Adware.Vundo-Variant found on pc and more....?


EMR001
2008-05-03, 19:31
Dear Team,

I have just finished cleaning up my son's laptop, and in the meantime he has managed to do something to my PC. I can see that it has a virus on it that is affecting my Internet Explorer pages.

I ran Spybot Search & Destroy and removed the recommended infected objects and viruses (all items marked in red), but it crashed my whole system when I had to restart, and the PC could not start up again, so I had to go back to the last configuration. I have got the PC up and running again and have tried Ad-Aware and SUPERAntiSpyware, which seem to find the trojan/virus and remove it, but it hasn't helped with the internet.

Spybot Search & Destroy has crashed and will not scan anymore...

I am very sorry to bother you again and I hope you can help me. (P.S. I now have password protection on my PC so my children cannot go on it so easily anymore.)

Below is the HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:31:24, on 03/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SkypeMate\SkypeMate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {a8a270da-4963-8b1a-80a4-9962707b05d6} - {6d50b707-2699-4a08-a1b8-3694ad072a8a} - C:\WINDOWS\system32\vovtitfa.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Xerox WorkCentre 480cx Monitor] RUNDLL32.EXE C:\WINDOWS\system32\X480SHLL.DLL,AutoUpdatePnPValue
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BM936d36da] Rundll32.exe "C:\WINDOWS\system32\ulgkgkdk.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [iLike] C:\Program Files\iLike\1.1.27\ilikesidebar.exe /checkforupdate
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: SkypeMate.lnk = C:\Program Files\SkypeMate\SkypeMate.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Tilslutningshjælp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Tilslutningshjælp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {07D09E9E-C667-45DD-B035-217BC2A61A3B} (ActiveX sikkerhedssoftware Control) - https://www.portalbank.dk/package/sdc/external/activex/ActiveXSikkerhedssoftware-prod-1.20.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) -
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182320155843
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)

--
End of file - 14846 bytes



I have also run Kaspersky Online Scanner and below is the report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, May 03, 2008 6:28:18 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/05/2008
Kaspersky Anti-Virus database records: 737090
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
G:\
H:\
I:\
K:\

Scan Statistics:
Total number of scanned objects: 199488
Number of viruses found: 7
Number of infected objects: 31
Number of suspicious objects: 0
Duration of the scan process: 03:14:17

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{79E60968-934E-4E76-940E-F819ADA0C8A6}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{A3BF4EE9-3A44-47E9-AF8A-CD6852DC48F0}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn.zip/!Easy ScreenSaver Studio 4.0.zip/Setup.exe Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn.zip/!Easy ScreenSaver Studio 4.0.zip Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn.zip ZIP: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn1.zip/!Easy ScreenSaver Studio 4.0.zip/Setup.exe Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn1.zip/!Easy ScreenSaver Studio 4.0.zip Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentcmn1.zip ZIP: infected - 2 skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_2422081001_524288_60641 Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_2422081001_72024064_40217 Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE3.tmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE4.tmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{E7477E65-A6B3-4EDF-8294-083F38DA4137}.TmpSBE Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{F507A755-2D51-44E6-9A41-7F77B60CC21B}.TmpSBE Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\Christopher\Local Settings\Temp\Rar$EX01.234\Setup.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped
C:\Documents and Settings\Christopher\Local Settings\Temporary Internet Files\Content.IE5\PQHH6AAV\glas[1] Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Christopher\Local Settings\Temporary Internet Files\Content.IE5\PQHH6AAV\idkfa[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.qrt skipped
C:\Documents and Settings\Christopher\Local Settings\Temporary Internet Files\Content.IE5\TZFOBOJU\kriv[1] Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\call256.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\callmember256.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\chat512.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\chatmsg1024.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\chatmsg2048.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\index2.dat Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\profile16384.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\user1024.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\user16384.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\user256.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\user4096.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Application Data\Skype\ethelroper\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\Ethel\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Messenger\ethel_roper@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Messenger\ethel_roper@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Messenger\ethel_roper@hotmail.com\SharingMetadata\Working\database_A690_5E2F_905E_5E9\dfsr.db Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Messenger\ethel_roper@hotmail.com\SharingMetadata\Working\database_A690_5E2F_905E_5E9\fsr.log Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Messenger\ethel_roper@hotmail.com\SharingMetadata\Working\database_A690_5E2F_905E_5E9\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Messenger\ethel_roper@hotmail.com\SharingMetadata\Working\database_A690_5E2F_905E_5E9\tmp.edb Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Windows Live Contacts\ethel_roper@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Windows Live Contacts\ethel_roper@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\History\History.IE5\MSHist012008050320080504\index.dat Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Temp\_hphtra07.log Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Temp\~DF51E9.tmp Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Temp\~DF5E1B.tmp Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Temp\~DF75FD.tmp Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Temp\~DF764D.tmp Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Temp\~DFC9AC.tmp Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Temp\~DFCC6E.tmp Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Temp\~DFF700.tmp Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Ethel\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ethel\My Documents\My Received Files\Divx.Create.Bundle.6.6.1.key+patch\Keygen\DivX Pro + DivX Player 6.6.x.exe Infected: not-a-virus:PSWTool.Win32.GetPass.h skipped
C:\Documents and Settings\Ethel\My Documents\My Received Files\divxcb661k_p.rar/Divx.Create.Bundle.6.6.1.key+patch/Keygen/DivX Pro + DivX Player 6.6.x.exe Infected: not-a-virus:PSWTool.Win32.GetPass.h skipped
C:\Documents and Settings\Ethel\My Documents\My Received Files\divxcb661k_p.rar RAR: infected - 1 skipped
C:\Documents and Settings\Ethel\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ethel\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Holger\Local Settings\Temporary Internet Files\Content.IE5\5E8O12NL\glas[1] Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Holger\Local Settings\Temporary Internet Files\Content.IE5\9JTDTVTO\idkfa[1] Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Holger\Local Settings\Temporary Internet Files\Content.IE5\KJ8Q41UB\kriv[1] Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP125\A0026215.exe/C:\Documents and Settings\Privats\Desktop\Phr33.Fox\saime.exe Infected: Trojan-PSW.Win32.Small.dv skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP125\A0026215.exe Embedded: infected - 1 skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP129\A0029908.exe Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP132\A0031150.exe Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP134\A0031203.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP134\A0031204.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP134\A0031205.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP134\A0031206.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP134\A0031207.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP134\A0031208.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP134\A0031209.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrg skipped
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP141\change.log Object is locked skipped
C:\WINDOWS\61769.exe Infected: Trojan-PSW.Win32.Small.dv skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B0BA5FB1-4F24-4289-AC1C-10F8EA2C9F67}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\qedpidpd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrt skipped
C:\WINDOWS\system32\tshwpwiu.dll Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\system32\ulgkgkdk.dll Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_bzLhLW3yyU9mW7k Object is locked skipped
C:\WINDOWS\Temp\mcmsc_1UdCng9qAtoFDxT Object is locked skipped
C:\WINDOWS\Temp\mcmsc_2xv3X4ZLbDlvBef Object is locked skipped
C:\WINDOWS\Temp\mcmsc_6m0KtOGSTJ10WuK Object is locked skipped
C:\WINDOWS\Temp\mcmsc_ay1RKKeVkH1dgYe Object is locked skipped
C:\WINDOWS\Temp\mcmsc_cVSC2fTGXhxbUK9 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_WKbFh3jppfAcIgD Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP141\change.log Object is locked skipped

Scan process completed.


Kind regards.

Rorschach112
2008-05-03, 19:56
Hello

You got infected because you downloaded cracks and keygens.


Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


[kill explorer]
C:\Documents and Settings\Christopher\Local Settings\Temp\Rar$EX01.234\Setup.exe
C:\Documents and Settings\Ethel\My Documents\My Received Files\Divx.Create.Bundle.6.6.1.key+patch
C:\Documents and Settings\Ethel\My Documents\My Received Files\divxcb661k_p.rar
C:\WINDOWS\61769.exe
C:\WINDOWS\system32\qedpidpd.dll
C:\WINDOWS\system32\tshwpwiu.dll
C:\WINDOWS\system32\ulgkgkdk.dll
purity
[start explorer]


Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

EMR001
2008-05-03, 20:11
Thanks for your prompt reply. I have copied the paths and pressed Moveit!, and my McAfee program has come up with a registry change detected. Should I allow this change?

Quote:
Process: C:\Documents and Settings\Ethel\Desktop\OTMoveIt2.exe
Process Publisher: OldTimer Tools
Affected Items: HKEY_USERS\S-1-5-21-2426438936-4127591418-337715864-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C80120}

If you did not expect this change, McAfee recommends that you block it. If you expected this change, allow it.

Unquote.

Here is the log you requested:

Explorer killed successfully
C:\Documents and Settings\Christopher\Local Settings\Temp\Rar$EX01.234\Setup.exe moved successfully.
C:\Documents and Settings\Ethel\My Documents\My Received Files\Divx.Create.Bundle.6.6.1.key+patch\Replace File moved successfully.
C:\Documents and Settings\Ethel\My Documents\My Received Files\Divx.Create.Bundle.6.6.1.key+patch\Patch moved successfully.
C:\Documents and Settings\Ethel\My Documents\My Received Files\Divx.Create.Bundle.6.6.1.key+patch\Keygen moved successfully.
C:\Documents and Settings\Ethel\My Documents\My Received Files\Divx.Create.Bundle.6.6.1.key+patch moved successfully.
C:\Documents and Settings\Ethel\My Documents\My Received Files\divxcb661k_p.rar moved successfully.
C:\WINDOWS\61769.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\qedpidpd.dll
C:\WINDOWS\system32\qedpidpd.dll NOT unregistered.
C:\WINDOWS\system32\qedpidpd.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\tshwpwiu.dll
C:\WINDOWS\system32\tshwpwiu.dll NOT unregistered.
C:\WINDOWS\system32\tshwpwiu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ulgkgkdk.dll
C:\WINDOWS\system32\ulgkgkdk.dll NOT unregistered.
C:\WINDOWS\system32\ulgkgkdk.dll moved successfully.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05032008_190724


Kind regards.

Rorschach112
2008-05-03, 21:04
Yes, allow the change and do this:

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

EMR001
2008-05-03, 22:15
A quick question, my system is the Microsoft Windows XP Media Centre Edition Version 2002 Service Pack 2. Can I use the Microsoft Windows XP Home Edition with Service Pack 2?

EMR001
2008-05-03, 22:31
For the sake of good order, I already have the Windows Recovery Console on my computer. Will I actually need to go through with downloading it and dragging and dropping it onto the ComboFix icon, so that it automatically installs the Windows Recovery Console?

EMR001
2008-05-03, 23:17
Here is the log...

ComboFix 08-05-01.3 - Ethel 2008-05-03 21:47:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.589 [GMT 2:00]
Running from: C:\Documents and Settings\Ethel\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\'
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\atbnipxj.ini
C:\WINDOWS\system32\beuqyohl.ini
C:\WINDOWS\system32\bnkpaoui.ini
C:\WINDOWS\system32\fyqydmub.ini
C:\WINDOWS\system32\GhQqqtwa.ini
C:\WINDOWS\system32\GhQqqtwa.ini2
C:\WINDOWS\system32\mrkuetpl.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ppfonmlt.ini
C:\WINDOWS\system32\wvcdivpa.ini
C:\WINDOWS\system32\xyadd.bak2
C:\WINDOWS\system32\xyadd.ini2
C:\WINDOWS\system32\xyadd.tmp

----- BITS: Possible infected sites -----

hxxp://gateway.digitalmusicnotebook.com
.
((((((((((((((((((((((((( Files Created from 2008-04-03 to 2008-05-03 )))))))))))))))))))))))))))))))
.

2008-05-03 19:07 . 2008-05-03 19:07 <DIR> d-------- C:\_OTMoveIt
2008-05-03 14:03 . 2008-05-03 14:03 172 --ah----- C:\sqmnoopt15.sqm
2008-05-03 14:03 . 2008-05-03 14:03 172 --ah----- C:\sqmdata15.sqm
2008-05-03 12:18 . 2008-05-03 12:18 268 --ah----- C:\sqmdata14.sqm
2008-05-03 12:18 . 2008-05-03 12:18 244 --ah----- C:\sqmnoopt14.sqm
2008-05-02 16:13 . 2008-05-02 16:13 268 --ah----- C:\sqmdata13.sqm
2008-05-02 16:13 . 2008-05-02 16:13 244 --ah----- C:\sqmnoopt13.sqm
2008-04-30 14:33 . 2008-04-30 14:33 268 --ah----- C:\sqmdata12.sqm
2008-04-30 14:33 . 2008-04-30 14:33 244 --ah----- C:\sqmnoopt12.sqm
2008-04-29 22:53 . 2008-04-29 22:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-29 22:52 . 2008-04-30 06:31 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-29 22:52 . 2008-04-29 22:52 <DIR> d-------- C:\Documents and Settings\Ethel\Application Data\SUPERAntiSpyware.com
2008-04-29 20:25 . 2008-04-29 20:25 <DIR> d-------- C:\Documents and Settings\Holger\Contacts
2008-04-29 18:57 . 2008-04-29 18:57 <DIR> d-------- C:\Documents and Settings\Holger\Application Data\Skype
2008-04-28 16:13 . 2008-04-28 16:13 268 --ah----- C:\sqmdata11.sqm
2008-04-28 16:13 . 2008-04-28 16:13 244 --ah----- C:\sqmnoopt11.sqm
2008-04-25 17:58 . 2008-04-25 17:58 268 --ah----- C:\sqmdata10.sqm
2008-04-25 17:58 . 2008-04-25 17:58 244 --ah----- C:\sqmnoopt10.sqm
2008-04-23 21:30 . 2008-05-03 16:11 109,734 --a------ C:\WINDOWS\BM936d36da.xml
2008-04-23 20:26 . 2008-04-23 20:26 268 --ah----- C:\sqmdata09.sqm
2008-04-23 20:26 . 2008-04-23 20:26 244 --ah----- C:\sqmnoopt09.sqm
2008-04-23 20:24 . 2008-04-23 21:27 <DIR> d-------- C:\WINDOWS\system32\pnVes18
2008-04-23 20:24 . 2008-04-23 20:24 <DIR> d-------- C:\temp\zvebs14
2008-04-23 07:03 . 2008-04-23 07:03 268 --ah----- C:\sqmdata08.sqm
2008-04-23 07:03 . 2008-04-23 07:03 244 --ah----- C:\sqmnoopt08.sqm
2008-04-22 19:28 . 2008-04-22 19:28 268 --ah----- C:\sqmdata07.sqm
2008-04-22 19:28 . 2008-04-22 19:28 244 --ah----- C:\sqmnoopt07.sqm
2008-04-22 17:56 . 2008-04-22 17:56 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-04-20 20:58 . 2008-04-20 20:58 268 --ah----- C:\sqmdata06.sqm
2008-04-20 20:58 . 2008-04-20 20:58 244 --ah----- C:\sqmnoopt06.sqm
2008-04-19 13:39 . 2008-05-03 21:59 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-19 13:39 . 2008-04-19 13:39 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-19 13:37 . 2008-04-19 13:37 <DIR> d-------- C:\Program Files\iPod
2008-04-19 13:34 . 2008-04-19 13:35 <DIR> d-------- C:\Program Files\QuickTime
2008-04-19 13:26 . 2008-04-19 13:26 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-16 22:53 . 2008-04-16 22:53 268 --ah----- C:\sqmdata05.sqm
2008-04-16 22:53 . 2008-04-16 22:53 244 --ah----- C:\sqmnoopt05.sqm
2008-04-16 19:27 . 2008-04-16 19:27 <DIR> d-------- C:\Documents and Settings\Christopher\Application Data\Datel
2008-04-15 21:21 . 2008-04-15 21:21 268 --ah----- C:\sqmdata04.sqm
2008-04-15 21:21 . 2008-04-15 21:21 244 --ah----- C:\sqmnoopt04.sqm
2008-04-15 17:28 . 2008-04-15 17:28 <DIR> d-------- C:\games
2008-04-14 20:39 . 2008-04-14 20:39 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-14 20:39 . 2008-04-14 20:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-14 20:38 . 2008-04-29 22:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-11 17:48 . 2008-04-11 17:48 <DIR> d-------- C:\Documents and Settings\Anna\Application Data\HP
2008-04-11 17:46 . 2008-04-11 17:46 <DIR> d-------- C:\Documents and Settings\Anna\Application Data\SiteAdvisor
2008-04-11 17:44 . 2005-01-03 01:16 <DIR> d-------- C:\Documents and Settings\Anna\WINDOWS
2008-04-11 17:44 . 2005-01-03 01:31 <DIR> d-------- C:\Documents and Settings\Anna\Application Data\Symantec
2008-04-11 17:44 . 2008-04-24 21:17 <DIR> d-------- C:\Documents and Settings\Anna
2008-04-11 17:44 . 2008-05-03 21:57 1,024 --ah----- C:\Documents and Settings\Anna\ntuser.dat.LOG
2008-04-11 17:21 . 2008-04-11 17:21 268 --ah----- C:\sqmdata03.sqm
2008-04-11 17:21 . 2008-04-11 17:21 244 --ah----- C:\sqmnoopt03.sqm
2008-04-11 16:39 . 2008-04-11 16:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LucasArts
2008-04-11 16:34 . 2008-04-11 16:34 <DIR> d-------- C:\Program Files\LucasArts
2008-04-11 16:31 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-04-11 16:30 . 2008-04-11 16:30 <DIR> d-------- C:\Documents and Settings\Christopher\Application Data\InstallShield
2008-04-09 19:08 . 2008-04-09 19:08 <DIR> d-------- C:\Program Files\Total Video Converter 3.11
2008-04-08 23:11 . 2008-04-08 23:13 0 --a------ C:\tmp.html
2008-04-08 19:57 . 2008-04-08 19:57 <DIR> d-------- C:\Documents and Settings\Ethel\Application Data\Syntrillium
2008-04-08 19:57 . 2001-10-19 14:40 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2008-04-08 19:57 . 2001-10-19 14:40 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2008-04-08 19:57 . 2001-10-19 14:39 572,752 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2008-04-08 19:57 . 2001-10-19 14:40 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2008-04-08 19:57 . 2001-10-19 02:05 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2008-04-08 19:57 . 2008-04-08 19:57 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2008-04-08 19:55 . 2008-04-09 17:14 <DIR> d-------- C:\Program Files\coolpro2
2008-04-08 17:17 . 2008-04-12 08:24 <DIR> d-------- C:\Documents and Settings\Michelle\Application Data\LimeWire
2008-04-06 16:59 . 2008-04-06 17:33 4,534,272 --a------ C:\dump_dvd.vob
2008-04-04 19:48 . 2008-04-04 19:48 <DIR> d-------- C:\Program Files\Common Files\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-03 20:02 --------- d-----w C:\Documents and Settings\Ethel\Application Data\Skype
2008-05-03 20:01 --------- d-----w C:\Program Files\Steam
2008-05-03 19:26 --------- d-----w C:\Documents and Settings\Ethel\Application Data\skypePM
2008-05-03 10:41 --------- d-----w C:\Documents and Settings\Christopher\Application Data\LimeWire
2008-04-29 19:06 --------- d-----w C:\Program Files\XoftSpySE
2008-04-24 19:16 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-24 19:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-24 13:36 --------- d-----w C:\Documents and Settings\Ethel\Application Data\LimeWire
2008-04-22 15:57 --------- d-----w C:\Program Files\LimeWire
2008-04-20 12:53 --------- d-----w C:\Documents and Settings\Christopher\Application Data\SiteAdvisor
2008-04-19 20:17 --------- d-----w C:\Program Files\DivX
2008-04-19 11:38 --------- d-----w C:\Program Files\iTunes
2008-04-11 17:48 --------- d-----w C:\Program Files\SkypeMate
2008-04-11 14:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-04 17:48 --------- d-----w C:\Program Files\Common Files\Real
2008-04-02 15:55 --------- d-----w C:\Documents and Settings\Ethel\Application Data\Datel
2008-04-02 15:49 --------- d-----w C:\Program Files\Datel
2008-04-02 13:59 160,200 ----a-w C:\Documents and Settings\Ethel\Application Data\GDIPFONTCACHEV1.DAT
2008-04-01 12:14 --------- d-----w C:\Documents and Settings\Christopher\Application Data\Skype
2008-03-31 18:55 --------- d-----w C:\Documents and Settings\Ethel\Application Data\SiteAdvisor
2008-03-29 17:49 --------- d-----w C:\Program Files\Disney Interactive
2008-03-29 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Disney Interactive
2008-03-24 15:12 --------- d-----w C:\Documents and Settings\Christopher\Application Data\iLike
2008-03-21 23:11 --------- d-----w C:\Program Files\Nature 3D Screensaver
2008-03-21 23:11 --------- d-----w C:\Program Files\3Planesoft Screensaver Manager
2008-03-21 20:15 --------- d-----w C:\Program Files\Tropical Fish 3D Screensaver
2008-03-21 15:12 --------- d-----w C:\Program Files\Fireplace 3D Screensaver
2008-03-21 15:04 --------- d-----w C:\Program Files\AutoEye
2008-03-21 14:57 --------- d-----w C:\Program Files\Adobe Premiere Elements 2.0
2008-03-21 14:54 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-20 19:30 --------- d-----w C:\Program Files\Windows Live
2008-03-20 19:29 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-20 19:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-20 19:14 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-20 19:13 --------- d-----w C:\Program Files\Common Files\Skype
2008-03-17 22:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-03-15 07:38 --------- d-----w C:\Program Files\Google
2008-03-15 05:58 --------- d-----w C:\Program Files\Java
2008-02-19 15:04 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2008-02-19 15:04 126,976 ----a-w C:\WINDOWS\War3Unin.exe
2008-02-07 17:49 15,613 ----a-w C:\Program Files\Furnish Lite uninstal.log
2002-09-04 07:14 1,206,784 ----a-w C:\Program Files\AutoEye_PlugIn.8bf
2007-06-15 04:22 0 --sha-r C:\WINDOWS\SMINST\npc.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6d50b707-2699-4a08-a1b8-3694ad072a8a}]
C:\WINDOWS\system32\vovtitfa.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 10:17 68856]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 18:22 21898024]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 01:24 1694208]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 16:53 73840]
"iLike"="C:\Program Files\iLike\1.1.27\ilikesidebar.exe" [2007-09-13 12:34 63024]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-03-28 23:14 1271032]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 06:56 64512]
"ftutil2"="ftutil2.dll" [2004-06-08 07:05 106496 C:\WINDOWS\system32\ftutil2.dll]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 09:19 77312 C:\WINDOWS\arpwrmsg.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-05 04:03 7307264]
"nwiz"="nwiz.exe" []
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 22:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 08:35 49152]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [ ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Xerox WorkCentre 480cx Monitor"="C:\WINDOWS\system32\X480SHLL.DLL" [2001-10-30 10:21 90112]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-04 19:47 185896]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 16:53 73840]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-01-17 21:24 36904]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"BM936d36da"="C:\WINDOWS\system32\ulgkgkdk.dll" [ ]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-01-03 10:30:42 27136]

C:\Documents and Settings\Christopher\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-03-26 19:19:43 147456]

C:\Documents and Settings\Ethel\Start Menu\Programs\Startup\
SkypeMate.lnk - C:\Program Files\SkypeMate\SkypeMate.exe [2005-11-21 09:37:06 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 08:56:20 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Steam\\steamapps\\criscross404\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 dontgo;Promise Removable Disk Control Driver;C:\WINDOWS\system32\DRIVERS\DontGo.sys [2004-06-30 06:25]
R2 EcpFax;Team MFP Com Redirector;C:\WINDOWS\system32\Drivers\EcpFax.Sys [1999-01-27 07:29]
R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2005-10-03 22:57]
R3 Bonifay;Bonifay;C:\WINDOWS\system32\DRIVERS\Bonifay.sys [2005-11-28 21:55]
R3 V0080Dev;Creative Camera VF0080 Driver;C:\WINDOWS\system32\DRIVERS\V0080Dev.sys [2005-05-06 09:11]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;C:\WINDOWS\system32\DRIVERS\wn5301.sys [2005-10-05 19:44]
S3 Gonzales;Gonzales;C:\WINDOWS\system32\DRIVERS\Gonzales.sys [2005-12-13 15:10]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 14:56:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-06 20:18:01 C:\WINDOWS\Tasks\Internet Services.job"
- C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exeb/remind /LaunchPoint reminder /App C:\Program Files\Hewlett-Packard\Internet Services\StartIS.aml
"2008-04-15 01:37:44 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-01-01 00:00:12 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-05-01 05:25:25 C:\WINDOWS\Tasks\WebReg Photosmart C5100 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
"2008-05-03 19:59:10 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-04-15 03:50:34 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-03 21:58:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Messenger\ethel_roper@hotmail.com\SharingMetadata\Working\database_A690_5E2F_905E_5E9\fsr00B8F.log 131072 bytes

scan completed successfully
hidden files: 113

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-05-03 22:08:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-03 20:08:14

Pre-Run: 127,568,371,712 bytes free
Post-Run: 128,998,293,504 bytes free

319 --- E O F --- 2008-04-09 20:16:20

EMR001
2008-05-04, 10:46
Here is the log from ComboFix.

ComboFix 08-05-01.3 - Ethel 2008-05-03 21:47:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.589 [GMT 2:00]
Running from: C:\Documents and Settings\Ethel\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\'
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\atbnipxj.ini
C:\WINDOWS\system32\beuqyohl.ini
C:\WINDOWS\system32\bnkpaoui.ini
C:\WINDOWS\system32\fyqydmub.ini
C:\WINDOWS\system32\GhQqqtwa.ini
C:\WINDOWS\system32\GhQqqtwa.ini2
C:\WINDOWS\system32\mrkuetpl.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ppfonmlt.ini
C:\WINDOWS\system32\wvcdivpa.ini
C:\WINDOWS\system32\xyadd.bak2
C:\WINDOWS\system32\xyadd.ini2
C:\WINDOWS\system32\xyadd.tmp

----- BITS: Possible infected sites -----

hxxp://gateway.digitalmusicnotebook.com
.
((((((((((((((((((((((((( Files Created from 2008-04-03 to 2008-05-03 )))))))))))))))))))))))))))))))
.

2008-05-03 19:07 . 2008-05-03 19:07 <DIR> d-------- C:\_OTMoveIt
2008-05-03 14:03 . 2008-05-03 14:03 172 --ah----- C:\sqmnoopt15.sqm
2008-05-03 14:03 . 2008-05-03 14:03 172 --ah----- C:\sqmdata15.sqm
2008-05-03 12:18 . 2008-05-03 12:18 268 --ah----- C:\sqmdata14.sqm
2008-05-03 12:18 . 2008-05-03 12:18 244 --ah----- C:\sqmnoopt14.sqm
2008-05-02 16:13 . 2008-05-02 16:13 268 --ah----- C:\sqmdata13.sqm
2008-05-02 16:13 . 2008-05-02 16:13 244 --ah----- C:\sqmnoopt13.sqm
2008-04-30 14:33 . 2008-04-30 14:33 268 --ah----- C:\sqmdata12.sqm
2008-04-30 14:33 . 2008-04-30 14:33 244 --ah----- C:\sqmnoopt12.sqm
2008-04-29 22:53 . 2008-04-29 22:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-29 22:52 . 2008-04-30 06:31 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-29 22:52 . 2008-04-29 22:52 <DIR> d-------- C:\Documents and Settings\Ethel\Application Data\SUPERAntiSpyware.com
2008-04-29 20:25 . 2008-04-29 20:25 <DIR> d-------- C:\Documents and Settings\Holger\Contacts
2008-04-29 18:57 . 2008-04-29 18:57 <DIR> d-------- C:\Documents and Settings\Holger\Application Data\Skype
2008-04-28 16:13 . 2008-04-28 16:13 268 --ah----- C:\sqmdata11.sqm
2008-04-28 16:13 . 2008-04-28 16:13 244 --ah----- C:\sqmnoopt11.sqm
2008-04-25 17:58 . 2008-04-25 17:58 268 --ah----- C:\sqmdata10.sqm
2008-04-25 17:58 . 2008-04-25 17:58 244 --ah----- C:\sqmnoopt10.sqm
2008-04-23 21:30 . 2008-05-03 16:11 109,734 --a------ C:\WINDOWS\BM936d36da.xml
2008-04-23 20:26 . 2008-04-23 20:26 268 --ah----- C:\sqmdata09.sqm
2008-04-23 20:26 . 2008-04-23 20:26 244 --ah----- C:\sqmnoopt09.sqm
2008-04-23 20:24 . 2008-04-23 21:27 <DIR> d-------- C:\WINDOWS\system32\pnVes18
2008-04-23 20:24 . 2008-04-23 20:24 <DIR> d-------- C:\temp\zvebs14
2008-04-23 07:03 . 2008-04-23 07:03 268 --ah----- C:\sqmdata08.sqm
2008-04-23 07:03 . 2008-04-23 07:03 244 --ah----- C:\sqmnoopt08.sqm
2008-04-22 19:28 . 2008-04-22 19:28 268 --ah----- C:\sqmdata07.sqm
2008-04-22 19:28 . 2008-04-22 19:28 244 --ah----- C:\sqmnoopt07.sqm
2008-04-22 17:56 . 2008-04-22 17:56 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-04-20 20:58 . 2008-04-20 20:58 268 --ah----- C:\sqmdata06.sqm
2008-04-20 20:58 . 2008-04-20 20:58 244 --ah----- C:\sqmnoopt06.sqm
2008-04-19 13:39 . 2008-05-03 21:59 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-19 13:39 . 2008-04-19 13:39 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-19 13:37 . 2008-04-19 13:37 <DIR> d-------- C:\Program Files\iPod
2008-04-19 13:34 . 2008-04-19 13:35 <DIR> d-------- C:\Program Files\QuickTime
2008-04-19 13:26 . 2008-04-19 13:26 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-16 22:53 . 2008-04-16 22:53 268 --ah----- C:\sqmdata05.sqm
2008-04-16 22:53 . 2008-04-16 22:53 244 --ah----- C:\sqmnoopt05.sqm
2008-04-16 19:27 . 2008-04-16 19:27 <DIR> d-------- C:\Documents and Settings\Christopher\Application Data\Datel
2008-04-15 21:21 . 2008-04-15 21:21 268 --ah----- C:\sqmdata04.sqm
2008-04-15 21:21 . 2008-04-15 21:21 244 --ah----- C:\sqmnoopt04.sqm
2008-04-15 17:28 . 2008-04-15 17:28 <DIR> d-------- C:\games
2008-04-14 20:39 . 2008-04-14 20:39 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-14 20:39 . 2008-04-14 20:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-14 20:38 . 2008-04-29 22:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-11 17:48 . 2008-04-11 17:48 <DIR> d-------- C:\Documents and Settings\Anna\Application Data\HP
2008-04-11 17:46 . 2008-04-11 17:46 <DIR> d-------- C:\Documents and Settings\Anna\Application Data\SiteAdvisor
2008-04-11 17:44 . 2005-01-03 01:16 <DIR> d-------- C:\Documents and Settings\Anna\WINDOWS
2008-04-11 17:44 . 2005-01-03 01:31 <DIR> d-------- C:\Documents and Settings\Anna\Application Data\Symantec
2008-04-11 17:44 . 2008-04-24 21:17 <DIR> d-------- C:\Documents and Settings\Anna
2008-04-11 17:44 . 2008-05-03 21:57 1,024 --ah----- C:\Documents and Settings\Anna\ntuser.dat.LOG
2008-04-11 17:21 . 2008-04-11 17:21 268 --ah----- C:\sqmdata03.sqm
2008-04-11 17:21 . 2008-04-11 17:21 244 --ah----- C:\sqmnoopt03.sqm
2008-04-11 16:39 . 2008-04-11 16:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LucasArts
2008-04-11 16:34 . 2008-04-11 16:34 <DIR> d-------- C:\Program Files\LucasArts
2008-04-11 16:31 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-04-11 16:30 . 2008-04-11 16:30 <DIR> d-------- C:\Documents and Settings\Christopher\Application Data\InstallShield
2008-04-09 19:08 . 2008-04-09 19:08 <DIR> d-------- C:\Program Files\Total Video Converter 3.11
2008-04-08 23:11 . 2008-04-08 23:13 0 --a------ C:\tmp.html
2008-04-08 19:57 . 2008-04-08 19:57 <DIR> d-------- C:\Documents and Settings\Ethel\Application Data\Syntrillium
2008-04-08 19:57 . 2001-10-19 14:40 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2008-04-08 19:57 . 2001-10-19 14:40 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2008-04-08 19:57 . 2001-10-19 14:39 572,752 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2008-04-08 19:57 . 2001-10-19 14:40 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2008-04-08 19:57 . 2001-10-19 02:05 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2008-04-08 19:57 . 2008-04-08 19:57 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2008-04-08 19:55 . 2008-04-09 17:14 <DIR> d-------- C:\Program Files\coolpro2
2008-04-08 17:17 . 2008-04-12 08:24 <DIR> d-------- C:\Documents and Settings\Michelle\Application Data\LimeWire
2008-04-06 16:59 . 2008-04-06 17:33 4,534,272 --a------ C:\dump_dvd.vob
2008-04-04 19:48 . 2008-04-04 19:48 <DIR> d-------- C:\Program Files\Common Files\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-03 20:02 --------- d-----w C:\Documents and Settings\Ethel\Application Data\Skype
2008-05-03 20:01 --------- d-----w C:\Program Files\Steam
2008-05-03 19:26 --------- d-----w C:\Documents and Settings\Ethel\Application Data\skypePM
2008-05-03 10:41 --------- d-----w C:\Documents and Settings\Christopher\Application Data\LimeWire
2008-04-29 19:06 --------- d-----w C:\Program Files\XoftSpySE
2008-04-24 19:16 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-24 19:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-24 13:36 --------- d-----w C:\Documents and Settings\Ethel\Application Data\LimeWire
2008-04-22 15:57 --------- d-----w C:\Program Files\LimeWire
2008-04-20 12:53 --------- d-----w C:\Documents and Settings\Christopher\Application Data\SiteAdvisor
2008-04-19 20:17 --------- d-----w C:\Program Files\DivX
2008-04-19 11:38 --------- d-----w C:\Program Files\iTunes
2008-04-11 17:48 --------- d-----w C:\Program Files\SkypeMate
2008-04-11 14:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-04 17:48 --------- d-----w C:\Program Files\Common Files\Real
2008-04-02 15:55 --------- d-----w C:\Documents and Settings\Ethel\Application Data\Datel
2008-04-02 15:49 --------- d-----w C:\Program Files\Datel
2008-04-02 13:59 160,200 ----a-w C:\Documents and Settings\Ethel\Application Data\GDIPFONTCACHEV1.DAT
2008-04-01 12:14 --------- d-----w C:\Documents and Settings\Christopher\Application Data\Skype
2008-03-31 18:55 --------- d-----w C:\Documents and Settings\Ethel\Application Data\SiteAdvisor
2008-03-29 17:49 --------- d-----w C:\Program Files\Disney Interactive
2008-03-29 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Disney Interactive
2008-03-24 15:12 --------- d-----w C:\Documents and Settings\Christopher\Application Data\iLike
2008-03-21 23:11 --------- d-----w C:\Program Files\Nature 3D Screensaver
2008-03-21 23:11 --------- d-----w C:\Program Files\3Planesoft Screensaver Manager
2008-03-21 20:15 --------- d-----w C:\Program Files\Tropical Fish 3D Screensaver
2008-03-21 15:12 --------- d-----w C:\Program Files\Fireplace 3D Screensaver
2008-03-21 15:04 --------- d-----w C:\Program Files\AutoEye
2008-03-21 14:57 --------- d-----w C:\Program Files\Adobe Premiere Elements 2.0
2008-03-21 14:54 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-20 19:30 --------- d-----w C:\Program Files\Windows Live
2008-03-20 19:29 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-20 19:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-20 19:14 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-20 19:13 --------- d-----w C:\Program Files\Common Files\Skype
2008-03-17 22:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-03-15 07:38 --------- d-----w C:\Program Files\Google
2008-03-15 05:58 --------- d-----w C:\Program Files\Java
2008-02-19 15:04 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2008-02-19 15:04 126,976 ----a-w C:\WINDOWS\War3Unin.exe
2008-02-07 17:49 15,613 ----a-w C:\Program Files\Furnish Lite uninstal.log
2002-09-04 07:14 1,206,784 ----a-w C:\Program Files\AutoEye_PlugIn.8bf
2007-06-15 04:22 0 --sha-r C:\WINDOWS\SMINST\npc.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6d50b707-2699-4a08-a1b8-3694ad072a8a}]
C:\WINDOWS\system32\vovtitfa.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 10:17 68856]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 18:22 21898024]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 01:24 1694208]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 16:53 73840]
"iLike"="C:\Program Files\iLike\1.1.27\ilikesidebar.exe" [2007-09-13 12:34 63024]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-03-28 23:14 1271032]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 06:56 64512]
"ftutil2"="ftutil2.dll" [2004-06-08 07:05 106496 C:\WINDOWS\system32\ftutil2.dll]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 09:19 77312 C:\WINDOWS\arpwrmsg.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-05 04:03 7307264]
"nwiz"="nwiz.exe" []
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 22:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 08:35 49152]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [ ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Xerox WorkCentre 480cx Monitor"="C:\WINDOWS\system32\X480SHLL.DLL" [2001-10-30 10:21 90112]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-04 19:47 185896]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 16:53 73840]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-01-17 21:24 36904]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"BM936d36da"="C:\WINDOWS\system32\ulgkgkdk.dll" [ ]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-01-03 10:30:42 27136]

C:\Documents and Settings\Christopher\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-03-26 19:19:43 147456]

C:\Documents and Settings\Ethel\Start Menu\Programs\Startup\
SkypeMate.lnk - C:\Program Files\SkypeMate\SkypeMate.exe [2005-11-21 09:37:06 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 08:56:20 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Steam\\steamapps\\criscross404\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 dontgo;Promise Removable Disk Control Driver;C:\WINDOWS\system32\DRIVERS\DontGo.sys [2004-06-30 06:25]
R2 EcpFax;Team MFP Com Redirector;C:\WINDOWS\system32\Drivers\EcpFax.Sys [1999-01-27 07:29]
R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2005-10-03 22:57]
R3 Bonifay;Bonifay;C:\WINDOWS\system32\DRIVERS\Bonifay.sys [2005-11-28 21:55]
R3 V0080Dev;Creative Camera VF0080 Driver;C:\WINDOWS\system32\DRIVERS\V0080Dev.sys [2005-05-06 09:11]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;C:\WINDOWS\system32\DRIVERS\wn5301.sys [2005-10-05 19:44]
S3 Gonzales;Gonzales;C:\WINDOWS\system32\DRIVERS\Gonzales.sys [2005-12-13 15:10]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 14:56:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-06 20:18:01 C:\WINDOWS\Tasks\Internet Services.job"
- C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exeb/remind /LaunchPoint reminder /App C:\Program Files\Hewlett-Packard\Internet Services\StartIS.aml
"2008-04-15 01:37:44 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-01-01 00:00:12 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-05-01 05:25:25 C:\WINDOWS\Tasks\WebReg Photosmart C5100 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
"2008-05-03 19:59:10 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-04-15 03:50:34 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-03 21:58:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Documents and Settings\Ethel\Local Settings\Application Data\Microsoft\Messenger\ethel_roper@hotmail.com\SharingMetadata\Working\database_A690_5E2F_905E_5E9\fsr00B8F.log 131072 bytes

scan completed successfully
hidden files: 113

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-05-03 22:08:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-03 20:08:14

Pre-Run: 127,568,371,712 bytes free
Post-Run: 128,998,293,504 bytes free

319 --- E O F --- 2008-04-09 20:16:20
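
The "Reg Loading Points" section of the log above is where the remaining Vundo pieces show: a Browser Helper Object whose DLL has an eight-random-letter name (vovtitfa.dll) and a Run value named "BM" plus hex that points at another such DLL (ulgkgkdk.dll) with an empty "[ ]" where ComboFix normally prints the file's date and size. The following script is an added example, not part of this thread and not ComboFix's own code: it parses lines in that format and scores each autostart entry. The sample lines are constructed to mirror the posted log, the scoring rules are this example's own assumptions, and the reading of an empty "[ ]" as "no file metadata recorded" is likewise an assumption.

```python
"""Flag suspicious autostart entries in ComboFix 'Reg Loading Points' output.

Added example, not code from the forum thread or from ComboFix. The heuristics
are assumptions of this example, drawn from the patterns visible in the posted
log: an eight-random-lowercase-letter DLL in system32, an empty metadata
bracket '[ ]', a 'BM' + hex value name, and a BHO registration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, mirroring the format of the log posted in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6d50b707-2699-4a08-a1b8-3694ad072a8a}]
C:\WINDOWS\system32\vovtitfa.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 18:22 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-05 04:03 7307264]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [ ]
"BM936d36da"="C:\WINDOWS\system32\ulgkgkdk.dll" [ ]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
BARE_PATH_RE = re.compile(r"^[A-Za-z]:\\")          # BHO-style line: path only
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")       # assumption: Vundo-like naming
BM_NAME_RE = re.compile(r"^BM[0-9a-f]{8}$")          # value-name pattern seen in the log


@dataclass
class Entry:
    key: str
    name: str                 # value name, '' for a bare path line under a BHO key
    path: str
    meta: Optional[str]       # text inside the trailing [...], None if no bracket
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_loading_points(text: str) -> List[Entry]:
    """Turn the key/value dump into Entry objects, remembering the current key."""
    entries: List[Entry] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append(Entry(key, m.group("name"), m.group("path"), m.group("meta").strip()))
            continue
        if BARE_PATH_RE.match(line):
            entries.append(Entry(key, "", line, None))
    return entries


def assess(entry: Entry) -> Entry:
    """Attach one reason per matching heuristic; the score is the reason count."""
    base = entry.basename
    if RANDOM_DLL_RE.match(base) and "\\system32\\" in entry.path.lower():
        entry.reasons.append("eight-random-letter DLL name in system32")
    if entry.meta == "":
        entry.reasons.append("no file metadata recorded ('[ ]') - assumed missing or unreadable")
    if "browser helper objects" in entry.key.lower():
        entry.reasons.append("registered as a BHO, loaded into every Internet Explorer process")
    if BM_NAME_RE.match(entry.name):
        entry.reasons.append("'BM' + hex value name (pattern seen in this log)")
    return entry


def flag_suspicious(text: str, threshold: int = 2) -> List[Entry]:
    """Entries scoring at or above the threshold, in log order."""
    return [e for e in map(assess, parse_loading_points(text)) if e.score >= threshold]


if __name__ == "__main__":
    for e in flag_suspicious(SAMPLE_LOG):
        print(f"{e.score}  {e.path}")
        for r in e.reasons:
            print(f"      - {r}")
```

With the sample above, only the two random-named DLLs reach the threshold; the HP recovery entry with an empty "[ ]" scores one point and is left alone, which is the intended behaviour: a single weak signal is not worth acting on, while a random name combined with a BHO registration or a missing-file bracket is exactly what a helper would put into a CFScript.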

Rorschach112
2008-05-04, 16:53
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\BM936d36da.xml

Folder::
C:\WINDOWS\system32\pnVes18
C:\temp\zvebs14

Registry::

Driver::



Save this as CFScript.txt, in the same location as ComboFix.exe


http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Reboot and post a new HijackThis log

EMR001
2008-05-04, 18:20
Thanks.

Here is the log:

ComboFix 08-05-01.3 - Ethel 2008-05-04 16:53:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.520 [GMT 2:00]
Running from: C:\Documents and Settings\Ethel\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ethel\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\BM936d36da.xml
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\zvebs14
C:\WINDOWS\BM936d36da.xml
C:\WINDOWS\system32\pnVes18

.
((((((((((((((((((((((((( Files Created from 2008-04-04 to 2008-05-04 )))))))))))))))))))))))))))))))
.

2008-05-04 12:56 . 2008-05-04 12:56 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-03 19:07 . 2008-05-03 19:07 <DIR> d-------- C:\_OTMoveIt
2008-05-03 14:03 . 2008-05-03 14:03 172 --ah----- C:\sqmnoopt15.sqm
2008-05-03 14:03 . 2008-05-03 14:03 172 --ah----- C:\sqmdata15.sqm
2008-05-03 12:18 . 2008-05-03 12:18 268 --ah----- C:\sqmdata14.sqm
2008-05-03 12:18 . 2008-05-03 12:18 244 --ah----- C:\sqmnoopt14.sqm
2008-05-02 16:13 . 2008-05-02 16:13 268 --ah----- C:\sqmdata13.sqm
2008-05-02 16:13 . 2008-05-02 16:13 244 --ah----- C:\sqmnoopt13.sqm
2008-04-30 14:33 . 2008-04-30 14:33 268 --ah----- C:\sqmdata12.sqm
2008-04-30 14:33 . 2008-04-30 14:33 244 --ah----- C:\sqmnoopt12.sqm
2008-04-29 22:53 . 2008-04-29 22:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-29 22:52 . 2008-04-30 06:31 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-29 22:52 . 2008-04-29 22:52 <DIR> d-------- C:\Documents and Settings\Ethel\Application Data\SUPERAntiSpyware.com
2008-04-29 20:25 . 2008-04-29 20:25 <DIR> d-------- C:\Documents and Settings\Holger\Contacts
2008-04-29 18:57 . 2008-04-29 18:57 <DIR> d-------- C:\Documents and Settings\Holger\Application Data\Skype
2008-04-28 16:13 . 2008-04-28 16:13 268 --ah----- C:\sqmdata11.sqm
2008-04-28 16:13 . 2008-04-28 16:13 244 --ah----- C:\sqmnoopt11.sqm
2008-04-25 17:58 . 2008-04-25 17:58 268 --ah----- C:\sqmdata10.sqm
2008-04-25 17:58 . 2008-04-25 17:58 244 --ah----- C:\sqmnoopt10.sqm
2008-04-23 20:26 . 2008-04-23 20:26 268 --ah----- C:\sqmdata09.sqm
2008-04-23 20:26 . 2008-04-23 20:26 244 --ah----- C:\sqmnoopt09.sqm
2008-04-23 07:03 . 2008-04-23 07:03 268 --ah----- C:\sqmdata08.sqm
2008-04-23 07:03 . 2008-04-23 07:03 244 --ah----- C:\sqmnoopt08.sqm
2008-04-22 19:28 . 2008-04-22 19:28 268 --ah----- C:\sqmdata07.sqm
2008-04-22 19:28 . 2008-04-22 19:28 244 --ah----- C:\sqmnoopt07.sqm
2008-04-22 17:56 . 2008-04-22 17:56 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-04-20 20:58 . 2008-04-20 20:58 268 --ah----- C:\sqmdata06.sqm
2008-04-20 20:58 . 2008-04-20 20:58 244 --ah----- C:\sqmnoopt06.sqm
2008-04-19 13:39 . 2008-05-04 09:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-19 13:39 . 2008-04-19 13:39 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-19 13:37 . 2008-04-19 13:37 <DIR> d-------- C:\Program Files\iPod
2008-04-19 13:34 . 2008-04-19 13:35 <DIR> d-------- C:\Program Files\QuickTime
2008-04-19 13:26 . 2008-04-19 13:26 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-16 22:53 . 2008-04-16 22:53 268 --ah----- C:\sqmdata05.sqm
2008-04-16 22:53 . 2008-04-16 22:53 244 --ah----- C:\sqmnoopt05.sqm
2008-04-16 19:27 . 2008-04-16 19:27 <DIR> d-------- C:\Documents and Settings\Christopher\Application Data\Datel
2008-04-15 21:21 . 2008-04-15 21:21 268 --ah----- C:\sqmdata04.sqm
2008-04-15 21:21 . 2008-04-15 21:21 244 --ah----- C:\sqmnoopt04.sqm
2008-04-15 17:28 . 2008-04-15 17:28 <DIR> d-------- C:\games
2008-04-14 20:39 . 2008-04-14 20:39 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-14 20:39 . 2008-04-14 20:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-14 20:38 . 2008-04-29 22:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-11 17:48 . 2008-04-11 17:48 <DIR> d-------- C:\Documents and Settings\Anna\Application Data\HP
2008-04-11 17:46 . 2008-04-11 17:46 <DIR> d-------- C:\Documents and Settings\Anna\Application Data\SiteAdvisor
2008-04-11 17:44 . 2005-01-03 01:16 <DIR> d-------- C:\Documents and Settings\Anna\WINDOWS
2008-04-11 17:44 . 2005-01-03 01:31 <DIR> d-------- C:\Documents and Settings\Anna\Application Data\Symantec
2008-04-11 17:44 . 2008-04-24 21:17 <DIR> d-------- C:\Documents and Settings\Anna
2008-04-11 17:44 . 2008-05-04 09:33 1,024 --ah----- C:\Documents and Settings\Anna\ntuser.dat.LOG
2008-04-11 17:21 . 2008-04-11 17:21 268 --ah----- C:\sqmdata03.sqm
2008-04-11 17:21 . 2008-04-11 17:21 244 --ah----- C:\sqmnoopt03.sqm
2008-04-11 16:39 . 2008-04-11 16:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LucasArts
2008-04-11 16:34 . 2008-04-11 16:34 <DIR> d-------- C:\Program Files\LucasArts
2008-04-11 16:31 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-04-11 16:30 . 2008-04-11 16:30 <DIR> d-------- C:\Documents and Settings\Christopher\Application Data\InstallShield
2008-04-09 19:08 . 2008-04-09 19:08 <DIR> d-------- C:\Program Files\Total Video Converter 3.11
2008-04-08 23:11 . 2008-04-08 23:13 0 --a------ C:\tmp.html
2008-04-08 19:57 . 2008-04-08 19:57 <DIR> d-------- C:\Documents and Settings\Ethel\Application Data\Syntrillium
2008-04-08 19:57 . 2001-10-19 14:40 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2008-04-08 19:57 . 2001-10-19 14:40 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2008-04-08 19:57 . 2001-10-19 14:39 572,752 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2008-04-08 19:57 . 2001-10-19 14:40 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2008-04-08 19:57 . 2001-10-19 02:05 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2008-04-08 19:57 . 2008-04-08 19:57 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2008-04-08 19:55 . 2008-04-09 17:14 <DIR> d-------- C:\Program Files\coolpro2
2008-04-08 17:17 . 2008-04-12 08:24 <DIR> d-------- C:\Documents and Settings\Michelle\Application Data\LimeWire
2008-04-06 16:59 . 2008-04-06 17:33 4,534,272 --a------ C:\dump_dvd.vob
2008-04-04 19:48 . 2008-04-04 19:48 <DIR> d-------- C:\Program Files\Common Files\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 14:58 --------- d-----w C:\Documents and Settings\Ethel\Application Data\Skype
2008-05-04 14:07 --------- d-----w C:\Documents and Settings\Ethel\Application Data\skypePM
2008-05-04 07:36 --------- d-----w C:\Program Files\Steam
2008-05-03 10:41 --------- d-----w C:\Documents and Settings\Christopher\Application Data\LimeWire
2008-04-29 19:06 --------- d-----w C:\Program Files\XoftSpySE
2008-04-24 19:16 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-24 19:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-24 13:36 --------- d-----w C:\Documents and Settings\Ethel\Application Data\LimeWire
2008-04-22 15:57 --------- d-----w C:\Program Files\LimeWire
2008-04-20 12:53 --------- d-----w C:\Documents and Settings\Christopher\Application Data\SiteAdvisor
2008-04-19 20:17 --------- d-----w C:\Program Files\DivX
2008-04-19 11:38 --------- d-----w C:\Program Files\iTunes
2008-04-11 17:48 --------- d-----w C:\Program Files\SkypeMate
2008-04-11 14:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-04 17:48 --------- d-----w C:\Program Files\Common Files\Real
2008-04-02 15:55 --------- d-----w C:\Documents and Settings\Ethel\Application Data\Datel
2008-04-02 15:49 --------- d-----w C:\Program Files\Datel
2008-04-02 13:59 160,200 ----a-w C:\Documents and Settings\Ethel\Application Data\GDIPFONTCACHEV1.DAT
2008-04-01 12:14 --------- d-----w C:\Documents and Settings\Christopher\Application Data\Skype
2008-03-31 21:25 831,488 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-31 18:55 --------- d-----w C:\Documents and Settings\Ethel\Application Data\SiteAdvisor
2008-03-29 17:49 --------- d-----w C:\Program Files\Disney Interactive
2008-03-29 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Disney Interactive
2008-03-24 15:12 --------- d-----w C:\Documents and Settings\Christopher\Application Data\iLike
2008-03-21 23:11 --------- d-----w C:\Program Files\Nature 3D Screensaver
2008-03-21 23:11 --------- d-----w C:\Program Files\3Planesoft Screensaver Manager
2008-03-21 20:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-21 20:15 --------- d-----w C:\Program Files\Tropical Fish 3D Screensaver
2008-03-21 15:12 --------- d-----w C:\Program Files\Fireplace 3D Screensaver
2008-03-21 15:04 --------- d-----w C:\Program Files\AutoEye
2008-03-21 14:57 --------- d-----w C:\Program Files\Adobe Premiere Elements 2.0
2008-03-21 14:54 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-20 19:30 --------- d-----w C:\Program Files\Windows Live
2008-03-20 19:29 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-20 19:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-20 19:14 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-20 19:13 --------- d-----w C:\Program Files\Common Files\Skype
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-17 22:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-03-15 07:38 --------- d-----w C:\Program Files\Google
2008-03-15 05:58 --------- d-----w C:\Program Files\Java
2008-03-01 16:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-19 15:04 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2008-02-19 15:04 126,976 ----a-w C:\WINDOWS\War3Unin.exe
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-02-14 19:07 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-02-07 17:49 15,613 ----a-w C:\Program Files\Furnish Lite uninstal.log
2002-09-04 07:14 1,206,784 ----a-w C:\Program Files\AutoEye_PlugIn.8bf
2007-06-15 04:22 0 --sha-r C:\WINDOWS\SMINST\npc.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-03_22.07.55.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-03 19:57:01 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-04 07:33:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2007-03-12 14:42:30 1,123,696 ----a-w C:\WINDOWS\LastGood\system32\D3DCompiler_33.dll
+ 2007-05-16 14:45:16 1,124,720 ----a-w C:\WINDOWS\LastGood\system32\D3DCompiler_34.dll
+ 2007-03-15 14:57:58 443,752 ----a-w C:\WINDOWS\LastGood\system32\d3dx10_33.dll
+ 2007-05-16 14:45:16 443,752 ----a-w C:\WINDOWS\LastGood\system32\d3dx10_34.dll
+ 2007-03-12 14:42:30 3,495,784 ----a-w C:\WINDOWS\LastGood\system32\d3dx9_33.dll
+ 2007-05-16 14:45:16 3,497,832 ----a-w C:\WINDOWS\LastGood\system32\d3dx9_34.dll
+ 2007-03-05 10:42:18 15,128 ----a-w C:\WINDOWS\LastGood\system32\x3daudio1_1.dll
+ 2007-06-20 18:45:20 18,280 ----a-w C:\WINDOWS\LastGood\system32\x3daudio1_2.dll
+ 2007-01-24 13:27:30 255,848 ----a-w C:\WINDOWS\LastGood\system32\xactengine2_6.dll
+ 2007-04-04 16:55:00 261,480 ----a-w C:\WINDOWS\LastGood\system32\xactengine2_7.dll
+ 2007-06-20 18:46:04 266,088 ----a-w C:\WINDOWS\LastGood\system32\xactengine2_8.dll
+ 2007-04-04 16:53:42 81,768 ----a-w C:\WINDOWS\LastGood\system32\xinput1_3.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6d50b707-2699-4a08-a1b8-3694ad072a8a}]
C:\WINDOWS\system32\vovtitfa.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 10:17 68856]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 18:22 21898024]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 01:24 1694208]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 16:53 73840]
"iLike"="C:\Program Files\iLike\1.1.27\ilikesidebar.exe" [2007-09-13 12:34 63024]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-03-28 23:14 1271032]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 06:56 64512]
"ftutil2"="ftutil2.dll" [2004-06-08 07:05 106496 C:\WINDOWS\system32\ftutil2.dll]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 09:19 77312 C:\WINDOWS\arpwrmsg.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-05 04:03 7307264]
"nwiz"="nwiz.exe" []
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 22:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 08:35 49152]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [ ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Xerox WorkCentre 480cx Monitor"="C:\WINDOWS\system32\X480SHLL.DLL" [2001-10-30 10:21 90112]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-04 19:47 185896]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 16:53 73840]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-01-17 21:24 36904]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"BM936d36da"="C:\WINDOWS\system32\ulgkgkdk.dll" [ ]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - C:\hp\bin\CLOAKER.EXE [2005-01-03 10:30:42 27136]

C:\Documents and Settings\Christopher\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-03-26 19:19:43 147456]

C:\Documents and Settings\Ethel\Start Menu\Programs\Startup\
SkypeMate.lnk - C:\Program Files\SkypeMate\SkypeMate.exe [2005-11-21 09:37:06 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 08:56:20 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Steam\\steamapps\\criscross404\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 dontgo;Promise Removable Disk Control Driver;C:\WINDOWS\system32\DRIVERS\DontGo.sys [2004-06-30 06:25]
R2 EcpFax;Team MFP Com Redirector;C:\WINDOWS\system32\Drivers\EcpFax.Sys [1999-01-27 07:29]
R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2005-10-03 22:57]
R3 Bonifay;Bonifay;C:\WINDOWS\system32\DRIVERS\Bonifay.sys [2005-11-28 21:55]
R3 V0080Dev;Creative Camera VF0080 Driver;C:\WINDOWS\system32\DRIVERS\V0080Dev.sys [2005-05-06 09:11]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;C:\WINDOWS\system32\DRIVERS\wn5301.sys [2005-10-05 19:44]
S3 Gonzales;Gonzales;C:\WINDOWS\system32\DRIVERS\Gonzales.sys [2005-12-13 15:10]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 14:56:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-06 20:18:01 C:\WINDOWS\Tasks\Internet Services.job"
- C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exeb/remind /LaunchPoint reminder /App C:\Program Files\Hewlett-Packard\Internet Services\StartIS.aml
"2008-04-15 01:37:44 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-01-01 00:00:12 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-05-01 05:25:25 C:\WINDOWS\Tasks\WebReg Photosmart C5100 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
"2008-05-04 15:00:04 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-04-15 03:50:34 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-04 16:57:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

? [42576]
? [43852]
? [43224]
? [43204]
scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-04 17:00:29
ComboFix-quarantined-files.txt 2008-05-04 15:00:11
ComboFix2.txt 2008-05-03 20:08:45

Pre-Run: 133,111,926,784 bytes free
Post-Run: 133,185,093,632 bytes free

319 --- E O F --- 2008-04-09 20:16:20

Rorschach112
2008-05-04, 20:12
Post a new HijackThis log and do this

Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

EMR001
2008-05-04, 20:15
Here is the hijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:14:13, on 04/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\SkypeMate\SkypeMate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {a8a270da-4963-8b1a-80a4-9962707b05d6} - {6d50b707-2699-4a08-a1b8-3694ad072a8a} - C:\WINDOWS\system32\vovtitfa.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-