuard, and you are using the free version of Spyware Doctor, then we will just continue....

VUNDO FIX

Please download *VundoFix.exe* to your desktop.
Double-click *VundoFix.exe* to run it.
Click the *Scan for Vundo* button.
Once it's done scanning, click the *Remove Vundo* button.
You will receive a prompt asking if you want to remove the files, click *YES*
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click *OK*.
Turn your computer back on.
Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. 
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.


----------



## millburyst (Jan 9, 2008)

win32.trojan.killproc remove? abandon? quarantine?? or other?????????????????

{Moderator Note: **Hi millburyst- Kindly explain what you are posting about and I will try to help.... you have jumped into a thread where I am helping ryanryan007..... I think you might have downloaded VundoFix and got an alert from an antivirus program, perhaps? I assure you it is a safe tool, but one that you do not want to use on your own....

If you are having malware problems, I suggest you post your Hijackthis log and a brief description of the problem in the Malware Removal forum- thanks!**}


----------



## ryanryan007 (Jan 6, 2008)

Ad-Aware SE Professional
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9
Adobe Flash Player Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0.7
Apple Mobile Device Support
Apple Software Update
Ashampoo Burning Studio 7.10
Audacity 1.2.6
avast! Antivirus
Canon MP Drivers
Canon MP Toolbox 4.1.1.0.mp10
ConvertXtoDVD 2.0.12
Cucusoft Zune Video Converter 5.07
DivX
DivX Converter
DivX Player
DivX Web Player
Folder Lock
Hamachi 1.0.2.2
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
Intel Application Accelerator
Intel(R) Extreme Graphics Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet
ISO Recorder
IsoBuster 2.2
iTunes
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
LimeWire PRO 4.12.3
Magic ISO Maker v5.4 (build 0251)
MediaMonkey 2.5
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Enterprise 2007 (Beta)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Picture It! Photo Premium 9
Microsoft User-Mode Driver Framework Feature Pack 1.0
mIRC
MOVAVI VideoSuite 3.5
Mozilla Firefox (2.0.0.11)
MP3-Info extension V3.4.23
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Nero 6 Ultra Edition
PerfectDisk
Post-it® Digital Notes
QuickTime
RealPlayer
Realtek AC'97 Audio
Registry Mechanic 6.0
Ross Histology
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio
Security Update for Excel 2007 (KB936509)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Office 2007 (KB934062)
Security Update for Office 2007 (KB936514)
Security Update for Publisher 2007 (KB936646)
Security Update for the 2007 Microsoft Office System (KB936960)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Smart Menus (Windows Live Toolbar)
Spyware Doctor 5.0
Starcraft
Steam
TuneUp Utilities 2007
TVUPlayer 2.3.4.1
Update for Office 2007 (KB932080)
Update for Office 2007 (KB934391)
Update for Office 2007 (KB934393)
Update for Outlook 2007 (KB937608)
Update for Outlook 2007 Junk Email Filter (kb943597)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Word 2007 (KB934173)
Ventrilo Client
VideoLAN VLC media player 0.8.4a
Westwood Shared Internet Components
Window Washer
Windows Communication Foundation
Windows Driver Package - Microsoft WPD (12/01/2006 1.2.0.0)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
WinZip
Yahoo! Toolbar
Yahoo! Toolbar
Zune


----------



## ryanryan007 (Jan 6, 2008)

VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 12:22:44 AM 1/10/2008

Listing files found while scanning....

C:\WINDOWS\FLV Player\uninstall.exe
C:\WINDOWS\system32\aeeasvaa.dll
C:\WINDOWS\system32\ahmhxcnc.dll
C:\WINDOWS\system32\asbdieyg.dll
C:\WINDOWS\system32\bikxmeir.dll
C:\WINDOWS\system32\bkrpbhbi.dll
C:\WINDOWS\system32\cbxwurq.dll
C:\WINDOWS\system32\cinieuhu.dll
C:\WINDOWS\system32\daigykjr.dll
C:\WINDOWS\system32\dbdwhkjd.dll
C:\WINDOWS\system32\ddcbywx.dll
C:\WINDOWS\system32\esfphwyx.dll
C:\WINDOWS\system32\eyxlwhjf.ini
C:\WINDOWS\system32\fjhwlxye.dll
C:\WINDOWS\system32\gainqhua.dll
C:\WINDOWS\system32\gwvuxydl.dll
C:\WINDOWS\system32\gyeidbsa.ini
C:\WINDOWS\system32\hoffmkhi.dll
C:\WINDOWS\system32\horygoqb.dll
C:\WINDOWS\system32\htuhxvcv.dll
C:\WINDOWS\system32\idbwxnut.dll
C:\WINDOWS\system32\ilwfefcb.dll
C:\WINDOWS\system32\iutqagki.dll
C:\WINDOWS\system32\jkiprudb.dll
C:\WINDOWS\system32\jtqdrocy.dll
C:\WINDOWS\system32\khfcdcd.dll
C:\WINDOWS\system32\lborcqrq.dll
C:\WINDOWS\system32\mljiifg.dll
C:\WINDOWS\system32\msvxcnsq.dll
C:\WINDOWS\system32\mxcwfleu.dll
C:\WINDOWS\system32\nmxgljnw.dll
C:\WINDOWS\system32\nyyxjqxk.dll
C:\WINDOWS\system32\oyiewouo.dll
C:\WINDOWS\system32\pfvrrsoh.dll
C:\WINDOWS\system32\qpqsavmg.dll
C:\WINDOWS\system32\ruxsojhm.dll
C:\WINDOWS\system32\sdaxukgi.dll
C:\WINDOWS\system32\sqlmfvwd.dll
C:\WINDOWS\system32\srcwjwyh.dll
C:\WINDOWS\system32\tmkurvqr.dll
C:\WINDOWS\system32\uoyshubt.dll
C:\WINDOWS\system32\vvgbuesh.dll
C:\WINDOWS\system32\wdgageyn.dll
C:\WINDOWS\system32\yqycqldr.dll
C:\WINDOWS\system32\yvwydwvc.dll

Beginning removal...

Attempting to delete C:\WINDOWS\FLV Player\uninstall.exe
C:\WINDOWS\FLV Player\uninstall.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\aeeasvaa.dll
C:\WINDOWS\system32\aeeasvaa.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ahmhxcnc.dll
C:\WINDOWS\system32\ahmhxcnc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\asbdieyg.dll
C:\WINDOWS\system32\asbdieyg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\bikxmeir.dll
C:\WINDOWS\system32\bikxmeir.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\bkrpbhbi.dll
C:\WINDOWS\system32\bkrpbhbi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbxwurq.dll
C:\WINDOWS\system32\cbxwurq.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\cinieuhu.dll
C:\WINDOWS\system32\cinieuhu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\daigykjr.dll
C:\WINDOWS\system32\daigykjr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dbdwhkjd.dll
C:\WINDOWS\system32\dbdwhkjd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcbywx.dll
C:\WINDOWS\system32\ddcbywx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\esfphwyx.dll
C:\WINDOWS\system32\esfphwyx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\eyxlwhjf.ini
C:\WINDOWS\system32\eyxlwhjf.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\fjhwlxye.dll
C:\WINDOWS\system32\fjhwlxye.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gainqhua.dll
C:\WINDOWS\system32\gainqhua.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gwvuxydl.dll
C:\WINDOWS\system32\gwvuxydl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gyeidbsa.ini
C:\WINDOWS\system32\gyeidbsa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\hoffmkhi.dll
C:\WINDOWS\system32\hoffmkhi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\horygoqb.dll
C:\WINDOWS\system32\horygoqb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\htuhxvcv.dll
C:\WINDOWS\system32\htuhxvcv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\idbwxnut.dll
C:\WINDOWS\system32\idbwxnut.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ilwfefcb.dll
C:\WINDOWS\system32\ilwfefcb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iutqagki.dll
C:\WINDOWS\system32\iutqagki.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkiprudb.dll
C:\WINDOWS\system32\jkiprudb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jtqdrocy.dll
C:\WINDOWS\system32\jtqdrocy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khfcdcd.dll
C:\WINDOWS\system32\khfcdcd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lborcqrq.dll
C:\WINDOWS\system32\lborcqrq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljiifg.dll
C:\WINDOWS\system32\mljiifg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\msvxcnsq.dll
C:\WINDOWS\system32\msvxcnsq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mxcwfleu.dll
C:\WINDOWS\system32\mxcwfleu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nmxgljnw.dll
C:\WINDOWS\system32\nmxgljnw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nyyxjqxk.dll
C:\WINDOWS\system32\nyyxjqxk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\oyiewouo.dll
C:\WINDOWS\system32\oyiewouo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pfvrrsoh.dll
C:\WINDOWS\system32\pfvrrsoh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qpqsavmg.dll
C:\WINDOWS\system32\qpqsavmg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ruxsojhm.dll
C:\WINDOWS\system32\ruxsojhm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sdaxukgi.dll
C:\WINDOWS\system32\sdaxukgi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sqlmfvwd.dll
C:\WINDOWS\system32\sqlmfvwd.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\srcwjwyh.dll
C:\WINDOWS\system32\srcwjwyh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tmkurvqr.dll
C:\WINDOWS\system32\tmkurvqr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uoyshubt.dll
C:\WINDOWS\system32\uoyshubt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vvgbuesh.dll
C:\WINDOWS\system32\vvgbuesh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wdgageyn.dll
C:\WINDOWS\system32\wdgageyn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yqycqldr.dll
C:\WINDOWS\system32\yqycqldr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yvwydwvc.dll
C:\WINDOWS\system32\yvwydwvc.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cbxwurq.dll
C:\WINDOWS\system32\cbxwurq.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\idbwxnut.dll
C:\WINDOWS\system32\idbwxnut.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\sqlmfvwd.dll
C:\WINDOWS\system32\sqlmfvwd.dll Has been deleted!

Performing Repairs to the registry.
Done!


----------



## Byteman (Jan 24, 2002)

Hi, Looks like you missed this part of my last reply:



> Please post the contents of C:\vundofix.txt and a new HiJackThis log.


Post the new HJThis log please.

Keep the computer off the Internet as much as possible- if you could use another computer to check messages here it will help.

Only use the infected one to get and run the fixes if possible.

There of course will be fixes that require the Internet such as online scans...

After you post that new Hijackthis log, please do this:

((Note: If you have the free version of Spyware Doctor, it will not be able to remove anything unless you purchase it. I suggest you get SUPERAntispyware Free Home edition, and keep it. You can uninstall Spyware Doctor, unless it is the paid for version and you want to continue using and subscribing to it.))

We will get and scan with SuperAntispyware now-

*You should again turn off Spyware Doctor before you install SAS- and keep it off during the scan.*

*Download * *SUPERAntiSpyware* Free for Home Users
*alternate site*
Double-click *SUPERAntiSpyware.exe* to install and use the default settings for installation.
Under Configuration and Preferences, click the Preferences button.
- Click the Scanning Control tab.
- Under Scanner Options make sure the following are checked:
  - Close browsers before scanning
  - Scan for tracking cookies
  - Terminate memory threats before quarantining.
- Please leave the others unchecked.
- Click the Close button to leave the control center screen.
Run SUPERAntiSpyware and update the definitions before scanning by selecting "*Check for Updates*".
When done, select "*Scan for Harmful Software*".
There are three scanning options available. Choose "*Perform Complete Scan*" and click "*Next*".
When done, a Scan Summary will appear with potentially harmful items that were detected. Click "*OK*".
Place a checkmark next to items you wish to remove/quarantine and Click "*Next*".
A notification will appear that "Quarantine and Removal is Complete". Click "*OK*" and then click the "*Finish*" button to return to the main menu.
If asked to Reboot, please do.
After Reboot, double-click on SuperAnti-Spyware icon on your Desktop.
Click Preferences, Click the Statistics/Logs Tab.
Under Scanner logs, Double-click SuperAnti-Spyware Scan Log.
It will open in your default text editor (such as Notepad or WordPad).
Please Highlight everything in the Notepad, then right-click and choose copy.
In your next reply, please post those results and include a fresh Hijackthis log.
Select close to exit the program.
_Note: If you encounter any problems while downloading the updates, manually download and unzip them from *here*._

*Post the log from SAS and one from Hijackthis made afterward.*


----------



## ryanryan007 (Jan 6, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:19 PM, on 1/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\firefoxupdateg.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7822058A-1C84-4A8A-979A-0B1189930CA6} - C:\WINDOWS\system32\cbxwurq.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {DD0C8F29-FCF5-4884-AB4C-3ECB2A4F9949} - C:\WINDOWS\system32\awvtu.dll (file missing)
O2 - BHO: {27189456-efe9-6f38-5564-a5d547c9298e} - {e8929c74-5d5a-4655-83f6-9efe65498172} - C:\WINDOWS\system32\sqlmfvwd.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKLM\..\Run: [firefox] firefoxupdateg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [a8ee4813] rundll32.exe "C:\WINDOWS\system32\idbwxnut.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [firefox] firefoxupdateg.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Post-it® Digital Notes.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14ffe564509ecf4f7f06/netzip/RdxIE601.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/FacebookPhotoUploader2.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 9227 bytes


----------



## Byteman (Jan 24, 2002)

Hi, Do what is in my other reply about SUPERAntispyware please.

That will determine what is left to remove manually.
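Byteman's method here is to read the HijackThis log for entries that do not belong and remove by hand whatever the scanners leave behind. As an added example (my own code, not HijackThis, SUPERAntiSpyware or anything else from this thread), the Python script below applies the tells visible in the log posted above: a BHO with no display name or with a bare CLSID as its name, a registration whose DLL is already gone, a Run value that starts a bare filename, rundll32 loading a DLL out of system32 under a hex-named value, and the same value planted in both Run and RunServices. The sample lines are copied from the log earlier in the thread; the reason strings and the heuristics themselves are mine.

```python
import re

# Constructed sample input: lines copied from the HijackThis log posted earlier
# in this thread, with a few legitimate entries from the same log for contrast.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7822058A-1C84-4A8A-979A-0B1189930CA6} - C:\WINDOWS\system32\cbxwurq.dll
O2 - BHO: (no name) - {DD0C8F29-FCF5-4884-AB4C-3ECB2A4F9949} - C:\WINDOWS\system32\awvtu.dll (file missing)
O2 - BHO: {27189456-efe9-6f38-5564-a5d547c9298e} - {e8929c74-5d5a-4655-83f6-9efe65498172} - C:\WINDOWS\system32\sqlmfvwd.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [firefox] firefoxupdateg.exe
O4 - HKLM\..\Run: [a8ee4813] rundll32.exe "C:\WINDOWS\system32\idbwxnut.dll",b
O4 - HKLM\..\RunServices: [firefox] firefoxupdateg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# HijackThis O2 line: "O2 - BHO: <name> - {CLSID} - <path>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# HijackThis O4 line: "O4 - HKLM\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def first_token(cmd):
    """Return the executable part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return a list of (line, reason) pairs for entries worth a second look."""
    findings = []
    run_values = {}  # value name -> set of Run-style keys it appears under
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if name == "(no name)":
                findings.append((line, "BHO registered without a display name"))
            elif GUID_RE.match(name):
                findings.append((line, "BHO display name is a bare CLSID"))
            if path.endswith("(file missing)"):
                findings.append((line, "BHO CLSID still registered but its DLL is gone"))
            continue
        m = O4_RE.match(line)
        if m:
            value, cmd = m.group("value"), m.group("cmd")
            exe = first_token(cmd)
            run_values.setdefault(value, set()).add(m.group("key"))
            if exe.lower().endswith("rundll32.exe") and "\\system32\\" in cmd.lower():
                findings.append((line, "rundll32 loading a DLL from system32 at logon"))
            elif "\\" not in exe:
                findings.append((line, "autostart by bare filename, resolved through the search path"))
            if re.fullmatch(r"[0-9a-f]{8}", value):
                findings.append((line, "Run value named with an 8-digit hex string"))
    # RunServices is a Windows 9x/ME autostart key; planting the same value there
    # and in Run is a persistence pattern, not something an installer does.
    for value, keys in run_values.items():
        if "Run" in keys and "RunServices" in keys:
            findings.append((f"[{value}]", "same value planted in Run and RunServices (a Win9x-era key)"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

The flags are leads, not verdicts: a "(file missing)" entry is a stale registration that HijackThis can fix on its own, whereas the rundll32 and bare-filename lines point at files that are still on disk and, per the VundoFix output above, resisted deletion.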


----------



## ryanryan007 (Jan 6, 2008)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/11/2008 at 03:47 AM

Application Version : 3.9.1008

Core Rules Database Version : 3377
Trace Rules Database Version: 1371

Scan type : Complete Scan
Total Scan Time : 73:78:68

Memory items scanned : 513
Memory threats detected : 2
Registry items scanned : 6523
Registry threats detected : 40
File items scanned : 47712
File threats detected : 76

Adware.Vundo-Variant/Small
C:\WINDOWS\SYSTEM32\CBXWURQ.DLL
C:\WINDOWS\SYSTEM32\CBXWURQ.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000064.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000078.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000080.DLL

Adware.Vundo-Variant/Small-A
C:\WINDOWS\SYSTEM32\IDBWXNUT.DLL
C:\WINDOWS\SYSTEM32\IDBWXNUT.DLL
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\SSOULXTA.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000056.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000057.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000058.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000059.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000060.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000061.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000062.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000063.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000065.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000067.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000068.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000069.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000071.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000072.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000073.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000074.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000075.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000076.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000077.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000079.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000081.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000082.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000083.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000084.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000085.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000086.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000087.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000088.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000089.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000090.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000091.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000092.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000093.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000094.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000095.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0000096.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP2\A0001017.DLL
C:\WINDOWS\SYSTEM32\GPTAMQBE.DLL
C:\WINDOWS\SYSTEM32\IOFNSJXO.DLL
C:\WINDOWS\SYSTEM32\PYCJGBMW.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{7822058A-1C84-4A8A-979A-0B1189930CA6}
HKCR\CLSID\{7822058A-1C84-4A8A-979A-0B1189930CA6}
HKCR\CLSID\{7822058A-1C84-4A8A-979A-0B1189930CA6}\InprocServer32
HKCR\CLSID\{7822058A-1C84-4A8A-979A-0B1189930CA6}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7822058A-1C84-4A8A-979A-0B1189930CA6}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{7822058A-1C84-4A8A-979A-0B1189930CA6}
HKCR\CLSID\{7822058A-1C84-4A8A-979A-0B1189930CA6}
C:\WINDOWS\SYSTEM32\AWTSR.DLL

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{DD0C8F29-FCF5-4884-AB4C-3ECB2A4F9949}
HKCR\CLSID\{DD0C8F29-FCF5-4884-AB4C-3ECB2A4F9949}
HKCR\CLSID\{DD0C8F29-FCF5-4884-AB4C-3ECB2A4F9949}\InprocServer32
HKCR\CLSID\{DD0C8F29-FCF5-4884-AB4C-3ECB2A4F9949}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AWVTU.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DD0C8F29-FCF5-4884-AB4C-3ECB2A4F9949}

Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\ControlSet003\Services\oreans32
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Driver
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Trojan.Unclassifed/AffiliateBundle
C:\VUNDOFIX BACKUPS\CBXWURQ.DLL.BAD
C:\VUNDOFIX BACKUPS\DDCBYWX.DLL.BAD
C:\VUNDOFIX BACKUPS\KHFCDCD.DLL.BAD
C:\VUNDOFIX BACKUPS\MLJIIFG.DLL.BAD


----------



## Byteman (Jan 24, 2002)

Hi, one reason you have most of this infection is that you are using a very outdated version of the Sun Java Plugin. Do this:
Your *Java* is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of *Java* components and upgrade the application. *Beware: it is NOT supported for use in 9x or ME and probably will not install on those systems.*

*Upgrading Java*: 

Download the latest version of *Java Runtime Environment (JRE) 6 Update 3*.
Scroll down to where it says "*The J2SE Runtime Environment (JRE) allows end-users to run Java applications*".
Click the "*Download*" button to the right.
Check the box that says: "*Accept License Agreement*".
The page will refresh.
Click on the link to download *Windows Offline Installation* with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove Programs* and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.

*Also please- post a brand new Hijackthis log-*


----------



## ryanryan007 (Jan 6, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:56:47 AM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\firefoxupdateg.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: {27189456-efe9-6f38-5564-a5d547c9298e} - {e8929c74-5d5a-4655-83f6-9efe65498172} - C:\WINDOWS\system32\sqlmfvwd.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [firefox] firefoxupdateg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [a8ee4813] rundll32.exe "C:\WINDOWS\system32\idbwxnut.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\RunServices: [firefox] firefoxupdateg.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Post-it® Digital Notes.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14ffe564509ecf4f7f06/netzip/RdxIE601.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/FacebookPhotoUploader2.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 8843 bytes

BY THE WAY, I DID ANOTHER SAS SCAN AND I GOT LIKE ANOTHER 50 INFECTIONS. WHY AREN'T THEY BEING REMOVED? OR ARE THEY NEW ONES?


----------



## Byteman (Jan 24, 2002)

Hi, if you post the newest SUPERAntiSpyware log I will take a look and compare it to the first one.

The infection you have will take more than one scan, and more than one tool, to fix.


----------



## ryanryan007 (Jan 6, 2008)

More than one tool? What other suggested programs should I use?


----------



## Byteman (Jan 24, 2002)

Hi, I was trying to calm you down.....



> BY THE WAY, I DID ANOTHER SAS SCAN AND I GOT LIKE ANOTHER 50 INFECTIONS. WHY AREN'T THEY BEING REMOVED? OR ARE THEY NEW ONES?


This is a bad trojan that can recreate itself, especially if you turn off and/or restart the computer a lot, or leave it running connected to the Internet such as with broadband service which is always ON....

What I meant was, we will no doubt have to use some other scans...with SUPER A/S, and other things that I will post. But, I need to see that newest log with the 50 items.... the trojan can create new file names, for example....each time you restart.

Please try to post that SUPERAntiSpyware log and I can tell if the things are new or the same.
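The comparison Byteman describes (is a detection new, or the same item back under another name?) can be automated. The script below is an added example, not code from this thread or from HijackThis: it parses two HijackThis logs, reports which entries appeared, disappeared or persisted, and marks entries that match patterns visible in the logs posted here (a bare file name with no path, an 8-letter random-looking system32 name, a hex-looking Run value name, a BHO whose file is missing). The sample lines are excerpts of the logs in this thread; the renamed entry in the second log (`b91c0f22` / `abcdefgh.dll`) is constructed for the example.

```python
"""Triage two HijackThis logs: what is new, what is gone, what persisted.

Added example, not code from the thread or from HijackThis. Byteman's
reasoning is that this trojan re-creates itself under new random file
names after a restart, so only a comparison of successive logs tells a
re-created item from one that simply survived. The sample lines are
excerpts copied from the logs posted in this thread; the renamed entry in
the second log (b91c0f22 / abcdefgh.dll) is constructed for the example.
"""
import re

# A HijackThis scan entry starts with its section code: R0, O2, O4, O23 ...
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")

# Patterns seen in the posted logs that deserve a second look. These are
# hints for a human reviewer, not grounds for automatic removal.
RANDOM_SYSTEM32_NAME = re.compile(r"\\system32\\[a-z]{8}\.(?:dll|exe)\b", re.I)
HEX_VALUE_NAME = re.compile(r"\[[0-9a-f]{8}\]")
BARE_FILENAME = re.compile(r'Run(?:Services)?: \[[^\]]+\] [^\\\s"]+\.exe\s*$', re.I)

# Excerpt of the first log in the thread.
OLD_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: {27189456-efe9-6f38-5564-a5d547c9298e} - {e8929c74-5d5a-4655-83f6-9efe65498172} - C:\WINDOWS\system32\sqlmfvwd.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [firefox] firefoxupdateg.exe
O4 - HKLM\..\Run: [a8ee4813] rundll32.exe "C:\WINDOWS\system32\idbwxnut.dll",b
O4 - HKLM\..\RunServices: [firefox] firefoxupdateg.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Constructed second log: the BHO with the missing file is gone, and the
# rundll32 loader has come back under a fresh value name and DLL name.
NEW_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [firefox] firefoxupdateg.exe
O4 - HKLM\..\Run: [b91c0f22] rundll32.exe "C:\WINDOWS\system32\abcdefgh.dll",b
O4 - HKLM\..\RunServices: [firefox] firefoxupdateg.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


def parse_hjt(text):
    """Map each scan entry, normalised for whitespace and case, to its original line."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if ENTRY_RE.match(line):
            entries[" ".join(line.lower().split())] = line
    return entries


def diff_logs(old_text, new_text):
    """Return (added, removed, persisted) entry lists, old log versus new log."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    added = [new[k] for k in new if k not in old]
    removed = [old[k] for k in old if k not in new]
    persisted = [new[k] for k in new if k in old]
    return added, removed, persisted


def flags(line):
    """Reasons a reviewer should look twice at one entry (empty list if none)."""
    reasons = []
    if "(file missing)" in line:
        reasons.append("registered component whose file is already gone")
    if RANDOM_SYSTEM32_NAME.search(line):
        reasons.append("8-letter random-looking file name in system32")
    if HEX_VALUE_NAME.search(line):
        reasons.append("hex-looking Run value name")
    if "RunServices" in line:
        reasons.append("RunServices key (Win9x-era key, unusual on XP)")
    if BARE_FILENAME.search(line):
        reasons.append("bare file name with no path")
    return reasons


def triage(old_text, new_text):
    """Group entries by status and attach review flags to new and persisting ones."""
    added, removed, persisted = diff_logs(old_text, new_text)
    return {
        "new": [(e, flags(e)) for e in added],
        "gone": removed,
        "same": [(e, flags(e)) for e in persisted],
    }


if __name__ == "__main__":
    result = triage(OLD_LOG, NEW_LOG)
    for status in ("new", "same"):
        for entry, why in result[status]:
            print(f"[{status:4}] {entry}\n        {' / '.join(why) or 'no flags'}")
    for entry in result["gone"]:
        print(f"[gone] {entry}")
```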


----------



## ryanryan007 (Jan 6, 2008)

lol, the caps lock was on so it would grab your attention, not because I was so worried. I just started another scan and it seems to be much better. It's almost done and it's only found 2 traces so far, compared to the 50 it found during its last scan.


----------



## Byteman (Jan 24, 2002)

Just try not to restart, at least for tonight if you are going to be around, perhaps we can wind it up now.

As soon as this scan is finished, I need to see the other log with those 50 things, it's quite important that I have the things detected!

As well as the current scan log....and, a brand new HijackThis log, made after this new scan, please.

It will take only a minute or so for me to post the next step, so don't go offline, and do not restart unless my directions say to.


----------



## ryanryan007 (Jan 6, 2008)

OK, I'll stay on.


----------



## Byteman (Jan 24, 2002)

Yes, at least get the new scan done and logs posted...I will then post the next step, which doesn't take too long. Usually about 15 minutes after you have the directions and the small file downloaded, the new tool takes that long in most situations.

Then, you post a log from that scan....and I check that...etc.

The entire fix might run hours, so I don't expect you to stay that long, we can pick it up tomorrow, but at least you should run this next part, using a new tool that I will post.


----------



## ryanryan007 (Jan 6, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:35 PM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\firefoxupdateg.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: {27189456-efe9-6f38-5564-a5d547c9298e} - {e8929c74-5d5a-4655-83f6-9efe65498172} - C:\WINDOWS\system32\sqlmfvwd.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [firefox] firefoxupdateg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [a8ee4813] rundll32.exe "C:\WINDOWS\system32\idbwxnut.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\RunServices: [firefox] firefoxupdateg.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Post-it® Digital Notes.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14ffe564509ecf4f7f06/netzip/RdxIE601.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/FacebookPhotoUploader2.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 9080 bytes

The SUPER A/S log should be posted within the next 5 minutes.


----------



## ryanryan007 (Jan 6, 2008)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/12/2008 at 02:36 AM

Application Version : 3.9.1008

Core Rules Database Version : 3377
Trace Rules Database Version: 1371

Scan type : Quick Scan
Total Scan Time : 00:37:49

Memory items scanned : 498
Memory threats detected : 0
Registry items scanned : 731
Registry threats detected : 26
File items scanned : 52060
File threats detected : 21

Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\ControlSet003\Services\oreans32
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#*NewlyCreated*
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

Adware.Tracking Cookie


----------



## ryanryan007 (Jan 6, 2008)

Memory items scanned : 520
Memory threats detected : 0
Registry items scanned : 6517
Registry threats detected : 25
File items scanned : 28404
File threats detected : 25

Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#*NewlyCreated*
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

Adware.Tracking Cookie

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP7\A0002042.DLL

Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP7\A0002043.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP7\A0002044.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP7\A0002045.DLL


----------



## ryanryan007 (Jan 6, 2008)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/12/2008 at 11:00 PM

Application Version : 3.9.1008

Core Rules Database Version : 3377
Trace Rules Database Version: 1371

Scan type : Complete Scan
Total Scan Time : 02:17:12

Memory items scanned : 516
Memory threats detected : 0
Registry items scanned : 6615
Registry threats detected : 0
File items scanned : 144826
File threats detected : 5

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

Unclassified.Oreans32
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP11\A0006042.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP11\A0008019.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP8\A0005120.SYS


----------



## Byteman (Jan 24, 2002)

Hi, thank you!

Please download ComboFix from *Here* or *Here* to your Desktop.

***Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_.
_Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask._
-----------------------------------------------------------

Close any open browsers.
*WARNING: Combofix will disconnect your machine from the Internet as soon as it starts*
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on *combofix.exe* & follow the prompts.
When finished, it will produce a report for you.
Please post the *"C:\ComboFix.txt"* in your next reply.
***Note: Do not mouseclick combofix's window while it's running. That may cause it to stall***


----------



## ryanryan007 (Jan 6, 2008)

ComboFix 08-01-13.1 - Owner 2008-01-12 23:28:59.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.216 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\acwuncof.ini
C:\WINDOWS\system32\aghtaweq.ini
C:\WINDOWS\system32\bduydtwv.ini
C:\WINDOWS\system32\blgobvwj.ini
C:\WINDOWS\system32\bqogyroh.ini
C:\WINDOWS\system32\deposit.dll
C:\WINDOWS\system32\ejrxbvyo.ini
C:\WINDOWS\system32\fjmacbjf.ini
C:\WINDOWS\system32\gjtibopy.ini
C:\WINDOWS\system32\gpbdjuwi.ini
C:\WINDOWS\system32\gqrpadxt.ini
C:\WINDOWS\system32\hnarlrjp.ini
C:\WINDOWS\system32\ikgaqtui.ini
C:\WINDOWS\system32\kengggei.ini
C:\WINDOWS\system32\koxwgixt.ini
C:\WINDOWS\system32\kyauvocu.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nffjuppv.ini
C:\WINDOWS\system32\nrsrttjq.ini
C:\WINDOWS\system32\qfrxnrtd.ini
C:\WINDOWS\system32\qutemcap.ini
C:\WINDOWS\system32\rfajlrhm.ini
C:\WINDOWS\system32\rpoetsxa.ini
C:\WINDOWS\system32\sgejybuw.ini
C:\WINDOWS\system32\smsohsjc.ini
C:\WINDOWS\system32\sqqcpqup.ini
C:\WINDOWS\system32\tpisfvnb.ini
C:\WINDOWS\system32\tunxwbdi.ini
C:\WINDOWS\system32\uelfwcxm.ini
C:\WINDOWS\system32\utvwa.ini
C:\WINDOWS\system32\utvwa.ini2
C:\WINDOWS\system32\vgthruqu.ini
C:\WINDOWS\system32\vkstjgue.ini
C:\WINDOWS\system32\wraudqqd.ini
C:\WINDOWS\system32\xwqruhnf.ini
C:\WINDOWS\system32\yxfqhwpt.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE

((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-12 23:28 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
2008-01-12 23:04 . 2008-01-12 23:04	33,952	--a------	C:\WINDOWS\system32\drivers\oreans32.sys
2008-01-12 15:29 . 2008-01-12 15:29 d--------	C:\Program Files\WinPcap
2008-01-12 15:27 . 2008-01-12 23:02 d--------	C:\Program Files\WMR11
2008-01-12 01:56 . 2007-12-14 01:59	69,632	--a------	C:\WINDOWS\system32\javacpl.cpl
2008-01-12 01:55 . 2008-01-12 01:55 d--------	C:\Program Files\Common Files\Java
2008-01-10 12:35 . 2008-01-10 12:35 d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-10 12:34 . 2008-01-12 23:06 d--------	C:\Program Files\SUPERAntiSpyware
2008-01-10 12:34 . 2008-01-10 12:34 d--------	C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-01-10 01:27 . 2008-01-12 23:37	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-01-10 01:27 . 2008-01-10 01:27	1,409	--a------	C:\WINDOWS\QTFont.for
2008-01-10 01:26 . 2008-01-10 01:26 d--------	C:\Program Files\iTunes
2008-01-10 01:26 . 2008-01-10 01:26 d--------	C:\Program Files\iPod
2008-01-10 01:22 . 2008-01-11 03:40 d--------	C:\WINDOWS\SxsCaPendDel
2008-01-10 00:22 . 2008-01-10 01:09 d--------	C:\VundoFix Backups
2008-01-09 09:02 . 2008-01-09 09:02 d--------	C:\Program Files\Trend Micro
2008-01-05 19:31 . 2008-01-05 19:28	102,664	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-05 19:28 . 2008-01-05 19:34 d--------	C:\Documents and Settings\Owner\.housecall6.6
2008-01-01 13:35 . 2008-01-01 13:51 d--------	C:\Program Files\mIRC
2008-01-01 13:35 . 2008-01-01 14:05 d--------	C:\Documents and Settings\Owner\Application Data\mIRC
2007-12-23 00:43 . 2007-12-23 00:43 d--------	C:\Documents and Settings\Owner\Application Data\Yahoo!
2007-12-23 00:43 . 2007-12-23 00:45 d--------	C:\Documents and Settings\All Users\Application Data\Yahoo! Companion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 00:05	---------	d-----w	C:\Documents and Settings\Owner\Application Data\uTorrent
2008-01-12 09:56	---------	d-----w	C:\Program Files\Java
2008-01-10 20:34	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-01-10 09:24	---------	d-----w	C:\Program Files\QuickTime
2008-01-10 09:22	---------	d-----w	C:\Program Files\Apple Software Update
2008-01-07 13:00	---------	d-----w	C:\Program Files\Folder Lock
2008-01-06 13:59	---------	d-----w	C:\Program Files\uTorrent
2008-01-06 01:47	---------	d-----w	C:\Program Files\TVUPlayer
2008-01-02 03:13	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Vso
2007-12-24 02:04	---------	d-----w	C:\Documents and Settings\Owner\Application Data\LimeWire
2007-12-23 08:43	---------	d-----w	C:\Program Files\Yahoo!
2007-12-21 22:10	---------	d-----w	C:\Program Files\Messenger Plus! Live
2007-12-17 07:33	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-12-13 11:08	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-09 06:34	---------	d-----w	C:\Program Files\Microsoft Works
2007-12-09 06:33	---------	d-----w	C:\Program Files\MSBuild
2007-12-09 06:29	---------	d-----w	C:\Program Files\Microsoft.NET
2007-12-09 06:23	---------	d-----w	C:\Program Files\Microsoft Visual Studio 8
2007-12-04 14:56	93,264	----a-w	C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55	94,544	----a-w	C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53	23,152	----a-w	C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51	42,912	----a-w	C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49	26,624	----a-w	C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 11:21	---------	d-----w	C:\Program Files\Windows Live Toolbar
2007-12-03 10:29	---------	d-----w	C:\Program Files\Common Files\Raxco
2007-12-03 10:29	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Raxco
2007-12-02 18:38	---------	d-----w	C:\Program Files\Alex Feinman
2007-12-02 09:19	---------	d-----w	C:\Program Files\MagicISO
2007-12-02 07:38	---------	d-----w	C:\Program Files\MP3Gain
2007-12-02 06:56	---------	d-----w	C:\Program Files\Smart Projects
2007-12-02 06:49	---------	d-----w	C:\Program Files\Common Files\Ahead
2007-12-02 06:49	---------	d-----w	C:\Program Files\Ahead
2007-12-02 06:31	---------	d-----w	C:\Program Files\MediaMonkey
2007-12-01 01:19	---------	d-----w	C:\Documents and Settings\Owner\Application Data\TVU Networks
2007-11-30 09:15	---------	d-----w	C:\Documents and Settings\Owner\Application Data\dvdcss
2007-11-29 20:10	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-11-29 20:10	---------	d-----w	C:\Program Files\Ross Histology
2007-11-25 09:25	---------	d-----w	C:\Program Files\MP3ext
2007-11-25 09:15	---------	d-----w	C:\Program Files\Winamp
2007-11-25 09:15	---------	d-----w	C:\Program Files\Mp3tag
2007-11-24 22:07	---------	d-----w	C:\Program Files\MSN Messenger
2007-11-13 10:25	20,480	----a-w	C:\WINDOWS\system32\drivers\secdrv.sys
2007-02-14 05:07	784	----a-w	C:\Documents and Settings\Owner\Application Data\mpauth.dat
2004-10-06 08:52	22,555,648	----a-w	C:\Program Files\setup.exe
2004-10-05 20:54	27,494	----a-w	C:\Program Files\Readme.txt
2004-09-22 17:07	25,047	------w	C:\Program Files\License.rtf
2005-07-14 18:31	27,648	--sha-w	C:\WINDOWS\system32\AVSredirect.dll
2007-06-13 10:23	1,276,928	--sha-r	C:\WINDOWS\system32\firefoxupdateg.exe
2007-07-30 00:58	16,753,440	--sha-w	C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-26 10:09	548,896	--sha-w	C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e8929c74-5d5a-4655-83f6-9efe65498172}]
C:\WINDOWS\system32\sqlmfvwd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2007-03-14 16:03 24104]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-06 06:49 185632]
"firefox"="firefoxupdateg.exe" [2007-06-13 02:23 1276928 C:\WINDOWS\system32\firefoxupdateg.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"a8ee4813"="C:\WINDOWS\system32\idbwxnut.dll" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"firefox"="firefoxupdateg.exe" [2007-06-13 02:23 1276928 C:\WINDOWS\system32\firefoxupdateg.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Post-it® Digital Notes.lnk - C:\Program Files\3M\PDNotes\PDNotes.exe [2006-03-21 13:23:30]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Window Washer"=C:\Program Files\Webroot\Washer\wwDisp.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
"SoundMan"=SOUNDMAN.EXE
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-01-12 23:04]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 NAL;Nal Service ;C:\WINDOWS\System32\Drivers\iqvw32.sys [2002-10-16 00:11]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 09:31]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 01:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-01-10 09:22:55 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-13 07:26:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-12 23:37:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: C:\WINDOWS\

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\catchme]
"ImagePath"="\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys"
.
Completion time: 2008-01-12 23:39:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-13 07:38:49
.


----------



## Byteman (Jan 24, 2002)

Hi,

Sorry for the holdup- one file in question needs to be scanned at a site where you can scan just one file..

Make sure you have these settings done:

> Because XP will not always show you hidden files and folders by default, Go to Start > Search>Files and Folders>> and under "More advanced search options".
> Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"
> 
> Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
> Click "Apply" then "OK"


Go here *http://virusscan.jotti.org/*

Use the *Browse* button and navigate to the file which is here:

C:\WINDOWS\SYSTEM32\DRIVERS\*OREANS32.SYS* <<highlight this file by clicking once with the mouse cursor--the path then will show up in the space at the Jotti site....hit *Submit* button to upload the file for a very quick exam

Then, you MUST post back the results, so copy and paste them while you have them up on your screen


----------



## Byteman (Jan 24, 2002)

Hi- Had to make a change to my reply about hidden files etc.; make sure you set those settings so you can actually find that file to have it scanned....


----------



## Byteman (Jan 24, 2002)

Hi, I have more information now- the oreans32.sys driver file can be legitimately used as file protection; some games include copy protection from Themida. Our problem is whether the service is being used to hide the definite trojans you have had, so it gets a little hard to determine what to do.

The file oreans32.sys itself should scan at Jotti as clean, or as a file protector or "rootkit".... we will see later today probably.

There's a lot of conflicting ideas about how to tell just when it's bad, and when not.

It should not do any harm to remove it, and here's the scoop on how we can tell: is there one of the games you play that does not start now (when oreans32.sys is removed)?

And if, after you play the game that is suspect, that file appears again, then it probably is OK to leave alone.

It also might depend on where you got the game from; if it was downloaded (be sincere now) through a filesharing P2P program, it might be being used to disguise malware, and you sure had a lot of that. Malware makers are wise to drivers that are not being detected by most antivirus programs, and use them or their processes to get the malware skipped, or so I am reading.

At this point, if everything works and nothing else is being found except the oreans32.sys, that is, no more Vundo etc., then you should be OK, but only time will tell.

Maybe by now you recall that yesterday you started up one game, and that was when SUPERAntiSpyware picked up *all the oreans32.sys* items.... just before those scans with SUPERAntiSpyware were done--- ring any bells?

*Do this next:*

Open *notepad* and copy/paste the text in the codebox below into it:
Save this as *CFScript.txt* and, Save As Type: *All Files (*.*)*


```
File::
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for
C:\WINDOWS\system32\sqlmfvwd.dll
C:\WINDOWS\system32\idbwxnut.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e8929c74-5d5a-4655-83f6-9efe65498172}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"a8ee4813"=-
```
*Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.*

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of *Combofix.txt* in your next reply together with a *new HijackThis log*.


----------



## Metaphor (Jan 13, 2008)

Well, this all started about two weeks ago when my connection just started dropping randomly, or more like every 5 minutes. I play Xbox Live a lot so I only really noticed it there, but I think it's my router; I have all of the ports in use and also I'm running my laptop on wireless. When I play on Xbox Live I get disconnected, but as weird as it is I can just connect instantly after I disconnect. I don't know what the problem is; it's not just Xbox Live, it affects my internet as well. I can't watch movies or listen to songs or anything on my cpu, so let me know if you know what might be causing it. I'm new here so please send it in a message.


----------



## ryanryan007 (Jan 6, 2008)

File: oreans32.sys
Status: OK (Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: aad837bf3b475092fd515cd0842334e9
Packers detected: -
Bit9 reports: No threat detected (more info)
Scanner results
Scan taken on 13 Jan 2008 11:00:11 (GMT)
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing


----------



## ryanryan007 (Jan 6, 2008)

ComboFix 08-01-13.1 - Owner 2008-01-13 3:09:22.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.226 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*

FILE
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\idbwxnut.dll
C:\WINDOWS\system32\sqlmfvwd.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn

.
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-12 23:28 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
2008-01-12 23:04 . 2008-01-12 23:04	33,952	--a------	C:\WINDOWS\system32\drivers\oreans32.sys
2008-01-12 15:29 . 2008-01-12 15:29 d--------	C:\Program Files\WinPcap
2008-01-12 15:27 . 2008-01-12 23:02 d--------	C:\Program Files\WMR11
2008-01-12 01:56 . 2007-12-14 01:59	69,632	--a------	C:\WINDOWS\system32\javacpl.cpl
2008-01-12 01:55 . 2008-01-12 01:55 d--------	C:\Program Files\Common Files\Java
2008-01-10 12:35 . 2008-01-10 12:35 d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-10 12:34 . 2008-01-12 23:06 d--------	C:\Program Files\SUPERAntiSpyware
2008-01-10 12:34 . 2008-01-10 12:34 d--------	C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-01-10 01:26 . 2008-01-10 01:26 d--------	C:\Program Files\iTunes
2008-01-10 01:26 . 2008-01-10 01:26 d--------	C:\Program Files\iPod
2008-01-10 01:22 . 2008-01-11 03:40 d--------	C:\WINDOWS\SxsCaPendDel
2008-01-10 00:22 . 2008-01-10 01:09 d--------	C:\VundoFix Backups
2008-01-09 09:02 . 2008-01-09 09:02 d--------	C:\Program Files\Trend Micro
2008-01-05 19:31 . 2008-01-05 19:28	102,664	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-05 19:28 . 2008-01-05 19:34 d--------	C:\Documents and Settings\Owner\.housecall6.6
2008-01-01 13:35 . 2008-01-01 13:51 d--------	C:\Program Files\mIRC
2008-01-01 13:35 . 2008-01-01 14:05 d--------	C:\Documents and Settings\Owner\Application Data\mIRC
2007-12-23 00:43 . 2007-12-23 00:43 d--------	C:\Documents and Settings\Owner\Application Data\Yahoo!
2007-12-23 00:43 . 2007-12-23 00:45 d--------	C:\Documents and Settings\All Users\Application Data\Yahoo! Companion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 00:05	---------	d-----w	C:\Documents and Settings\Owner\Application Data\uTorrent
2008-01-12 09:56	---------	d-----w	C:\Program Files\Java
2008-01-10 20:34	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-01-10 09:24	---------	d-----w	C:\Program Files\QuickTime
2008-01-10 09:22	---------	d-----w	C:\Program Files\Apple Software Update
2008-01-07 13:00	---------	d-----w	C:\Program Files\Folder Lock
2008-01-06 13:59	---------	d-----w	C:\Program Files\uTorrent
2008-01-06 01:47	---------	d-----w	C:\Program Files\TVUPlayer
2008-01-02 03:13	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Vso
2007-12-24 02:04	---------	d-----w	C:\Documents and Settings\Owner\Application Data\LimeWire
2007-12-23 08:43	---------	d-----w	C:\Program Files\Yahoo!
2007-12-21 22:10	---------	d-----w	C:\Program Files\Messenger Plus! Live
2007-12-17 07:33	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-12-13 11:08	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-09 06:34	---------	d-----w	C:\Program Files\Microsoft Works
2007-12-09 06:33	---------	d-----w	C:\Program Files\MSBuild
2007-12-09 06:29	---------	d-----w	C:\Program Files\Microsoft.NET
2007-12-09 06:23	---------	d-----w	C:\Program Files\Microsoft Visual Studio 8
2007-12-04 14:56	93,264	----a-w	C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55	94,544	----a-w	C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53	23,152	----a-w	C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51	42,912	----a-w	C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49	26,624	----a-w	C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04	837,496	----a-w	C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54	95,608	----a-w	C:\WINDOWS\system32\AvastSS.scr
2007-12-04 11:21	---------	d-----w	C:\Program Files\Windows Live Toolbar
2007-12-03 10:29	---------	d-----w	C:\Program Files\Common Files\Raxco
2007-12-03 10:29	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Raxco
2007-12-02 18:38	---------	d-----w	C:\Program Files\Alex Feinman
2007-12-02 09:19	---------	d-----w	C:\Program Files\MagicISO
2007-12-02 07:38	---------	d-----w	C:\Program Files\MP3Gain
2007-12-02 06:56	---------	d-----w	C:\Program Files\Smart Projects
2007-12-02 06:49	---------	d-----w	C:\Program Files\Common Files\Ahead
2007-12-02 06:49	---------	d-----w	C:\Program Files\Ahead
2007-12-02 06:31	---------	d-----w	C:\Program Files\MediaMonkey
2007-12-01 01:19	---------	d-----w	C:\Documents and Settings\Owner\Application Data\TVU Networks
2007-11-30 09:15	---------	d-----w	C:\Documents and Settings\Owner\Application Data\dvdcss
2007-11-29 20:10	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-11-29 20:10	---------	d-----w	C:\Program Files\Ross Histology
2007-11-25 09:25	---------	d-----w	C:\Program Files\MP3ext
2007-11-25 09:15	---------	d-----w	C:\Program Files\Winamp
2007-11-25 09:15	---------	d-----w	C:\Program Files\Mp3tag
2007-11-24 22:07	---------	d-----w	C:\Program Files\MSN Messenger
2007-11-13 10:25	20,480	----a-w	C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:26	721,920	----a-w	C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43	1,287,680	----a-w	C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40	222,720	----a-w	C:\WINDOWS\system32\wmasf.dll
2007-03-28 04:23	89,052	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_27_21_21_20_small.dmp.zip
2007-03-28 04:23	22,656,498	----a-w	C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_27_21_20_56_full.dmp.zip
2007-03-27 05:03	22,655,457	----a-w	C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_25_21_15_31_full.dmp.zip
2007-03-24 20:36	22,396,790	----a-w	C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_22_22_47_09_full.dmp.zip
2007-03-13 21:29	93,084	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_13_14_11_54_small.dmp.zip
2007-03-09 02:07	105,147	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_06_18_12_33_small.dmp.zip
2007-03-07 04:53	88,047	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_06_20_32_00_small.dmp.zip
2007-02-26 00:41	93,830	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_24_15_05_10_small.dmp.zip
2007-02-16 19:17	89,836	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_16_11_13_47_small.dmp.zip
2007-02-14 05:07	784	----a-w	C:\Documents and Settings\Owner\Application Data\mpauth.dat
2004-10-06 08:52	22,555,648	----a-w	C:\Program Files\setup.exe
2004-10-05 20:54	27,494	----a-w	C:\Program Files\Readme.txt
2004-09-22 17:07	25,047	------w	C:\Program Files\License.rtf
2005-07-14 18:31	27,648	--sha-w	C:\WINDOWS\system32\AVSredirect.dll
2007-06-13 10:23	1,276,928	--sha-r	C:\WINDOWS\system32\firefoxupdateg.exe
2007-07-30 00:58	16,753,440	--sha-w	C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-26 10:09	548,896	--sha-w	C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( [email protected]_23.38.35.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-13 07:28:47	233,472	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-13 11:09:16	233,472	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-13 07:28:47	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-13 11:09:16	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-13 07:28:47	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-13 11:09:16	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-13 07:28:47	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-13 11:09:16	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-13 07:28:47	6,254,592	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-13 11:09:17	6,303,744	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-13 07:28:47	299,008	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 11:09:17	299,008	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2007-03-14 16:03 24104]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-06 06:49 185632]
"firefox"="firefoxupdateg.exe" [2007-06-13 02:23 1276928 C:\WINDOWS\system32\firefoxupdateg.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"firefox"="firefoxupdateg.exe" [2007-06-13 02:23 1276928 C:\WINDOWS\system32\firefoxupdateg.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Post-it® Digital Notes.lnk - C:\Program Files\3M\PDNotes\PDNotes.exe [2006-03-21 13:23:30]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Window Washer"=C:\Program Files\Webroot\Washer\wwDisp.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
"SoundMan"=SOUNDMAN.EXE
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-01-12 23:04]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 NAL;Nal Service ;C:\WINDOWS\System32\Drivers\iqvw32.sys [2002-10-16 00:11]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 09:31]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME 
.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 01:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-01-10 09:22:55 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-13 10:26:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 03:12:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: C:\WINDOWS\

**************************************************************************
.
Completion time: 2008-01-13 3:14:16
ComboFix-quarantined-files.txt 2008-01-13 11:13:24
ComboFix2.txt 2008-01-13 07:39:45
.
2008-01-13 11:01:08	--- E O F ---

PS: I deleted the oreans32.sys file after I did the scan. I hope that doesn't skew the results.


----------



## ryanryan007 (Jan 6, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:37 AM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\firefoxupdateg.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [firefox] firefoxupdateg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\RunServices: [firefox] firefoxupdateg.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Post-it® Digital Notes.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14ffe564509ecf4f7f06/netzip/RdxIE601.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/FacebookPhotoUploader2.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 8697 bytes

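The two logs above are read the way a helper reads them: an autostart entry is judged by where its image sits, which key loads it, what it is called and what the file listing says about the same path. The script below is the editor's added example, not code from the thread, from ComboFix or from HijackThis. It parses HijackThis `O4` lines, ComboFix "Reg Loading Points" entries and ComboFix file-attribute lines, and cross-references them with a few heuristics. The sample lines are a constructed subset copied from the logs posted above; the heuristics, the `USER_APPS` list and the reading of the attribute string (s=system, h=hidden, r=read-only) are assumptions.

```python
"""Editor's added example (not code from the thread, ComboFix or HijackThis):
cross-reference autostart entries from the ComboFix and HijackThis logs above
with the file-attribute lines ComboFix printed.  Heuristics are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: a subset of the log lines posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [firefox] firefoxupdateg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunServices: [firefox] firefoxupdateg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"firefox"="firefoxupdateg.exe" [2007-06-13 02:23 1276928 C:\WINDOWS\system32\firefoxupdateg.exe]
"a8ee4813"="C:\WINDOWS\system32\idbwxnut.dll" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"firefox"="firefoxupdateg.exe" [2007-06-13 02:23 1276928 C:\WINDOWS\system32\firefoxupdateg.exe]
2007-06-13 10:23    1,276,928    --sha-r    C:\WINDOWS\system32\firefoxupdateg.exe
2007-07-30 00:58    16,753,440    --sha-w    C:\WINDOWS\system32\drivers\fidbox.dat
"""

HJT_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
CF_KEY = re.compile(r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\.*\\(\w+)\]$")
CF_VAL = re.compile(r'^"([^"]*)"="([^"]*)"\s*\[(.*)\]$')
# date time, size (dashes for a directory), 7-char attribute string, path; assumed: s=system h=hidden r=read-only
CF_FILE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+(?:[\d,]+|-+)\s+([-dsharw]{7})\s+(.+)$")
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
LEGACY_KEYS = {"RunServices", "RunServicesOnce"}  # Win9x keys that XP itself does not process
RANDOM_NAME = re.compile(r"^[0-9a-f]{8}$")          # e.g. "a8ee4813"
USER_APPS = {"firefox", "opera", "chrome"}          # assumed: names that belong under Program Files

@dataclass
class Entry:
    source: str         # "hjt" or "combofix"
    hive: str
    key: str
    name: str
    image: str          # executable exactly as written in the registry value
    meta: str = ""      # ComboFix's "[date time size path]" payload
    resolved: str = ""  # full path ComboFix found for a bare filename

def image_of(cmd: str) -> str:  # strip arguments from an O4 command (simplification: first token)
    cmd = cmd.strip()
    return cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ")[0]

def parse(text: str) -> Tuple[List[Entry], Dict[str, str]]:
    entries: List[Entry] = []
    files: Dict[str, str] = {}      # attrs keyed by lower-cased full path and by basename
    hive = key = None
    for line in (l.strip() for l in text.splitlines()):
        if m := HJT_O4.match(line):
            h, k, name, cmd = m.groups()
            entries.append(Entry("hjt", h, k, name, image_of(cmd)))
        elif line.startswith("["):                     # ComboFix section header
            m = CF_KEY.match(line)
            hive, key = (HIVES[m.group(1)], m.group(2)) if m else (None, None)
        elif (m := CF_VAL.match(line)) and key:
            name, image, meta = m.group(1), m.group(2), m.group(3).strip()
            parts = meta.split(" ", 3)                 # 4th field only present for bare names
            entries.append(Entry("combofix", hive, key, name, image, meta,
                                 parts[3] if len(parts) == 4 else ""))
        elif m := CF_FILE.match(line):
            path = m.group(2).lower()
            files[path] = m.group(1)
            files.setdefault(path.rsplit("\\", 1)[-1], m.group(1))
    return entries, files

def flags_for(e: Entry, entries: List[Entry], files: Dict[str, str]) -> List[str]:
    f: List[str] = []
    image, where = e.image.lower(), (e.resolved or e.image).lower()
    if "\\" not in image:
        f.append("bare filename: found by path search, not pinned to a location")
    if e.key in LEGACY_KEYS:
        f.append(e.key + " is a Win9x-era key that XP itself does not process")
    if RANDOM_NAME.match(e.name):
        f.append("value name is eight random-looking hex digits")
    if image.endswith(".dll"):
        f.append("target is a DLL, not an executable")
    if e.name.lower() in USER_APPS and "\\system32\\" in where:
        f.append("named like a desktop application but lives in system32")
    attrs = files.get(where, "")
    if "s" in attrs and "h" in attrs:
        f.append("image is system+hidden on disk (" + attrs + ")")
    keys = {x.key for x in entries if (x.hive, x.name, x.image) == (e.hive, e.name, e.image)}
    if len(keys) > 1:
        f.append("same entry repeated under " + ", ".join(sorted(keys)))
    return f

def triage(text: str) -> List[Tuple[Entry, List[str]]]:
    """Every autostart entry with its flags, most suspicious first."""
    entries, files = parse(text)
    return sorted(((e, flags_for(e, entries, files)) for e in entries), key=lambda p: -len(p[1]))

if __name__ == "__main__":
    for e, fl in triage(SAMPLE_LOG):
        if fl:
            print(f'[{e.source}] {e.hive}\\{e.key} "{e.name}" -> {e.image}: ' + "; ".join(fl))
```

Run as-is, the `firefox` entries collect the most flags: a bare filename that ComboFix resolved into system32, loaded from both `Run` and the Win9x-only `RunServices` key, and marked system+hidden+read-only on disk. `avast!`, `ctfmon.exe` and `QuickTime Task` get none. Note that a hidden system file nothing references (`fidbox.dat` in the sample) is not flagged on attributes alone; the cross-reference with an autostart entry is what makes the attribute meaningful.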

----------



## Byteman (Jan 24, 2002)

Hi, The latest log looks good. I want to wait before we do anything further with oreans32.sys, it's OK if you tried to delete it, as it will return usually anyhow.

See what games or software doesn't work- make a note of them.

If you've been up all night, best if you take a break.

I'm going to ask for some opinions about the file and that will take a bit of time, so check back later for my reply.

In the meantime, if you want to do anything further, do one of these online scans and post the results from it:

*Housecall online scan:*
*http://www.trendsecure.com/portal/en-US/tools/security_tools*

*HERE* to run Panda's ActiveScan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report

Get some rest and check back later!


----------



## ryanryan007 (Jan 6, 2008)

I started a Panda scan, and during the scan I got a virus/worm detection and Avast made me abort the connection. Here is the screenshot of what happened:

http://img122.imageshack.us/my.php?image=viruscl8.jpg


----------



## Byteman (Jan 24, 2002)

You will have to turn off Avast, during the scan, similar to when we used ComboFix.....

The file detected says it was part of Panda activescan.


----------



## ryanryan007 (Jan 6, 2008)

Nothing found.

http://img91.imageshack.us/my.php?image=scanzz4.jpg


----------



## Byteman (Jan 24, 2002)

Hi, Good- just this left to fix:

One of the security experts would like to examine a copy of this file which may still be on your computer

C:\WINDOWS\system32\*firefoxupdateg.exe*

Any idea where it came from, or if it was some extension or something? There is no information found for it which makes it a suspect and some antivirus sites detect it as an SDBot worm, so we need to look at it closer.

You need these settings made, unless you still have it this way:



> Because XP will not always show you hidden files and folders by default, Go to Start > Search>Files and Folders>> and under "More advanced search options".
> Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"
> 
> Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
> Click "Apply" then "OK"


Download suspicious file packer from http://www.safer-networking.org/en/tools/index.html (direct download http://www.safer-networking.org/files/sfp.zip )

Unzip it to desktop, open it & paste in the list of files below, press next & it will create an archive (zip/cab file) on desktop

please upload that to http://www.thespykiller.co.uk/index.php?board=1.0 so we can examine the files

Just press *new topic,* fill in the needed details and just *give a link to your post here* & then press the *browse button* and then navigate to & select the files on your computer. When the file is listed in the window, press *Send* to upload the zipped-up file shown below:

C:\WINDOWS\system32\*firefoxupdateg.exe* (which will look like a folder and have the .zip extension after you zip it.)

It will be a day or so till we get the results unless they get to it sooner, so sit tight until then.

Let me know if anything else is a problem, but don't rush and try to fix things, post here.


----------



## ryanryan007 (Jan 6, 2008)

I'm running another SUPER A/S scan and I'm still picking up a lot of trojans...all of which are coming from the VundoFix backup..should I delete it somehow or something?


----------



## Byteman (Jan 24, 2002)

Hi, Yes, but they are *harmless* there, if it bugs you delete the entire VundoFix and the backups....if you have to use VundoFix later, we need to download a brand new copy because they update the files it finds every day almost!

Same for ComboFix, you should re-download a new copy, not hang onto the old one.

We usually post what to get rid of, as one of the last steps in fixing malware.

You also will be instructed to empty the System Restore Points; malware will be backed up in there too, if you have Restore on.

You then create a new, clean Restore Point...all this will be done as one of the last steps.


----------



## ryanryan007 (Jan 6, 2008)

Here's the post..I wasn't sure exactly what you wanted me to upload..so I hope this is correct
http://thespykiller.co.uk/index.php...ew?PHPSESSID=fa181474879fa2edc7febe50878eec7d

PS..I found another 35 traces in my SUPER A/S scan..so it's all been quarantined..how do I delete it from my system, or should I keep them quarantined?


----------



## Byteman (Jan 24, 2002)

Well, first, as always, you Post the log here so I can see what is going on...if they are Cookies, that is normal, you will always have those....

I need to see the file locations and file names to advise.

RE> Upload, you were asked to upload this file:
C:\WINDOWS\system32\*firefoxupdateg.exe* this file in BOLD

After we are done fixing, in the future- you can always leave any item in Quarantine, with any of the programs you use, and actually it's safer to do that, because you never know what might be a false positive.

Leaving them Quarantined assures that you can get something back that was detected wrong.


----------



## ryanryan007 (Jan 6, 2008)

Whenever I restart my computer I get the pop-up

http://img101.imageshack.us/my.php?image=erroryr6.jpg


----------



## ryanryan007 (Jan 6, 2008)

http://thespykiller.co.uk/index.php...ew?PHPSESSID=82a045322576cc6d2f23f658f0b4ae9d

Here is the newest SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/13/2008 at 04:16 PM

Application Version : 3.9.1008

Core Rules Database Version : 3377
Trace Rules Database Version: 1371

Scan type : Complete Scan
Total Scan Time : 01:10:36

Memory items scanned : 494
Memory threats detected : 0
Registry items scanned : 6618
Registry threats detected : 26
File items scanned : 46172
File threats detected : 9

Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\ControlSet003\Services\oreans32
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP15\A0011175.SYS

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][3].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt


----------



## Byteman (Jan 24, 2002)

Ryan- You probably did it right- I cannot see what you uploaded, as they are hidden when you send them in.

But, I do not see a link to our thread here, so here is one you should copy and paste INTO your post at Spykiller forums:

http://forums.techguy.org/general-security/668603-looking-advice.html

*Copy that link to your post where you uploaded the file... you have to do that so they can post here to let us know what the file actually is, bad or good....*

Right click it when you have a page open, (maybe you can Edit your post there, I am not sure as different forums work differently....) and select "Copy Shortcut" then, at spykiller, click into the space in the reply, and right click and select "Paste" so the link itself, appears on the reply....submit your post, making sure you also Upload the file

*firefoxupdateg.exe* again using the directions.

Perhaps put a short note about why you re-posted....forgot the link to our TechGuy thread....it will be OK.

or, you can make a new reply and include the file again, with a link.

You might have only copied the text *line*....but again, I can't tell as they do not show to anyone.

C:\WINDOWS\system32\firefoxupdateg.exe

Use the Browse button you see at spykiller.....you then find the file in question, by going to your System32 folder, and highlight the *firefoxupdateg.exe* file there once with your mouse....that sends the path to the file into the Submit line, when you hit Submit or UPload, it sends a copy of that file, to the site...

It's like making an attachment in emails, see.

RE:

the popup>

Let me see a brand new ComboFix log please, and also a new Hijackthis log, one that you create *after finishing ComboFix*

Remember to follow the same directions when you run ComboFix as I had in my other replies...look back to find them unless you have them printed out or saved.


----------



## ryanryan007 (Jan 6, 2008)

Here's the latest forum post..I hope everything is done correctly this time

http://thespykiller.co.uk/index.php/topic,5710.new.html#new


----------



## Byteman (Jan 24, 2002)

Hi, I can see you posted a link to our thread here, that's fine...and, as long as you attached the file we want them to look at, that is OK...but, I can't tell as no one can *see the attached file*

If you followed this, then it should be there:



> This is just a place to upload files that have been asked for from other forums.
> Please start a new post and Just give a link to your posts on the other forum & then press attach and upload the files.
> Files can be uploaded by anybody but not seen or downloaded by anybody except for those users that have been given special permissions
> You DO NOT need to be a member to upload, anybody can upload the files


Now, we just have to wait to hear back, they are in the United Kingdom so it may be tomorrow.

In the meantime, do the new scan with ComboFix etc


----------



## ryanryan007 (Jan 6, 2008)

ComboFix 08-01-13.1 - Owner 2008-01-13 16:55:43.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.211 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*

FILE
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\idbwxnut.dll
C:\WINDOWS\system32\sqlmfvwd.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn

.
((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))
.

2008-01-13 16:34 . 2008-01-13 16:34	33,952	--a------	C:\WINDOWS\system32\drivers\oreans32.sys
2008-01-13 15:56 . 2008-01-13 14:54 d--------	C:\WINDOWS\system32\ActiveScan
2008-01-12 23:28 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
2008-01-12 15:29 . 2008-01-12 15:29 d--------	C:\Program Files\WinPcap
2008-01-12 15:27 . 2008-01-12 23:02 d--------	C:\Program Files\WMR11
2008-01-12 01:56 . 2007-12-14 01:59	69,632	--a------	C:\WINDOWS\system32\javacpl.cpl
2008-01-12 01:55 . 2008-01-12 01:55 d--------	C:\Program Files\Common Files\Java
2008-01-10 12:35 . 2008-01-10 12:35 d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-10 12:34 . 2008-01-13 16:41 d--------	C:\Program Files\SUPERAntiSpyware
2008-01-10 12:34 . 2008-01-10 12:34 d--------	C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-01-10 01:26 . 2008-01-13 16:53 d--------	C:\Program Files\iTunes
2008-01-10 01:26 . 2008-01-10 01:26 d--------	C:\Program Files\iPod
2008-01-10 01:22 . 2008-01-11 03:40 d--------	C:\WINDOWS\SxsCaPendDel
2008-01-10 00:22 . 2008-01-13 15:51 d--------	C:\VundoFix Backups
2008-01-09 09:02 . 2008-01-09 09:02 d--------	C:\Program Files\Trend Micro
2008-01-05 19:31 . 2008-01-05 19:28	102,664	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-05 19:28 . 2008-01-05 19:34 d--------	C:\Documents and Settings\Owner\.housecall6.6
2008-01-01 13:35 . 2008-01-01 13:51 d--------	C:\Program Files\mIRC
2008-01-01 13:35 . 2008-01-01 14:05 d--------	C:\Documents and Settings\Owner\Application Data\mIRC
2007-12-23 00:43 . 2007-12-23 00:43 d--------	C:\Documents and Settings\Owner\Application Data\Yahoo!
2007-12-23 00:43 . 2007-12-23 00:45 d--------	C:\Documents and Settings\All Users\Application Data\Yahoo! Companion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 00:53	---------	d-----w	C:\Program Files\Zune
2008-01-14 00:53	---------	d-----w	C:\Program Files\TuneUp Utilities 2007
2008-01-14 00:53	---------	d-----w	C:\Program Files\QuickTime
2008-01-14 00:53	---------	d-----w	C:\Program Files\MSN Messenger
2008-01-14 00:53	---------	d-----w	C:\Program Files\Messenger Plus! Live
2008-01-14 00:53	---------	d-----w	C:\Program Files\MagicISO
2008-01-14 00:53	---------	d-----w	C:\Program Files\Common Files\Webroot Shared
2008-01-14 00:52	---------	d-----w	C:\Program Files\Windows Live Toolbar
2008-01-13 00:05	---------	d-----w	C:\Documents and Settings\Owner\Application Data\uTorrent
2008-01-12 09:56	---------	d-----w	C:\Program Files\Java
2008-01-10 20:34	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-01-10 09:22	---------	d-----w	C:\Program Files\Apple Software Update
2008-01-07 13:00	---------	d-----w	C:\Program Files\Folder Lock
2008-01-06 13:59	---------	d-----w	C:\Program Files\uTorrent
2008-01-06 01:47	---------	d-----w	C:\Program Files\TVUPlayer
2008-01-02 03:13	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Vso
2007-12-24 02:04	---------	d-----w	C:\Documents and Settings\Owner\Application Data\LimeWire
2007-12-23 08:43	---------	d-----w	C:\Program Files\Yahoo!
2007-12-17 07:33	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-12-13 11:08	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-09 06:34	---------	d-----w	C:\Program Files\Microsoft Works
2007-12-09 06:33	---------	d-----w	C:\Program Files\MSBuild
2007-12-09 06:29	---------	d-----w	C:\Program Files\Microsoft.NET
2007-12-09 06:23	---------	d-----w	C:\Program Files\Microsoft Visual Studio 8
2007-12-04 14:56	93,264	----a-w	C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55	94,544	----a-w	C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53	23,152	----a-w	C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51	42,912	----a-w	C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49	26,624	----a-w	C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04	837,496	----a-w	C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54	95,608	----a-w	C:\WINDOWS\system32\AvastSS.scr
2007-12-03 10:29	---------	d-----w	C:\Program Files\Common Files\Raxco
2007-12-03 10:29	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Raxco
2007-12-02 18:38	---------	d-----w	C:\Program Files\Alex Feinman
2007-12-02 07:38	---------	d-----w	C:\Program Files\MP3Gain
2007-12-02 06:56	---------	d-----w	C:\Program Files\Smart Projects
2007-12-02 06:49	---------	d-----w	C:\Program Files\Common Files\Ahead
2007-12-02 06:49	---------	d-----w	C:\Program Files\Ahead
2007-12-02 06:31	---------	d-----w	C:\Program Files\MediaMonkey
2007-12-01 01:19	---------	d-----w	C:\Documents and Settings\Owner\Application Data\TVU Networks
2007-11-30 09:15	---------	d-----w	C:\Documents and Settings\Owner\Application Data\dvdcss
2007-11-29 20:10	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-11-29 20:10	---------	d-----w	C:\Program Files\Ross Histology
2007-11-25 09:25	---------	d-----w	C:\Program Files\MP3ext
2007-11-25 09:15	---------	d-----w	C:\Program Files\Winamp
2007-11-25 09:15	---------	d-----w	C:\Program Files\Mp3tag
2007-11-07 09:26	721,920	----a-w	C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43	1,287,680	----a-w	C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40	222,720	----a-w	C:\WINDOWS\system32\wmasf.dll
2007-03-28 04:23	89,052	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_27_21_21_20_small.dmp.zip
2007-03-28 04:23	22,656,498	----a-w	C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_27_21_20_56_full.dmp.zip
2007-03-27 05:03	22,655,457	----a-w	C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_25_21_15_31_full.dmp.zip
2007-03-24 20:36	22,396,790	----a-w	C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_22_22_47_09_full.dmp.zip
2007-03-13 21:29	93,084	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_13_14_11_54_small.dmp.zip
2007-03-09 02:07	105,147	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_06_18_12_33_small.dmp.zip
2007-03-07 04:53	88,047	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_06_20_32_00_small.dmp.zip
2007-02-26 00:41	93,830	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_24_15_05_10_small.dmp.zip
2007-02-16 19:17	89,836	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_16_11_13_47_small.dmp.zip
2007-02-14 05:07	784	----a-w	C:\Documents and Settings\Owner\Application Data\mpauth.dat
2004-10-06 08:52	22,555,648	----a-w	C:\Program Files\setup.exe
2004-10-05 20:54	27,494	----a-w	C:\Program Files\Readme.txt
2004-09-22 17:07	25,047	------w	C:\Program Files\License.rtf
2005-07-14 18:31	27,648	--sha-w	C:\WINDOWS\system32\AVSredirect.dll
2007-06-13 10:23	1,276,928	--sha-r	C:\WINDOWS\system32\firefoxupdateg.exe
2007-07-30 00:58	16,753,440	--sha-w	C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-26 10:09	548,896	--sha-w	C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( [email protected]_23.38.35.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-24 16:28:54	141,424	----a-w	C:\WINDOWS\Downloaded Program Files\asinst.dll
- 2008-01-13 07:28:47	233,472	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-14 00:55:30	233,472	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-13 07:28:47	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-14 00:55:30	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-13 07:28:47	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-14 00:55:30	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-13 07:28:47	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-14 00:55:30	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-13 07:28:47	6,254,592	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-14 00:55:30	6,316,032	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-13 07:28:47	299,008	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-14 00:55:30	299,008	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2007-06-25 05:34:08	803,908	----a-w	C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-01-13 22:55:10	238,176	----a-w	C:\WINDOWS\system32\Restore\rstrlog.dat
- 2008-01-13 07:34:15	16,384	----atw	C:\WINDOWS\Temp\Perflib_Perfdata_788.dat
+ 2008-01-14 00:34:29	16,384	----atw	C:\WINDOWS\Temp\Perflib_Perfdata_788.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2007-03-14 16:03 24104]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-06 06:49 185632]
"firefox"="firefoxupdateg.exe" [2007-06-13 02:23 1276928 C:\WINDOWS\system32\firefoxupdateg.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"firefox"="firefoxupdateg.exe" [2007-06-13 02:23 1276928 C:\WINDOWS\system32\firefoxupdateg.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Post-itr Digital Notes.lnk - C:\Program Files\3M\PDNotes\PDNotes.exe [2006-03-21 13:23:30]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Window Washer"=C:\Program Files\Webroot\Washer\wwDisp.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
"SoundMan"=SOUNDMAN.EXE
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-01-13 16:34]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 NAL;Nal Service ;C:\WINDOWS\System32\Drivers\iqvw32.sys [2002-10-16 00:11]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 09:31]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - OREANS32 
.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 01:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-01-10 09:22:55 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-14 00:26:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 16:58:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: C:\WINDOWS\

**************************************************************************
.
Completion time: 2008-01-13 16:59:22
ComboFix-quarantined-files.txt 2008-01-14 00:58:30
ComboFix2.txt 2008-01-13 11:14:16
ComboFix3.txt 2008-01-13 07:39:45
.
2008-01-13 11:01:08	--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:52 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\firefoxupdateg.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [firefox] firefoxupdateg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\RunServices: [firefox] firefoxupdateg.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Post-it® Digital Notes.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14ffe564509ecf4f7f06/netzip/RdxIE601.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/FacebookPhotoUploader2.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 8829 bytes


----------



## Byteman (Jan 24, 2002)

Hi

Did you use CFScript in that scan with ComboFix? I didn't post any to use; you don't do that every time. 

I just wanted to see a ComboFix log. 

I'm looking back through the other scans to see if there is a registry entry to remove that pointed to the deleted file you are getting the popups for.


----------



## ryanryan007 (Jan 6, 2008)

Yes, I used that notepad file. Should I do it again by just double clicking the ComboFix icon?


----------



## Byteman (Jan 24, 2002)

Hi, yes please.


----------



## ryanryan007 (Jan 6, 2008)

ComboFix 08-01-13.1 - Owner 2008-01-13 21:01:11.3 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))
.

2008-01-13 16:34 . 2008-01-13 16:34	33,952	--a------	C:\WINDOWS\system32\drivers\oreans32.sys
2008-01-13 15:56 . 2008-01-13 14:54 d--------	C:\WINDOWS\system32\ActiveScan
2008-01-12 23:28 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
2008-01-12 15:29 . 2008-01-12 15:29 d--------	C:\Program Files\WinPcap
2008-01-12 15:27 . 2008-01-13 17:22 d--------	C:\Program Files\WMR11
2008-01-12 01:56 . 2007-12-14 01:59	69,632	--a------	C:\WINDOWS\system32\javacpl.cpl
2008-01-12 01:55 . 2008-01-12 01:55 d--------	C:\Program Files\Common Files\Java
2008-01-10 12:35 . 2008-01-10 12:35 d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-10 12:34 . 2008-01-13 16:41 d--------	C:\Program Files\SUPERAntiSpyware
2008-01-10 12:34 . 2008-01-10 12:34 d--------	C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-01-10 01:26 . 2008-01-13 16:53 d--------	C:\Program Files\iTunes
2008-01-10 01:26 . 2008-01-10 01:26 d--------	C:\Program Files\iPod
2008-01-10 01:22 . 2008-01-11 03:40 d--------	C:\WINDOWS\SxsCaPendDel
2008-01-10 00:22 . 2008-01-13 15:51 d--------	C:\VundoFix Backups
2008-01-09 09:02 . 2008-01-09 09:02 d--------	C:\Program Files\Trend Micro
2008-01-05 19:31 . 2008-01-05 19:28	102,664	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-05 19:28 . 2008-01-05 19:34 d--------	C:\Documents and Settings\Owner\.housecall6.6
2008-01-01 13:35 . 2008-01-01 13:51 d--------	C:\Program Files\mIRC
2008-01-01 13:35 . 2008-01-01 14:05 d--------	C:\Documents and Settings\Owner\Application Data\mIRC
2007-12-23 00:43 . 2007-12-23 00:43 d--------	C:\Documents and Settings\Owner\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 03:29	---------	d-----w	C:\Documents and Settings\Owner\Application Data\uTorrent
2008-01-14 01:15	---------	d-----w	C:\Program Files\Yahoo!
2008-01-14 01:14	---------	d-----w	C:\Program Files\Starcraft
2008-01-14 01:13	---------	d-----w	C:\Program Files\Raxco
2008-01-14 01:13	---------	d-----w	C:\Program Files\MagicISO
2008-01-14 00:53	---------	d-----w	C:\Program Files\Zune
2008-01-14 00:53	---------	d-----w	C:\Program Files\TuneUp Utilities 2007
2008-01-14 00:53	---------	d-----w	C:\Program Files\QuickTime
2008-01-14 00:53	---------	d-----w	C:\Program Files\MSN Messenger
2008-01-14 00:53	---------	d-----w	C:\Program Files\Messenger Plus! Live
2008-01-14 00:53	---------	d-----w	C:\Program Files\Common Files\Webroot Shared
2008-01-14 00:52	---------	d-----w	C:\Program Files\Windows Live Toolbar
2008-01-12 09:56	---------	d-----w	C:\Program Files\Java
2008-01-10 20:34	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-01-10 09:22	---------	d-----w	C:\Program Files\Apple Software Update
2008-01-07 13:00	---------	d-----w	C:\Program Files\Folder Lock
2008-01-06 13:59	---------	d-----w	C:\Program Files\uTorrent
2008-01-06 01:47	---------	d-----w	C:\Program Files\TVUPlayer
2008-01-02 03:13	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Vso
2007-12-24 02:04	---------	d-----w	C:\Documents and Settings\Owner\Application Data\LimeWire
2007-12-17 07:33	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-12-13 11:08	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-09 06:34	---------	d-----w	C:\Program Files\Microsoft Works
2007-12-09 06:33	---------	d-----w	C:\Program Files\MSBuild
2007-12-09 06:29	---------	d-----w	C:\Program Files\Microsoft.NET
2007-12-09 06:23	---------	d-----w	C:\Program Files\Microsoft Visual Studio 8
2007-12-04 14:56	93,264	----a-w	C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55	94,544	----a-w	C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53	23,152	----a-w	C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51	42,912	----a-w	C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49	26,624	----a-w	C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04	837,496	----a-w	C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54	95,608	----a-w	C:\WINDOWS\system32\AvastSS.scr
2007-12-02 07:38	---------	d-----w	C:\Program Files\MP3Gain
2007-12-02 06:49	---------	d-----w	C:\Program Files\Common Files\Ahead
2007-12-02 06:49	---------	d-----w	C:\Program Files\Ahead
2007-12-02 06:31	---------	d-----w	C:\Program Files\MediaMonkey
2007-12-01 01:19	---------	d-----w	C:\Documents and Settings\Owner\Application Data\TVU Networks
2007-11-30 09:15	---------	d-----w	C:\Documents and Settings\Owner\Application Data\dvdcss
2007-11-29 20:10	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-11-29 20:10	---------	d-----w	C:\Program Files\Ross Histology
2007-11-25 09:25	---------	d-----w	C:\Program Files\MP3ext
2007-11-25 09:15	---------	d-----w	C:\Program Files\Winamp
2007-11-25 09:15	---------	d-----w	C:\Program Files\Mp3tag
2007-11-07 09:26	721,920	----a-w	C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43	1,287,680	----a-w	C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40	222,720	----a-w	C:\WINDOWS\system32\wmasf.dll
2007-03-28 04:23	89,052	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_27_21_21_20_small.dmp.zip
2007-03-28 04:23	22,656,498	----a-w	C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_27_21_20_56_full.dmp.zip
2007-03-27 05:03	22,655,457	----a-w	C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_25_21_15_31_full.dmp.zip
2007-03-24 20:36	22,396,790	----a-w	C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_22_22_47_09_full.dmp.zip
2007-03-13 21:29	93,084	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_13_14_11_54_small.dmp.zip
2007-03-09 02:07	105,147	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_06_18_12_33_small.dmp.zip
2007-03-07 04:53	88,047	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_06_20_32_00_small.dmp.zip
2007-02-26 00:41	93,830	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_24_15_05_10_small.dmp.zip
2007-02-16 19:17	89,836	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_16_11_13_47_small.dmp.zip
2007-02-14 05:07	784	----a-w	C:\Documents and Settings\Owner\Application Data\mpauth.dat
2004-10-06 08:52	22,555,648	----a-w	C:\Program Files\setup.exe
2004-10-05 20:54	27,494	----a-w	C:\Program Files\Readme.txt
2004-09-22 17:07	25,047	------w	C:\Program Files\License.rtf
2005-07-14 18:31	27,648	--sha-w	C:\WINDOWS\system32\AVSredirect.dll
2007-06-13 10:23	1,276,928	--sha-r	C:\WINDOWS\system32\firefoxupdateg.exe
2007-07-30 00:58	16,753,440	--sha-w	C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-26 10:09	548,896	--sha-w	C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( [email protected]_23.38.35.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-24 16:28:54	141,424	----a-w	C:\WINDOWS\Downloaded Program Files\asinst.dll
- 2008-01-13 07:28:47	233,472	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-14 00:55:30	233,472	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-13 07:28:47	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-14 00:55:30	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-13 07:28:47	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-14 00:55:30	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-13 07:28:47	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-14 00:55:30	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-13 07:28:47	6,254,592	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-14 00:55:30	6,316,032	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-13 07:28:47	299,008	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-14 00:55:30	299,008	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2007-06-25 05:34:08	803,908	----a-w	C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-01-13 22:55:10	238,176	----a-w	C:\WINDOWS\system32\Restore\rstrlog.dat
- 2008-01-13 07:34:15	16,384	----atw	C:\WINDOWS\Temp\Perflib_Perfdata_788.dat
+ 2008-01-14 00:34:29	16,384	----a-w	C:\WINDOWS\Temp\Perflib_Perfdata_788.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2007-03-14 16:03 24104]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-06 06:49 185632]
"firefox"="firefoxupdateg.exe" [2007-06-13 02:23 1276928 C:\WINDOWS\system32\firefoxupdateg.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"firefox"="firefoxupdateg.exe" [2007-06-13 02:23 1276928 C:\WINDOWS\system32\firefoxupdateg.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Post-itr Digital Notes.lnk - C:\Program Files\3M\PDNotes\PDNotes.exe [2006-03-21 13:23:30]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Window Washer"=C:\Program Files\Webroot\Washer\wwDisp.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
"SoundMan"=SOUNDMAN.EXE
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-01-13 16:34]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 NAL;Nal Service ;C:\WINDOWS\System32\Drivers\iqvw32.sys [2002-10-16 00:11]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 09:31]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - OREANS32 
.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 01:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-01-10 09:22:55 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-14 04:26:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 21:05:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: C:\WINDOWS\

**************************************************************************
.
Completion time: 2008-01-13 21:06:40
ComboFix-quarantined-files.txt 2008-01-14 05:05:46
ComboFix2.txt 2008-01-14 00:59:23
ComboFix3.txt 2008-01-13 11:14:16
ComboFix4.txt 2008-01-13 07:39:45
.
2008-01-13 11:01:08	--- E O F ---

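A triage pass over a log like the one just posted, written as an added example for this thread (not ComboFix's own code and not anything the participants posted): it parses the tab-separated attribute listings (both the "Files Created" and the "Find3M" layouts) and the Reg Loading Points section, then flags autorun entries that a reviewer should look at more closely. The excerpt it runs on is constructed in the same layout as the log above; the flags are heuristics for a human to follow up, for example with an online scanner, not verdicts.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of ComboFix or of the thread: cross-references autorun
entries (Run / RunServices keys) with the file attribute listings so a reviewer
can see which startup items deserve a closer look. Flags are heuristics only.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the layout of the posted log: tab-separated attribute
# lines and REGEDIT4-style key / value lines.
SAMPLE_LOG = (
    '2008-01-13 16:34 . 2008-01-13 16:34\t33,952\t--a------\tC:\\WINDOWS\\system32\\drivers\\oreans32.sys\n'
    '2007-11-07 09:26\t721,920\t----a-w\tC:\\WINDOWS\\system32\\lsasrv.dll\n'
    '2007-06-13 10:23\t1,276,928\t--sha-r\tC:\\WINDOWS\\system32\\firefoxupdateg.exe\n'
    '2008-01-14 03:29\t---------\td-----w\tC:\\Program Files\\Java\n'
    '((((((((((((((( Reg Loading Points )))))))))))))))\n'
    'REGEDIT4\n'
    '[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n'
    '"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" [2004-08-04 00:56 15360]\n'
    '[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n'
    '"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe" [2007-12-04 05:00 79224]\n'
    '"firefox"="firefoxupdateg.exe" [2007-06-13 02:23 1276928 C:\\WINDOWS\\system32\\firefoxupdateg.exe]\n'
    '[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices]\n'
    '"firefox"="firefoxupdateg.exe" [2007-06-13 02:23 1276928 C:\\WINDOWS\\system32\\firefoxupdateg.exe]\n'
    '[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\run-]\n'
    '"KernelFaultCheck"=%systemroot%\\system32\\dumprep 0 -k\n'
)

# "date time [. date time] <size|dashes> <attrs> <path>", fields tab-separated
ATTR_RE = re.compile(
    r"^(?P<when>\d{4}-\d\d-\d\d \d\d:\d\d)(?: \. \d{4}-\d\d-\d\d \d\d:\d\d)?"
    r"\s+(?:(?P<size>[\d,-]+)\s+)?(?P<attrs>[-a-z]+)\s+(?P<path>.+)$")
KEY_RE = re.compile(r"^\[(?P<key>.+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<rest>.*)$')
# ComboFix appends "[date time size [fullpath]]" to each value line
META_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \d+(?: (?P<path>.+))?$")


@dataclass
class AutorunEntry:
    key: str
    name: str
    value: str                # the data exactly as written in the registry
    resolved: Optional[str]   # full path of the launched file, if known
    reasons: List[str] = field(default_factory=list)


def _parse_value(key: str, name: str, rest: str) -> AutorunEntry:
    """Split a REGEDIT4 value line into the raw data and the resolved path."""
    resolved = None
    bracket = re.search(r"\[([^\]]*)\]\s*$", rest)
    if bracket:
        meta = META_RE.match(bracket.group(1))
        if meta and meta.group("path"):
            resolved = meta.group("path")
        rest = rest[:bracket.start()]
    value = rest.strip()
    if value.startswith('"'):  # quoted program, possibly followed by arguments
        end = value.find('"', 1)
        value = value[1:end] if end > 0 else value[1:]
    if resolved is None and "\\" in value:
        resolved = value          # unquoted full path, arguments included
    return AutorunEntry(key, name, value, resolved)


def parse_log(text: str) -> Tuple[Dict[str, str], List[AutorunEntry]]:
    """Return {lower-cased path: attribute string} and the autorun entries."""
    attrs: Dict[str, str] = {}
    entries: List[AutorunEntry] = []
    key = None
    for line in text.splitlines():
        line = line.rstrip()
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group("path").lower()] = m.group("attrs")
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append(_parse_value(key, m.group("name"), m.group("rest")))
    return attrs, entries


def triage(text: str) -> List[AutorunEntry]:
    """Flag autorun entries that a reviewer should look at more closely."""
    attrs, entries = parse_log(text)
    flagged = []
    for e in entries:
        tail = e.key.lower().rsplit("\\", 1)[-1]
        if tail not in ("run", "runservices"):
            continue  # keys such as "run-" are not processed by Windows at logon
        if "\\" not in e.value:
            e.reasons.append("bare file name: found via the search path, not an explicit location")
        if tail == "runservices":
            e.reasons.append("RunServices: a Windows 9x/ME autostart key that XP itself does not use")
        a = attrs.get((e.resolved or "").lower(), "")
        if "s" in a and "h" in a:
            e.reasons.append(f"launched file carries hidden+system attributes ({a})")
        if e.reasons:
            flagged.append(e)
    return flagged
```

Running `triage(SAMPLE_LOG)` leaves the ctfmon and avast entries alone and returns the two "firefox" entries with their reasons attached, which is the list a reviewer would take to the file-scanning step.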

----------



## Byteman (Jan 24, 2002)

Hi,

Do you know what the loose files are in this folder>

C:\Program Files\*setup.exe*
C:\Program Files\*License.rtf*
C:\Program Files\*Readme.txt*

There should be only Folders in Program Files....looks like someone unzipped a file here for an install of something.

Check files at the Jotti site>

Go to:

http://virusscan.jotti.org/

Browse to one file using *Windows Explorer*

C:\Program Files\*setup.exe* <<< do not open or run this one....

Have them scanned one by one and post the results please.

C:\Program Files\*License.rtf*
C:\Program Files\*Readme.txt* <these will open and should be readable text

Open the text ones and see what they belong to, and post the name of any game, etc it shows.


----------



## ryanryan007 (Jan 6, 2008)

Quick question: why can't I change the name of my media files? I get a message saying if I do change the file name extension, it will be unusable.


----------



## Byteman (Jan 24, 2002)

Hi, You can change the first part, which is the name...but the extension regulates what program will play, or Open, the file so you might make the file Un-openable if you change the extension

What you want to do, is Convert the media file TO a compatible program, and there are many good free (mostly) programs that can convert, for example...an AAC iTunes file, to MP4, MP3, etc.

Same for video.


PS have you done anything with the files in my last reply? Check back a post or two..


----------



## hewee (Oct 26, 2001)

With a site like this one you can do it online without installing anything.

Media-Convert is 100% free. No software is needed, and you don't have to register. You only need your favorite Internet browser. Your files are ready 7/7 days 24/24 hours.

http://media-convert.com/convert/


----------



## ryanryan007 (Jan 6, 2008)

But I haven't changed the extension. For example, the original song title was "bob marley - jammin" and I want to change it to "Bob Marley - Jammin". It won't let me do it. It's still the same format, isn't it?

PS: the files are from my disk defragmenting program. I can delete them if you want. I know it's safe, but I can delete it if you want me to.


----------



## Byteman (Jan 24, 2002)

Hi, Ok, I have gotten some info about the file you uploaded, and it is bad and has to go.

By the way, this infection by now has passed along all the game keys, passwords, etc. to others; probably anything has been. You might want to change all your passwords to all accounts, online games...banking, anything at all, even email ones.

Make SURE you write down what you change them to accurately.

NEXT: First, we need to see a brand new ComboFix log from this newer version

*Delete any ComboFix.exe files that are sitting on your desktop*...we need to download the newest one to use.

Please download ComboFix from *Here* 
***Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_.
_Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask._
-----------------------------------------------------------

Close any open browsers. 
*WARNING: Combofix will disconnect your machine from the Internet as soon as it starts*
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on *combofix.exe* & follow the prompts.
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt" * in your next reply..
***Note: Do not mouseclick combofix's window while it's running. That may cause it to stall***

*Post that log and a brand new Hijackthis log*


----------



## ryanryan007 (Jan 6, 2008)

ComboFix 08-01-09.2 - Owner 2008-01-16 0:21:18.4 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.

2008-01-14 10:41 . 2008-01-14 10:41	33,952	--a------	C:\WINDOWS\system32\drivers\oreans32.sys
2008-01-13 21:53 . 2008-01-14 10:41	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-01-13 21:53 . 2008-01-13 21:53	1,409	--a------	C:\WINDOWS\QTFont.for
2008-01-13 15:56 . 2008-01-13 14:54 d--------	C:\WINDOWS\system32\ActiveScan
2008-01-12 23:28 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
2008-01-12 15:29 . 2008-01-12 15:29 d--------	C:\Program Files\WinPcap
2008-01-12 15:27 . 2008-01-13 17:22 d--------	C:\Program Files\WMR11
2008-01-12 01:56 . 2007-12-14 01:59	69,632	--a------	C:\WINDOWS\system32\javacpl.cpl
2008-01-12 01:55 . 2008-01-12 01:55 d--------	C:\Program Files\Common Files\Java
2008-01-10 12:35 . 2008-01-10 12:35 d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-10 12:34 . 2008-01-13 16:41 d--------	C:\Program Files\SUPERAntiSpyware
2008-01-10 12:34 . 2008-01-10 12:34 d--------	C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-01-10 01:26 . 2008-01-13 16:53 d--------	C:\Program Files\iTunes
2008-01-10 01:26 . 2008-01-10 01:26 d--------	C:\Program Files\iPod
2008-01-10 01:22 . 2008-01-11 03:40 d--------	C:\WINDOWS\SxsCaPendDel
2008-01-10 00:22 . 2008-01-13 15:51 d--------	C:\VundoFix Backups
2008-01-09 09:02 . 2008-01-09 09:02 d--------	C:\Program Files\Trend Micro
2008-01-05 19:31 . 2008-01-05 19:28	102,664	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-05 19:28 . 2008-01-05 19:34 d--------	C:\Documents and Settings\Owner\.housecall6.6
2008-01-01 13:35 . 2008-01-01 13:51 d--------	C:\Program Files\mIRC
2008-01-01 13:35 . 2008-01-01 14:05 d--------	C:\Documents and Settings\Owner\Application Data\mIRC
2007-12-23 00:43 . 2007-12-23 00:43 d--------	C:\Documents and Settings\Owner\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 06:12	---------	d-----w	C:\Program Files\Folder Lock
2008-01-14 03:29	---------	d-----w	C:\Documents and Settings\Owner\Application Data\uTorrent
2008-01-14 01:15	---------	d-----w	C:\Program Files\Yahoo!
2008-01-14 01:14	---------	d-----w	C:\Program Files\Starcraft
2008-01-14 01:13	---------	d-----w	C:\Program Files\Raxco
2008-01-14 01:13	---------	d-----w	C:\Program Files\MagicISO
2008-01-14 00:53	---------	d-----w	C:\Program Files\Zune
2008-01-14 00:53	---------	d-----w	C:\Program Files\TuneUp Utilities 2007
2008-01-14 00:53	---------	d-----w	C:\Program Files\QuickTime
2008-01-14 00:53	---------	d-----w	C:\Program Files\MSN Messenger
2008-01-14 00:53	---------	d-----w	C:\Program Files\Messenger Plus! Live
2008-01-14 00:53	---------	d-----w	C:\Program Files\Common Files\Webroot Shared
2008-01-14 00:52	---------	d-----w	C:\Program Files\Windows Live Toolbar
2008-01-12 09:56	---------	d-----w	C:\Program Files\Java
2008-01-10 20:34	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-01-10 09:22	---------	d-----w	C:\Program Files\Apple Software Update
2008-01-06 13:59	---------	d-----w	C:\Program Files\uTorrent
2008-01-06 01:47	---------	d-----w	C:\Program Files\TVUPlayer
2008-01-02 03:13	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Vso
2007-12-24 02:04	---------	d-----w	C:\Documents and Settings\Owner\Application Data\LimeWire
2007-12-17 07:33	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-12-13 11:08	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-09 06:34	---------	d-----w	C:\Program Files\Microsoft Works
2007-12-09 06:33	---------	d-----w	C:\Program Files\MSBuild
2007-12-09 06:29	---------	d-----w	C:\Program Files\Microsoft.NET
2007-12-09 06:23	---------	d-----w	C:\Program Files\Microsoft Visual Studio 8
2007-12-04 14:56	93,264	----a-w	C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55	94,544	----a-w	C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53	23,152	----a-w	C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51	42,912	----a-w	C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49	26,624	----a-w	C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04	837,496	----a-w	C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54	95,608	----a-w	C:\WINDOWS\system32\AvastSS.scr
2007-12-02 07:38	---------	d-----w	C:\Program Files\MP3Gain
2007-12-02 06:49	---------	d-----w	C:\Program Files\Common Files\Ahead
2007-12-02 06:49	---------	d-----w	C:\Program Files\Ahead
2007-12-02 06:31	---------	d-----w	C:\Program Files\MediaMonkey
2007-12-01 01:19	---------	d-----w	C:\Documents and Settings\Owner\Application Data\TVU Networks
2007-11-30 09:15	---------	d-----w	C:\Documents and Settings\Owner\Application Data\dvdcss
2007-11-29 20:10	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-11-29 20:10	---------	d-----w	C:\Program Files\Ross Histology
2007-11-25 09:25	---------	d-----w	C:\Program Files\MP3ext
2007-11-25 09:15	---------	d-----w	C:\Program Files\Winamp
2007-11-25 09:15	---------	d-----w	C:\Program Files\Mp3tag
2007-11-07 09:26	721,920	----a-w	C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43	1,287,680	----a-w	C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40	222,720	----a-w	C:\WINDOWS\system32\wmasf.dll
2007-03-28 04:23	89,052	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_27_21_21_20_small.dmp.zip
2007-03-28 04:23	22,656,498	----a-w	C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_27_21_20_56_full.dmp.zip
2007-03-27 05:03	22,655,457	----a-w	C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_25_21_15_31_full.dmp.zip
2007-03-24 20:36	22,396,790	----a-w	C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_22_22_47_09_full.dmp.zip
2007-03-13 21:29	93,084	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_13_14_11_54_small.dmp.zip
2007-03-09 02:07	105,147	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_06_18_12_33_small.dmp.zip
2007-03-07 04:53	88,047	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_06_20_32_00_small.dmp.zip
2007-02-26 00:41	93,830	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_24_15_05_10_small.dmp.zip
2007-02-16 19:17	89,836	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_16_11_13_47_small.dmp.zip
2007-02-14 05:07	784	----a-w	C:\Documents and Settings\Owner\Application Data\mpauth.dat
2004-10-06 08:52	22,555,648	----a-w	C:\Program Files\setup.exe
2004-10-05 20:54	27,494	----a-w	C:\Program Files\Readme.txt
2004-09-22 17:07	25,047	------w	C:\Program Files\License.rtf
2005-07-14 18:31	27,648	--sha-w	C:\WINDOWS\system32\AVSredirect.dll
2007-06-13 10:23	1,276,928	--sha-r	C:\WINDOWS\system32\firefoxupdateg.exe
2007-07-30 00:58	16,753,440	--sha-w	C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-26 10:09	548,896	--sha-w	C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( [email protected]_23.38.35.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-24 16:28:54	141,424	----a-w	C:\WINDOWS\Downloaded Program Files\asinst.dll
- 2008-01-13 07:28:47	233,472	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-14 00:55:30	233,472	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-13 07:28:47	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-14 00:55:30	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-13 07:28:47	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-14 00:55:30	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-13 07:28:47	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-14 00:55:30	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-13 07:28:47	6,254,592	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-14 00:55:30	6,316,032	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-13 07:28:47	299,008	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-14 00:55:30	299,008	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2007-06-25 05:34:08	803,908	----a-w	C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-01-13 22:55:10	238,176	----a-w	C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-01-14 08:03:18	16,384	----atw	C:\WINDOWS\Temp\Perflib_Perfdata_784.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2007-03-14 16:03 24104]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-06 06:49 185632]
"firefox"="firefoxupdateg.exe" [2007-06-13 02:23 1276928 C:\WINDOWS\system32\firefoxupdateg.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"firefox"="firefoxupdateg.exe" [2007-06-13 02:23 1276928 C:\WINDOWS\system32\firefoxupdateg.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Post-itr Digital Notes.lnk - C:\Program Files\3M\PDNotes\PDNotes.exe [2006-03-21 13:23:30]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Window Washer"=C:\Program Files\Webroot\Washer\wwDisp.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
"SoundMan"=SOUNDMAN.EXE
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-01-14 10:41]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 NAL;Nal Service ;C:\WINDOWS\System32\Drivers\iqvw32.sys [2002-10-16 00:11]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 09:31]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - OREANS32 
.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 01:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-01-10 09:22:55 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-16 07:26:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 00:25:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: C:\WINDOWS\

**************************************************************************
.
Completion time: 2008-01-16 0:26:41
ComboFix-quarantined-files.txt 2008-01-16 08:25:48
ComboFix2.txt 2008-01-14 05:06:41
ComboFix3.txt 2008-01-14 00:59:23
ComboFix4.txt 2008-01-13 11:14:16
ComboFix5.txt 2008-01-13 07:39:45
.
2008-01-15 11:00:56	--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:06 AM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\firefoxupdateg.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [firefox] firefoxupdateg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\RunServices: [firefox] firefoxupdateg.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Post-it® Digital Notes.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14ffe564509ecf4f7f06/netzip/RdxIE601.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/FacebookPhotoUploader2.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 7882 bytes

Two quick questions: are the dangerous files you're referring to the "readme, setup and license" files, and if so, do you want me to delete them?


----------



## Byteman (Jan 24, 2002)

Hi. No, those files are fine; they were just in an odd location, as you apparently unzipped the installer for a disk defragmenting program there. You can leave them; they have been scanned, etc.

Next:


Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_.
_Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask._
-----------------------------------------------------------

*WARNING: Combofix will disconnect your machine from the Internet as soon as it starts*
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Open *notepad* and copy/paste the text in the codebox below into it:
Save this as *"CFScript.txt" (this time include the "" marks) * and, Save As Type: *All Files (*.*)*


```
Driver::
oreans32.sys

File::
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for
C:\WINDOWS\system32\firefoxupdateg.exe
C:\WINDOWS\system32\drivers\oreans32.sys

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"firefox"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"firefox"=-
```
*Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.*

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of *Combofix.txt* in your next reply together with a *new HijackThis log*.


----------



## ryanryan007 (Jan 6, 2008)

ComboFix 08-01-09.2 - Owner 2008-01-17 3:40:47.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.155 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\drivers\oreans32.sys
C:\WINDOWS\system32\firefoxupdateg.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\drivers\oreans32.sys
C:\WINDOWS\system32\firefoxupdateg.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-13 15:56 . 2008-01-13 14:54 d--------	C:\WINDOWS\system32\ActiveScan
2008-01-12 23:28 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
2008-01-12 15:29 . 2008-01-12 15:29 d--------	C:\Program Files\WinPcap
2008-01-12 15:27 . 2008-01-13 17:22 d--------	C:\Program Files\WMR11
2008-01-12 01:56 . 2007-12-14 01:59	69,632	--a------	C:\WINDOWS\system32\javacpl.cpl
2008-01-12 01:55 . 2008-01-12 01:55 d--------	C:\Program Files\Common Files\Java
2008-01-10 12:35 . 2008-01-10 12:35 d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-10 12:34 . 2008-01-13 16:41 d--------	C:\Program Files\SUPERAntiSpyware
2008-01-10 12:34 . 2008-01-10 12:34 d--------	C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-01-10 01:26 . 2008-01-13 16:53 d--------	C:\Program Files\iTunes
2008-01-10 01:26 . 2008-01-10 01:26 d--------	C:\Program Files\iPod
2008-01-10 01:22 . 2008-01-11 03:40 d--------	C:\WINDOWS\SxsCaPendDel
2008-01-10 00:22 . 2008-01-13 15:51 d--------	C:\VundoFix Backups
2008-01-09 09:02 . 2008-01-09 09:02 d--------	C:\Program Files\Trend Micro
2008-01-05 19:31 . 2008-01-05 19:28	102,664	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-05 19:28 . 2008-01-05 19:34 d--------	C:\Documents and Settings\Owner\.housecall6.6
2008-01-01 13:35 . 2008-01-01 13:51 d--------	C:\Program Files\mIRC
2008-01-01 13:35 . 2008-01-01 14:05 d--------	C:\Documents and Settings\Owner\Application Data\mIRC
2007-12-23 00:43 . 2007-12-23 00:43 d--------	C:\Documents and Settings\Owner\Application Data\Yahoo!

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 06:12	---------	d-----w	C:\Program Files\Folder Lock
2008-01-14 03:29	---------	d-----w	C:\Documents and Settings\Owner\Application Data\uTorrent
2008-01-14 01:15	---------	d-----w	C:\Program Files\Yahoo!
2008-01-14 01:14	---------	d-----w	C:\Program Files\Starcraft
2008-01-14 01:13	---------	d-----w	C:\Program Files\Raxco
2008-01-14 01:13	---------	d-----w	C:\Program Files\MagicISO
2008-01-14 00:53	---------	d-----w	C:\Program Files\Zune
2008-01-14 00:53	---------	d-----w	C:\Program Files\TuneUp Utilities 2007
2008-01-14 00:53	---------	d-----w	C:\Program Files\QuickTime
2008-01-14 00:53	---------	d-----w	C:\Program Files\MSN Messenger
2008-01-14 00:53	---------	d-----w	C:\Program Files\Messenger Plus! Live
2008-01-14 00:53	---------	d-----w	C:\Program Files\Common Files\Webroot Shared
2008-01-14 00:52	---------	d-----w	C:\Program Files\Windows Live Toolbar
2008-01-12 09:56	---------	d-----w	C:\Program Files\Java
2008-01-10 20:34	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-01-10 09:22	---------	d-----w	C:\Program Files\Apple Software Update
2008-01-06 13:59	---------	d-----w	C:\Program Files\uTorrent
2008-01-06 01:47	---------	d-----w	C:\Program Files\TVUPlayer
2008-01-02 03:13	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Vso
2007-12-24 02:04	---------	d-----w	C:\Documents and Settings\Owner\Application Data\LimeWire
2007-12-17 07:33	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-12-13 11:08	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-09 06:34	---------	d-----w	C:\Program Files\Microsoft Works
2007-12-09 06:33	---------	d-----w	C:\Program Files\MSBuild
2007-12-09 06:29	---------	d-----w	C:\Program Files\Microsoft.NET
2007-12-09 06:23	---------	d-----w	C:\Program Files\Microsoft Visual Studio 8
2007-12-04 14:56	93,264	----a-w	C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55	94,544	----a-w	C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53	23,152	----a-w	C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51	42,912	----a-w	C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49	26,624	----a-w	C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04	837,496	----a-w	C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54	95,608	----a-w	C:\WINDOWS\system32\AvastSS.scr
2007-12-02 07:38	---------	d-----w	C:\Program Files\MP3Gain
2007-12-02 06:49	---------	d-----w	C:\Program Files\Common Files\Ahead
2007-12-02 06:49	---------	d-----w	C:\Program Files\Ahead
2007-12-02 06:31	---------	d-----w	C:\Program Files\MediaMonkey
2007-12-01 01:19	---------	d-----w	C:\Documents and Settings\Owner\Application Data\TVU Networks
2007-11-30 09:15	---------	d-----w	C:\Documents and Settings\Owner\Application Data\dvdcss
2007-11-29 20:10	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-11-29 20:10	---------	d-----w	C:\Program Files\Ross Histology
2007-11-25 09:25	---------	d-----w	C:\Program Files\MP3ext
2007-11-25 09:15	---------	d-----w	C:\Program Files\Winamp
2007-11-25 09:15	---------	d-----w	C:\Program Files\Mp3tag
2007-11-07 09:26	721,920	----a-w	C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43	1,287,680	----a-w	C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40	222,720	----a-w	C:\WINDOWS\system32\wmasf.dll
2007-03-28 04:23	89,052	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_27_21_21_20_small.dmp.zip
2007-03-28 04:23	22,656,498	----a-w	C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_27_21_20_56_full.dmp.zip
2007-03-27 05:03	22,655,457	----a-w	C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_25_21_15_31_full.dmp.zip
2007-03-24 20:36	22,396,790	----a-w	C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_22_22_47_09_full.dmp.zip
2007-03-13 21:29	93,084	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_13_14_11_54_small.dmp.zip
2007-03-09 02:07	105,147	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_06_18_12_33_small.dmp.zip
2007-03-07 04:53	88,047	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_06_20_32_00_small.dmp.zip
2007-02-26 00:41	93,830	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_24_15_05_10_small.dmp.zip
2007-02-16 19:17	89,836	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_16_11_13_47_small.dmp.zip
2007-02-14 05:07	784	----a-w	C:\Documents and Settings\Owner\Application Data\mpauth.dat
2004-10-06 08:52	22,555,648	----a-w	C:\Program Files\setup.exe
2004-10-05 20:54	27,494	----a-w	C:\Program Files\Readme.txt
2004-09-22 17:07	25,047	------w	C:\Program Files\License.rtf
2005-07-14 18:31	27,648	--sha-w	C:\WINDOWS\system32\AVSredirect.dll
2007-07-30 00:58	16,753,440	--sha-w	C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-26 10:09	548,896	--sha-w	C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( [email protected]_23.38.35.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-24 16:28:54	141,424	----a-w	C:\WINDOWS\Downloaded Program Files\asinst.dll
- 2008-01-13 07:28:47	233,472	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-17 11:40:26	233,472	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-13 07:28:47	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-17 11:40:26	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-13 07:28:47	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-17 11:40:26	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-13 07:28:47	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-17 11:40:26	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-13 07:28:47	6,254,592	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-17 11:40:26	6,311,936	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-13 07:28:47	299,008	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-17 11:40:26	299,008	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2007-06-25 05:34:08	803,908	----a-w	C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-01-13 22:55:10	238,176	----a-w	C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-01-14 08:03:18	16,384	----atw	C:\WINDOWS\Temp\Perflib_Perfdata_784.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2007-03-14 16:03 24104]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-06 06:49 185632]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Post-itr Digital Notes.lnk - C:\Program Files\3M\PDNotes\PDNotes.exe [2006-03-21 13:23:30]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Window Washer"=C:\Program Files\Webroot\Washer\wwDisp.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
"SoundMan"=SOUNDMAN.EXE
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys []
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 NAL;Nal Service ;C:\WINDOWS\System32\Drivers\iqvw32.sys [2002-10-16 00:11]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 09:31]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - OREANS32 
.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 01:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-01-17 03:50:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-17 11:26:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 03:45:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: C:\WINDOWS\

**************************************************************************
.
Completion time: 2008-01-17 3:46:20
ComboFix-quarantined-files.txt 2008-01-17 11:45:28
ComboFix2.txt 2008-01-16 08:26:42
ComboFix3.txt 2008-01-14 05:06:41
ComboFix4.txt 2008-01-14 00:59:23
ComboFix5.txt 2008-01-13 11:14:16
.
2008-01-17 11:01:00	--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:46:51 AM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Post-it® Digital Notes.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14ffe564509ecf4f7f06/netzip/RdxIE601.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/FacebookPhotoUploader2.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 7672 bytes

It says that it deleted the oreans32 thingy, but it said that in the last scan too. Do you think we can actually get rid of this pesky thing?


----------



## Byteman (Jan 24, 2002)

Hi. Let's try a different way; one thing was not taken out, or came back. The file is not running, as it was deleted; the leftover service is what is trying to run. We should be able to stop and delete it.

*****Please turn off the antivirus and antispyware programs you use;

*use this link*> *http://www.bleepingcomputer.com/forums/topic114351.html* to see which ones have to be turned off so that ComboFix works correctly.

Next:

From your Start button, choose Run, type the following into the Run line (include the quotation marks), and press your *Enter key once after the first line, then again after the second line is typed*:

```
sc stop "oreans32"

sc delete "oreans32"
```

Next:

Run ComboFix and post the new log.


----------
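Two things in this exchange are worth turning into a repeatable check: the `[firefox] firefoxupdateg.exe` entries in the 16 Jan HijackThis log (a bare file name under both the Run and the Win9x-era RunServices key, with the binary sitting in system32 rather than under Mozilla Firefox), and Byteman's point that `oreans32.sys` was deleted while its service registration survived, which is why the ComboFix service line went from `[2008-01-14 10:41]` to `[]` between the two logs. The script below is an added example, not code from the thread, ComboFix or HijackThis. The sample lines are copied from the logs above; the triage rules and the `PRODUCT_DIRS` table are my own illustrative heuristics, not anything the tools report.

```python
"""Triage helpers for HijackThis O4 lines and ComboFix service lines.

Added example for this thread; not code from the thread or from either tool.
"""
import re
from typing import Dict, List

# Constructed sample: O4 lines copied from the 16 Jan HijackThis log above.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [firefox] firefoxupdateg.exe
O4 - HKLM\..\RunServices: [firefox] firefoxupdateg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
"""

# Constructed sample: service lines from the 17 Jan ComboFix log, taken after
# the driver file had been deleted but its service registration had not.
COMBOFIX_SAMPLE = r"""
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys []
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 09:31]
"""

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?', re.IGNORECASE)
SVC_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.*?) \[(?P<info>[^\]]*)\]$"
)

# Assumed, illustrative mapping: an autorun whose label claims to be this
# product is expected to live under the product's own install directory.
PRODUCT_DIRS = {"firefox": "mozilla firefox"}


def flag_autoruns(log_text: str) -> List[Dict[str, object]]:
    """Return the O4 entries that deserve a second look, each with its reasons."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        m = O4_RE.match(raw.strip())
        if not m:
            continue
        name, key, cmd = m["name"], m["key"], m["cmd"]
        exe = EXE_RE.match(cmd)
        path = exe["path"] if exe else cmd
        reasons: List[str] = []
        # A bare file name is resolved through the PATH search order at logon,
        # so the entry runs whatever copy was dropped into system32.
        if "\\" not in path and "/" not in path:
            reasons.append("bare filename, no directory")
        # RunServices is a Windows 9x key; NT-era software registers real
        # services instead, so an entry here on XP is almost always planted.
        if key.lower() == "runservices":
            reasons.append("RunServices key on an NT system")
        for product, install_dir in PRODUCT_DIRS.items():
            if product in name.lower() and install_dir not in cmd.lower():
                reasons.append(f"label says {product!r} but binary is outside its install dir")
        if reasons:
            findings.append(
                {"hive": m["hive"], "key": key, "name": name, "cmd": cmd, "reasons": reasons}
            )
    return findings


def orphaned_services(log_text: str) -> List[str]:
    """Service names whose ComboFix file-info bracket is empty.

    An empty bracket means the binary on disk is gone while the service key
    under HKLM\\SYSTEM\\CurrentControlSet\\Services is still present; that is
    the leftover registration 'sc stop' / 'sc delete' then removes.
    """
    names: List[str] = []
    for raw in log_text.splitlines():
        m = SVC_RE.match(raw.strip())
        if m and not m["info"].strip():
            names.append(m["svc"])
    return names


if __name__ == "__main__":
    for hit in flag_autoruns(HJT_SAMPLE):
        print(f"{hit['hive']}\\..\\{hit['key']} [{hit['name']}] {hit['cmd']}")
        for reason in hit["reasons"]:
            print("   -", reason)
    print("orphaned service registrations:", orphaned_services(COMBOFIX_SAMPLE))
```

Run against the thread's own lines it reports only the two `firefox` entries (the RunServices one with all three reasons) and `oreans32` as the single orphaned registration; the avast!, ctfmon and SUPERAntiSpyware entries pass. After the `sc delete` step, the next ComboFix log should no longer carry an R1 line for oreans32 at all, and `sc query oreans32` from a command prompt should answer that the specified service does not exist as an installed service.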



## ryanryan007 (Jan 6, 2008)

ComboFix 08-01-09.2 - Owner 2008-01-17 16:12:11.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.188 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-17 04:54 . 2008-01-17 04:54 d--------	C:\Program Files\Replay AV 8
2008-01-17 04:20 . 2008-01-17 04:20 d--------	C:\Program Files\WinPcap
2008-01-13 15:56 . 2008-01-13 14:54 d--------	C:\WINDOWS\system32\ActiveScan
2008-01-12 23:28 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
2008-01-12 15:27 . 2008-01-17 05:14 d--------	C:\Program Files\WMR11
2008-01-12 01:56 . 2007-12-14 01:59	69,632	--a------	C:\WINDOWS\system32\javacpl.cpl
2008-01-12 01:55 . 2008-01-12 01:55 d--------	C:\Program Files\Common Files\Java
2008-01-10 12:35 . 2008-01-10 12:35 d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-10 12:34 . 2008-01-13 16:41 d--------	C:\Program Files\SUPERAntiSpyware
2008-01-10 12:34 . 2008-01-10 12:34 d--------	C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-01-10 01:26 . 2008-01-13 16:53 d--------	C:\Program Files\iTunes
2008-01-10 01:26 . 2008-01-10 01:26 d--------	C:\Program Files\iPod
2008-01-10 01:22 . 2008-01-11 03:40 d--------	C:\WINDOWS\SxsCaPendDel
2008-01-10 00:22 . 2008-01-13 15:51 d--------	C:\VundoFix Backups
2008-01-09 09:02 . 2008-01-09 09:02 d--------	C:\Program Files\Trend Micro
2008-01-05 19:31 . 2008-01-05 19:28	102,664	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-05 19:28 . 2008-01-05 19:34 d--------	C:\Documents and Settings\Owner\.housecall6.6
2008-01-01 13:35 . 2008-01-01 13:51 d--------	C:\Program Files\mIRC
2008-01-01 13:35 . 2008-01-01 14:05 d--------	C:\Documents and Settings\Owner\Application Data\mIRC
2007-12-23 00:43 . 2007-12-23 00:43 d--------	C:\Documents and Settings\Owner\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 00:12	---------	d-----w	C:\Documents and Settings\Owner\Application Data\uTorrent
2008-01-14 06:12	---------	d-----w	C:\Program Files\Folder Lock
2008-01-14 01:15	---------	d-----w	C:\Program Files\Yahoo!
2008-01-14 01:14	---------	d-----w	C:\Program Files\Starcraft
2008-01-14 01:13	---------	d-----w	C:\Program Files\Raxco
2008-01-14 01:13	---------	d-----w	C:\Program Files\MagicISO
2008-01-14 00:53	---------	d-----w	C:\Program Files\Zune
2008-01-14 00:53	---------	d-----w	C:\Program Files\TuneUp Utilities 2007
2008-01-14 00:53	---------	d-----w	C:\Program Files\QuickTime
2008-01-14 00:53	---------	d-----w	C:\Program Files\MSN Messenger
2008-01-14 00:53	---------	d-----w	C:\Program Files\Messenger Plus! Live
2008-01-14 00:53	---------	d-----w	C:\Program Files\Common Files\Webroot Shared
2008-01-14 00:52	---------	d-----w	C:\Program Files\Windows Live Toolbar
2008-01-12 09:56	---------	d-----w	C:\Program Files\Java
2008-01-10 20:34	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-01-10 09:22	---------	d-----w	C:\Program Files\Apple Software Update
2008-01-06 13:59	---------	d-----w	C:\Program Files\uTorrent
2008-01-06 01:47	---------	d-----w	C:\Program Files\TVUPlayer
2008-01-02 03:13	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Vso
2007-12-24 02:04	---------	d-----w	C:\Documents and Settings\Owner\Application Data\LimeWire
2007-12-17 07:33	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-12-13 11:08	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-09 06:34	---------	d-----w	C:\Program Files\Microsoft Works
2007-12-09 06:33	---------	d-----w	C:\Program Files\MSBuild
2007-12-09 06:29	---------	d-----w	C:\Program Files\Microsoft.NET
2007-12-09 06:23	---------	d-----w	C:\Program Files\Microsoft Visual Studio 8
2007-12-04 14:56	93,264	----a-w	C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55	94,544	----a-w	C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53	23,152	----a-w	C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51	42,912	----a-w	C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49	26,624	----a-w	C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04	837,496	----a-w	C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54	95,608	----a-w	C:\WINDOWS\system32\AvastSS.scr
2007-12-02 07:38	---------	d-----w	C:\Program Files\MP3Gain
2007-12-02 06:49	---------	d-----w	C:\Program Files\Common Files\Ahead
2007-12-02 06:49	---------	d-----w	C:\Program Files\Ahead
2007-12-02 06:31	---------	d-----w	C:\Program Files\MediaMonkey
2007-12-01 01:19	---------	d-----w	C:\Documents and Settings\Owner\Application Data\TVU Networks
2007-11-30 09:15	---------	d-----w	C:\Documents and Settings\Owner\Application Data\dvdcss
2007-11-29 20:10	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-11-29 20:10	---------	d-----w	C:\Program Files\Ross Histology
2007-11-25 09:25	---------	d-----w	C:\Program Files\MP3ext
2007-11-25 09:15	---------	d-----w	C:\Program Files\Winamp
2007-11-25 09:15	---------	d-----w	C:\Program Files\Mp3tag
2007-11-07 09:26	721,920	----a-w	C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43	1,287,680	----a-w	C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40	222,720	----a-w	C:\WINDOWS\system32\wmasf.dll
2007-03-28 04:23	89,052	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_27_21_21_20_small.dmp.zip
2007-03-28 04:23	22,656,498	----a-w	C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_27_21_20_56_full.dmp.zip
2007-03-27 05:03	22,655,457	----a-w	C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_25_21_15_31_full.dmp.zip
2007-03-24 20:36	22,396,790	----a-w	C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_22_22_47_09_full.dmp.zip
2007-03-13 21:29	93,084	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_13_14_11_54_small.dmp.zip
2007-03-09 02:07	105,147	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_06_18_12_33_small.dmp.zip
2007-03-07 04:53	88,047	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_06_20_32_00_small.dmp.zip
2007-02-26 00:41	93,830	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_24_15_05_10_small.dmp.zip
2007-02-16 19:17	89,836	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_16_11_13_47_small.dmp.zip
2007-02-14 05:07	784	----a-w	C:\Documents and Settings\Owner\Application Data\mpauth.dat
2004-10-06 08:52	22,555,648	----a-w	C:\Program Files\setup.exe
2004-10-05 20:54	27,494	----a-w	C:\Program Files\Readme.txt
2004-09-22 17:07	25,047	------w	C:\Program Files\License.rtf
2005-07-14 18:31	27,648	--sha-w	C:\WINDOWS\system32\AVSredirect.dll
2007-07-30 00:58	16,753,440	--sha-w	C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-26 10:09	548,896	--sha-w	C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( [email protected]_23.38.35.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-24 16:28:54	141,424	----a-w	C:\WINDOWS\Downloaded Program Files\asinst.dll
- 2008-01-13 07:28:47	233,472	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-17 11:40:26	233,472	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-13 07:28:47	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-17 11:40:26	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-13 07:28:47	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-17 11:40:26	229,376	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-13 07:28:47	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-17 11:40:26	8,192	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-13 07:28:47	6,254,592	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-17 11:40:26	6,311,936	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-13 07:28:47	299,008	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-17 11:40:26	299,008	----a-w	C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2007-01-25 17:31:34	42,000	----a-w	C:\WINDOWS\system32\drivers\npf.sys
+ 2005-08-02 21:10:13	32,512	----a-w	C:\WINDOWS\system32\drivers\npf.sys
- 2007-01-25 17:31:36	53,299	----a-w	C:\WINDOWS\system32\pthreadVC.dll
+ 2005-08-02 21:24:01	53,299	----a-w	C:\WINDOWS\system32\pthreadVC.dll
- 2007-06-25 05:34:08	803,908	----a-w	C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-01-13 22:55:10	238,176	----a-w	C:\WINDOWS\system32\Restore\rstrlog.dat
- 2007-01-25 17:31:34	68,480	----a-w	C:\WINDOWS\system32\WanPacket.dll
+ 2005-08-02 21:08:06	61,440	----a-w	C:\WINDOWS\system32\WanPacket.dll
- 2007-01-25 17:31:36	240,496	----a-w	C:\WINDOWS\system32\wpcap.dll
+ 2005-08-02 21:18:45	233,472	----a-w	C:\WINDOWS\system32\wpcap.dll
+ 2008-01-14 08:03:18	16,384	----atw	C:\WINDOWS\Temp\Perflib_Perfdata_784.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2007-03-14 16:03 24104]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-06 06:49 185632]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Post-itr Digital Notes.lnk - C:\Program Files\3M\PDNotes\PDNotes.exe [2006-03-21 13:23:30]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Window Washer"=C:\Program Files\Webroot\Washer\wwDisp.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
"SoundMan"=SOUNDMAN.EXE
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
R3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 13:10]
S3 NAL;Nal Service ;C:\WINDOWS\System32\Drivers\iqvw32.sys [2002-10-16 00:11]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 01:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-01-17 03:50:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-17 23:26:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 16:14:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: C:\WINDOWS\

**************************************************************************
.
Completion time: 2008-01-17 16:15:46
ComboFix-quarantined-files.txt 2008-01-18 00:14:53
ComboFix2.txt 2008-01-17 11:46:20
ComboFix3.txt 2008-01-16 08:26:42
ComboFix4.txt 2008-01-14 05:06:41
ComboFix5.txt 2008-01-14 00:59:23
.
2008-01-17 11:01:00	--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:28 PM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Post-it® Digital Notes.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14ffe564509ecf4f7f06/netzip/RdxIE601.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/FacebookPhotoUploader2.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 7593 bytes


----------



## Byteman (Jan 24, 2002)

:up::up: Looks like that one did it Ryan!

That should be all we have to do as far as fixing malware.

I don't know if you have your System Restore on or off; use this as a guide. We have to empty the Restore Points, because if you or any other user had to do a System Restore, you would simply be putting back the bad stuff we worked hard to get rid of. Here is what to do:

*Turn off System Restore:*

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab. (If there is a check in "Turn Off System Restore....", it is Off.)
Check Turn off System Restore.
Click Apply, and then click OK. Wait for the hourglass to stop and for the status to say
"Turned Off"


Restart your computer, turn System Restore back on and create a restore point.
To turn System Restore back on, take the checkmark out of the box where you did.
Wait till you see "Monitoring" for the status.


To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.


Then try things out for a few days and post back if you need anything at all.... post right here in your thread, OK?


----------



## ryanryan007 (Jan 6, 2008)

Wow, thanks a lot Byteman, I appreciate all the time and effort and help you gave me. Now that this problem is resolved... how can I prevent this from happening? So far I plan on getting the Comodo firewall and upgrading my SAS program. Any other programs you suggest I install or remove? So far I have TuneUp Utilities 07, Lavasoft Ad-Aware, Avast and now SAS. Should I add more to my security or keep it the way it is?

PS. Can I uninstall the programs that were recently installed for the cleanup (ComboFix and HijackThis)?


----------



## ryanryan007 (Jan 6, 2008)

I just ran a full scan using my upgraded SAS... and it found "Unclassified Oreans32" :S

What do I do? It's already quarantined... is that enough?


----------



## Byteman (Jan 24, 2002)

Hi, it depends on *where the item was found*; it may have been in the already quarantined items, ComboFix backups, etc.

Can you post the log of that scan that found it please....


----------



## ryanryan007 (Jan 6, 2008)

SUPERAntiSpyware Scan Log
Generated 01/18/2008 at 04:24 AM

Application Version : 3.6.1000

Core Rules Database Version : 3377
Trace Rules Database Version: 1371

Scan type : Complete Scan
Total Scan Time : 00:41:24

Memory items scanned : 496
Memory threats detected : 0
Registry items scanned : 6441
Registry threats detected : 0
File items scanned : 44574
File threats detected : 1

Unclassified.Oreans32
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS.VIR

scan 2

SUPERAntiSpyware Scan Log
Generated 01/18/2008 at 01:06 PM

Application Version : 3.6.1000

Core Rules Database Version : 3382
Trace Rules Database Version: 1376

Scan type : Complete Scan
Total Scan Time : 00:40:31

Memory items scanned : 454
Memory threats detected : 0
Registry items scanned : 6440
Registry threats detected : 0
File items scanned : 44724
File threats detected : 2

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

scan 3

SUPERAntiSpyware Scan Log
Generated 01/18/2008 at 05:45 PM

Application Version : 3.6.1000

Core Rules Database Version : 3382
Trace Rules Database Version: 1376

Scan type : Complete Scan
Total Scan Time : 00:40:55

Memory items scanned : 451
Memory threats detected : 0
Registry items scanned : 6440
Registry threats detected : 0
File items scanned : 44732
File threats detected : 1

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt


----------



## Byteman (Jan 24, 2002)

Hi, look at the location it was found in.... it is the backups folder that ComboFix always makes, called Qoobox.

The item cannot harm anything there, except that someone could come along and restore the thing, so as a last step we remove all ComboFix files and folders.

But, with this tricky type of malware, I like to wait a day or two to clean up the tools as you never know what will happen.

I think it would be safe for you now to delete (there is no uninstall with ComboFix, it is a standalone tool) all ComboFix downloads, files, folders that you have.

ComboFix stores the Qoobox folder in the root of the C: drive; it's not likely that anyone would mess with it there, but if you want to delete Qoobox, do so.

The other items are harmless cookies; you will always be finding them, there is no need for concern, and your scans will remove them.

Also, you can remove them by running Disk Cleanup, or any other temp file cleaner-upper like the one I use, CleanUP!

HijackThis does have an uninstaller in Add/Remove, and you can uninstall it if you don't want it around where someone could misuse it..... others not aware of what they are doing can certainly cause bad things.
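To make the point above concrete (look at the folder the hit was found in before worrying), here is an added example that is not part of this thread or of SUPERAntiSpyware: a Python triage of a SAS scan log in the format posted above. It parses the detections section and separates hits that sit inside ComboFix's Qoobox quarantine (or another backup folder, or a file renamed with ComboFix's .vir suffix) from tracking cookies and from anything still live on disk. The log text is constructed after the posted logs; the Qoobox path is the one from the thread, while the second oreans32 path and the cookie file name are made up to show the other two outcomes.

```python
"""Triage a SUPERAntiSpyware scan log: separate hits that sit in a quarantine
or backup folder from cookies and from anything still live.  Added example,
not part of the thread or of SUPERAntiSpyware."""
import re

# Lines that are file or registry locations rather than category names.
FILE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
REG_PATH_RE = re.compile(r"^HK(EY_[A-Z_]+|LM|CU|CR|U)\\")

# Folders that hold copies of already-removed items (Qoobox is ComboFix's
# backup folder; VundoFix Backups appears in the ComboFix log above). ComboFix
# also renames quarantined files with a .vir suffix.
QUARANTINE_MARKERS = ("\\qoobox\\", "\\quarantine\\", "\\vundofix backups\\")


def parse_sas_log(text):
    """Return [(category, location), ...] from the detections part of a log."""
    hits, category, in_detections = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_detections:
            # The listing starts after the last counter line of the summary.
            in_detections = line.lower().startswith("file threats detected")
            continue
        if not line:
            continue
        if FILE_PATH_RE.match(line) or REG_PATH_RE.match(line):
            hits.append((category, line))
        else:
            category = line  # e.g. "Unclassified.Oreans32"
    return hits


def classify(category, location):
    """'cookie', 'quarantined' or 'live' for one detection."""
    loc = location.lower()
    if "cookie" in (category or "").lower() or "\\cookies\\" in loc:
        return "cookie"
    if loc.endswith(".vir") or any(m in loc for m in QUARANTINE_MARKERS):
        return "quarantined"
    return "live"


def triage(text):
    """Group a log's detections by what they mean for the machine."""
    groups = {"live": [], "quarantined": [], "cookie": []}
    for category, location in parse_sas_log(text):
        groups[classify(category, location)].append((category, location))
    return groups


# Constructed log modelled on the scan logs posted above. The Qoobox path is the
# one from the thread; the second oreans32 path and the cookie file name are
# made up to show the "live" and "cookie" outcomes.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
Generated 01/18/2008 at 04:24 AM

Application Version : 3.6.1000

Scan type : Complete Scan
Total Scan Time : 00:41:24

Memory items scanned : 496
Memory threats detected : 0
Registry items scanned : 6441
Registry threats detected : 0
File items scanned : 44574
File threats detected : 3

Unclassified.Oreans32
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS.VIR
C:\WINDOWS\system32\drivers\oreans32.sys

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@adserver-example[1].txt
"""

if __name__ == "__main__":
    for verdict, items in triage(SAMPLE_LOG).items():
        for category, location in items:
            print(f"{verdict:11} {category}: {location}")
```

Only the "live" group needs attention; a "quarantined" hit is a copy the cleanup tool already set aside and goes away when the Qoobox folder is deleted, and cookies are removed by the scan itself.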


----------

